Researchers now have proven you can hack a car remotely, and will share most — but not all — of the details on how they did it.
If a car’s brakes suddenly fail and send it careening uncontrollably into a ditch, how do you know whether it was a mechanical failure or the work of a malicious hacker?
There’s no foolproof way today to prove a car was hacked. Lucky for Wired journalist Andy Greenberg–who recently served as a live crash-test dummy for famed car security hackers Charlie Miller and Chris Valasek’s latest car hacking research–a nerve-wracking sudden full stop of the 2014 Jeep Cherokee he was driving at 70mph on a St. Louis highway was the handiwork of the white hat hackers from their laptops some 10 miles away in Miller’s living room.
The dramatic and controversial live car hack demonstration got plenty of attention this week, including from lawmakers and automakers. Fiat Chrysler issued a security update to the vulnerability found by Miller and Valasek prior to the demo going public; Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced proposed legislation for federal standards to secure cars from cyberattacks and to protect owners’ privacy; and the ICS-CERT issued an alert about Fiat Chrysler’s patch.
Miller and Valasek believe they are still way ahead of the bad guys when it comes to car hacking. At Black Hat USA next month, they will reveal details of the vulnerability they found and exploited in the Uconnect infotainment system, which affects up to 400,000 Fiat Chrysler vehicles. They plan to show the code and some other tools they wrote, but they won’t release the firmware for the chip they reprogrammed for the hack. “It’s the difference between turning up the radio loud and being able to turn the steering wheel. We feel we shouldn’t give that out,” says Valasek, who heads up the vehicle security research practice at security firm IOActive.
The zero-day vulnerability in Uconnect, meanwhile, was “pretty simplistic,” Valasek says, and they found it within a couple of weeks of their tinkering. “The hard part was getting firmware from the chip that interacts with the car and reverse-engineering it so we could do the next step and reprogram it” so they could send it messages via the car’s internal CAN bus network, he says.
Miller and Valasek were able to control a 2014 Jeep Cherokee’s steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.
“The important piece was getting on wirelessly, and making that lateral-wise movement to the actual controls of the car,” Valasek says. He and Miller initially began hacking away via the car’s WiFi, and then realized they could do the same exploits via its cellular connection. They also discovered that if an attacker knows a car’s IP address, he can hack it from any location within the US.
The researchers in their Black Hat presentation also plan to release a paper on the process they underwent to hack the Jeep. But it won’t be a how-to for car hacking: “This is not a step-by-step instructions on how to hack a car,” Valasek says. It’s instead aimed at people who want to perform security assessments of a vehicle, he says.
Fiat Chrysler’s software update for the infotainment system was in response to the researchers’ findings (the researchers shared their research with the carmaker in advance). But the patch is not as straightforward as it sounds: it entails a manual update via a USB stick or a visit to a dealer’s service center. And the advisory also doesn’t actually spell out that it’s a security fix. “It says it’s an improvement for your radio” but not that it’s a vulnerability patch, he notes. “So a [consumer] might say, ‘my radio works fine'” and not patch, he says. The flaw affects Uconnect-equipped Chrysler vehicle models in late 2013, 2014, and early 2015.
Whether car owners will actually apply the update en masse is unclear: “We are in uncharted territory,” says Valasek.
Gualberto Ranieri, senior vice president of communications at Fiat Chrysler, wrote in a blog post that the company is unaware of any real-world attacks: “To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” he said.
Miller and Valasek have been on a wild ride over the past two years exploring just how a vehicle with network connectivity can be “owned” by an attacker for nefarious purposes. In their first car hack in 2013, they cracked open the dashboards of a 2010 Toyota Prius and the 2010 Ford Escape. and reverse-engineered the electronics in the vehicles, using their own hardware hacking tools to wrest control of the brakes, steering, and acceleration, findings that they revealed at DEF CON that summer. Last year, they published a report on the most hackable vehicles — ones that they analyzed had unprotected networking features that would allow an attacker to break in and control them from afar.
At the top of their most hackable cars list: the 2014 Jeep Cherokee, as well as the 2014 Infiniti Q50 and 2015 Escalade. Miller and Valasek took that research to the next level with the latest car hack in dramatic fashion such that it’s even given the most hardcore security experts pause.
“I have to say I do think it was quite daring and it may have been pushing the boundaries. But I also believe their motivation was more to … get people’s attention. It was a calculated risk they took to get some sunshine for the consumer public,” says Mathew Desmond, manufacturing & heavy equipment domain subject matter expert at Cap Gemini. “But I don’t think anyone would recommend [doing what they did].”
The auto industry was not amused. “Demonstrations such as what’s been described are concerning, and it’s uncomfortable to see the way in which this particular demonstration was done: having a skilled test driver involved in the demonstration conducted on a closed course is one thing, but posing a risk to other drivers on open roads is clearly irresponsible. Especially considering that there are now several forums for demonstrating ethical research in controlled settings,” said Wade Newton, director of communications at the Alliance of Automobile Manufacturers, of which Fiat Chrysler, Ford, GM, BMW, Mazda, Porsche, Toyota, and Volvo are among its members.
Miller and Valasek indeed have been the most high-profile researchers in car hacking. But other projects are under way elsewhere in the industry, including a public-private working group in the Commonwealth of Virginia that is testing how state trooper cruisers could be sabotaged via cyberattacks.
“There’s no doubt cars can be attacked. Then the question is, how would we know? Today, there’s nothing to collect to show a cyberattack” on a vehicle, says Barry Horowitz, chair of the Systems and Information Engineering Department at the University of Virginia, which has conducted car hacking research. UVA also is involved in the Virginia State Trooper vehicle research.
Horowitz says carmakers must build their vehicles such that the infotainment center isn’t vulnerable to physical control by an attacker. “Why is the radio connected to the physical automation of the car?” he says. “There needs to be a physical gap” between systems on the car’s network, he says.
Automakers also should provide a way for investigators, such as state police, to gather forensic information at the scene of an car accident or incident in order to determine whether it was caused by a cyberattack.
Car Patch Tuesday?
Meanwhile, car software patching will become more and more common, security experts say. And consumers will have to start embracing it. BMW Group in February issued an “over the air” security update to its ConnectedDrive software running on some 2.2 million of its vehicles worldwide. The fix was for a hole that could allow an attacker to hijack or manipulate remote communications in some BMW, Rolls Royse, and Mini models’ SIM cards.
“The challenge for the public is to start thinking about a vehicle like they would their Windows PC’s operating system. They are accustomed to getting software updates” there, Cap Gemini’s Desmond says. “There’s going to have to be a mind shift, or a cultural shift.”
Desmond, who previously worked on the vehicle software side of the industry, says he’s confident that most automakers are already testing their networked systems and software for security holes that hackers could exploit. The cybersecurity piece of car safety will “get ratcheted up,” he says.
In the meantime, there’s still some breathing room for carmakers now. “It isn’t a malicious attack in the wild,” Valasek says of his and Miller’s research.
Valasek says the gaping security holes he and Miller have found in cars haven’t scared him away from networked vehicles. “I drove a 2014 Jeep Cherokee today,” as a matter of fact, he says.