Hackers can take over any Chrysler vehicle from the last 2 years. Yes, fully remotely. Yes, including steering, brakes and transmission.
-
Take a deep breath because this is pretty fucked up.
I'll quote and bold the most important paragraphs for your reading comfort:
The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
[...]
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun. [...]
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.[...]
Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.
From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015.
[...]
Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. [...] Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.
So what now? Will thousands of vulnerable cars just be allowed to roam out there like that, because Chrysler can't be assed to make a wireless patch? That's a mass murderer's wet dream. Will they even be punished for their gross negligence?
And what makes me more angry is that people will probably blame technology, and say that cars should not have an internet connection in the first place, and all that stuff. But technology is not at fault here. There's just no culture of security in companies.
If you design a car's entertainment system with the proper methodology, in a language and environment focused on security (i.e. not C), with quality control, code reviews, safeties, formal verification for the critical parts, and obviously without letting the goddamn brakes take orders from the online media player, there's no way a disaster like this can happen.
-
because Chrysler can't be assed to make a wireless patch?
Are you sure they could? Would you want to rely on that? Doesn't that contradict the rest of your security rant?
-
Wouldn't any car that's updatable by wireless be vulnerable to exactly this? Even if patched, an attacker could simply patch the vulnerability back in. I'm sure that a car company who has never done this before would take many iterations before they figured out how to deploy updates securely. It took DirecTV years to figure it out and they were losing income from each of the exploited systems. Chrysler is only getting bad publicity.
-
So what now?
The zeroth step, clearly, is to rip the fucking antenna out.
There's a REASON Commander Adama wouldn't let them network his battlestar.
-
Does UConnect come with an activated cell radio that can't be turned off? Couldn't you just cancel the service?
-
Steering and brakes are fly-by-wire now?
-
Well, it wouldn't be the first time a vulnerability is used to patch itself. It has worked before (and yes, it also has backfired before). I would also expect systems like this to accept properly signed updates, but it might also be an extra risk. So I don't know, I didn't think that part all the way through.
But in any case, you can't just leave most users unpatched in a case like this. I don't know, issue a recall, make the car show a persistent message on the screen until patched, buy a full-page ad in every newspaper, do something. Even remotely bricking every car would be better.
-
How do you fuck up so badly that the stereo is the vector to gain complete control of the vehicle. That's insane.
Guess I'll stick to vehicles with an actual steering column for a while longer.
-
Steering and brakes are fly-by-wire now?
I sure as Belgium hope not. I could see maybe attacking the power-assist, but turning the steering wheel (even if you have to really use your muscles to do it) should still turn the wheels.
-
Does UConnect come with an activated cell radio that can't be turned off? Couldn't you just cancel the service?
I have not yet read the Wired article. I would be willing to bet money Chrysler will NEVER tell you to rip out (or disconnect, if you want to be less permanent) the antenna.
I was joking with the Galactica reference, but the car companies just aren't thinking about security at all yet, and until such time as they've had several iterations of actually taking it seriously, you have to assume networkable cars are hackable, because it has been sufficiently demonstrated that not only is it a bad idea to put entertainment functions on the system CAN bus, but that the people in charge have not yet admitted that.
-
Inb4: Boeing
-
I'm surprised that no one has questioned why the Entertainment system and important things like steering and brakes are on the same network.
Isn't this the same kind of shit that the airline industry is getting into trouble over?
Edit: For that matter, why are things like transmission and brakes connected to a network in the first place, let alone one with access to the Internet?
-
not only is it a bad idea to put entertainment functions on the system CAN bus
That's not the worst part. The worst part is using the entertainment system as a diagnostic terminal for the entire car. I know the magic keys to press on my car to see trouble codes on the nav screen. The very existence of this feature requires the two to be connected.
Hybrid car manufacturers love to make pretty displays that show how power is being used on the screen. All manufacturers love to add "start your car from your phone" type features. There is pretty much no way to implement these features securely, at least not with the skill sets that exist in the development departments of Fujitsu, Harman, and Johnson Controls.
-
I'm surprised that no one has questioned why the Entertainment system and important things like steering and brakes are on the same network.
Isn't this the same kind of shit that the airline industry is getting into trouble over?
We've been over this: The "threat" of "airplane hackers" is non-existent because those "researchers" don't know shit and drew conclusions of how airplanes actually work from simulators.
There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.
-
Hardwired routing tables so that the stereo can't send commands to the engine
That works... unless one of your features is "display engine diagnostic codes on radio" and another is "start car from iPhone app".
-
Isn't this the same kind of shit that the airline industry is getting into trouble over?
Kind of...it's the kind of stuff the airline industry is getting into trouble over even though avionics don't actually work that way.
-
"display engine diagnostic codes on radio"
Why?
"start car from iPhone app"
In the name of all that is right and good in the world
-
@Rhywden said:
Hardwired routing tables so that the stereo can't send commands to the engine
That works... unless one of your features is "display engine diagnostic codes on radio" and another is "start car from iPhone app".
How exactly is "display engine diagnostic codes on radio" sending data to the engine?
The second one, yeah, that's idiotic.
-
How exactly is "display engine diagnostic codes on radio" sending data to the engine?
It's not like the engine control unit just spews trouble codes on the CAN bus, the radio has to request them. If it can send the "List Trouble Codes" command, it's not far from sending the "Update Firmware" command.
-
Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.
So, that's not really an argument.
-
I wouldn't, but I'm guessing it's something along the lines of, "Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."
-
Why?
I'll add that, for my car, the infotainment system runs Linux. The root password is hardcoded to "jci" and SSH over WiFi was enabled by default until about 18 months after the system was released.
-
"Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."
then build it such that the app communicates with a piece of hardware on the unsecured side who, via mechanical interrupt is capable of EXCLUSIVELY sending the "please turn on now" signal to the main computer on the secure side
any other way is a security risk.
frankly so is remote ignition but apparently people are wimpy enough about the walk to the car that their comfort overrides security
-
comfort overrides security
Yeah, and we never see that in other security contexts, do we?
-
There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.
Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.
These quotes are both from you and they are incompatible with each other. My comment about features forcing the current state of things was in reaction to your statement about hard coded routing. The route has to be there because the two systems need to talk to each other.
Changing the CAN protocol is really just a way of restating "do security right", which they've proven they don't have the will to do.
-
The worst part is using the entertainment system as a diagnostic terminal for the entire car.
Well, we could nitpick about how what you just described is a clever use of a major security fail, but tomayto, tomahto. In this case, not using that screen (probably) requires a whole nother display.
-
How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.
-
Why?
Because it beats the bizarro current methods, which are roughly analogous to BIOS beep codes, except they involve turning the key 10 times in succession and then counting the multi-digit flash pattern of the seat belt light.
In the name of all that is right and good in the world
Neither of those things enter into it.
-
"Because it's cold,
This is actually the problem you need to fix, not the rest of the sentence. Move away from where it's bloody cold!
-
then build it such that the app communicates with a piece of hardware on the unsecured side who, via mechanical interrupt is capable of EXCLUSIVELY sending the "please turn on now" signal to the main computer on the secure side
That's how cars used to be ten years ago. Even after CANbus became popular, that was how things were designed. Recently, features have been migrating from hardware to software. Auto makers need to get out of the "pretty screen" market because they are very bad at it. They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.
-
more than 5 meters of a country lane.
My high school teacher said that was equivalent to infinity in certain contexts.
-
They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.
What? And give up vendor lock-in? Are you insane, sirrah?
-
How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.
Before you talk down to me for not getting it, make sure you aren't wrong. Statement #1 was that the radio and ECU should not be able to send packets to one another. Statement #2 was about securing CANbus so that when the radio and ECU send packets to one another, they can only perform one of the pre-authorized commands. If you can't see the incompatibility, that's not my fault.
-
@Rhywden said:
How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.
Before you talk down to me for not getting it, make sure you aren't wrong. Statement #1 was that the radio and ECU should not be able to send packets to one another. Statement #2 was about securing CANbus so that when the radio and ECU send packets to one another, they can only perform one of the pre-authorized commands. If you can't see the incompatibility, that's not my fault.
First of all: I talked about "one-way" communication and not a total blockade.
Secondly: You may have missed the "get rid of CAN" part. Learn to read. It's now pretty obvious how you arrived at your faulty conclusions.
-
Move away from where it's bloody cold!
Or just buy a big, gas-guzzling, CO2-emitting SUV, and let AGW do the work for you.
-
First of all: I talked about "one-way" communication and not a total blockade
There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.
No you didn't.
Secondly: You may have missed the "get rid of CAN" part.
Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.
If "modify / get rid of" === "get rid of", then yes. So... no.
-
Geeze, you really are dense and want to nitpick in the extreme.
It's a shortform for "modify and if that doesn't work out, get rid of". Is that clear enough for you now or do you need another set of hands, a map and a GPS to find your ass?
-
I wouldn't, but I'm guessing it's something along the lines of, "Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."
I walk past a car every morning that does that. Californians are fucking wimps. I walk past in a short sleeve shirt.
-
Move away from where it's bloody cold!
Actually I use it to start the car and the A/C!
-
It's this sort of thing that makes me really tempted to think that, despite the drawbacks, we should really be moving towards a model where there are licensed software engineers that need to sign off on software that is running in environments like this, have set standards for testing and verification, and will be held criminally liable if they are not met.
-
Like in ... avionics?
-
where there are licensed software engineers that need to sign off on software
There have been efforts in the past [in the USA], but they never went very far. The cost (Estimated) far outweighed the Value (Perceived)
-
Isn't this the same kind of shit that the airline industry is getting into trouble over?
No.
-
What? And give up vendor lock-in? Are you insane, sirrah?
I'm not sure the general public knows just how bad they are at it. Today's Chrysler news is pretty bad, but it's not the first announcement like this. High end car theft has largely moved from picking locks to hacking RF unlock systems. Every time a new phone comes out a lot of the built-in Bluetooth systems need to be updated. Map updates for built-in NAV systems cost 50 times as much as the same map updates cost for a TomTom. Most manufacturers won't make updates for systems that are four years old and there is no acceptable way to replace them with an aftermarket unit because of the deep integration with the rest of the vehicle.
And my personal one... Mazda replaced my car after they gave up trying to get the infotainment system working reliably. Two years later, version 55 of the software came out and the fix list still looks like my problem list from 2013.
-
Sending data from the secure to the "insecure" system should not be a problem.
To send commands from the insecure to the secure... well, an interface accepting a single byte (with a different value for every command) seems pretty impossible to hack so you could still do stuff like that.
(Of course, it means an attacker can turn your engine remotely. Your choice).
Most security isn't hard if you put some thought in it. The fundamental problems are isolating pieces of code (easiest solution: run them on separate hardware) and sanitizing inputs.
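The gateway idea argued over in this thread (the head unit may ask the engine for trouble codes, and nothing else crosses), sketched as an added example that is not part of any post or of any vendor's code. The `struct frame` type, the function names and the two permitted requests are assumptions for illustration; the ids are the conventional OBD-II request ids and differ per vehicle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame type for this example: 11-bit CAN id, up to 8 data bytes. */
struct frame {
    uint16_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

/* One allowlist entry: exact target id and exact request bytes. */
struct rule {
    uint16_t id;
    uint8_t  len;      /* request length carried in the ISO-TP single frame */
    uint8_t  req[3];
};

/* Default deny: only the read-only requests the display needs are listed.
 * Ids are the conventional OBD-II request ids (assumed; vehicle-specific). */
static const struct rule ALLOW[] = {
    { 0x7DF, 1, { 0x03 } },              /* OBD-II mode 03: stored trouble codes */
    { 0x7E0, 3, { 0x19, 0x02, 0xFF } },  /* UDS ReadDTCInformation by status mask */
};

/* Drop counter for logging: any non-zero value means the infotainment side
 * sent something it has no business sending. */
static unsigned long dropped;

static bool allowed(const struct frame *f)
{
    if (f == NULL || f->dlc < 2 || f->dlc > 8)
        return false;
    /* ISO-TP PCI byte: high nibble 0 = single frame, low nibble = length.
     * First, consecutive and flow-control frames are refused, so no
     * multi-frame transfer (which a firmware download needs) can be built. */
    uint8_t pci = f->data[0];
    if ((pci & 0xF0) != 0x00)
        return false;
    uint8_t len = pci & 0x0F;
    if (len == 0 || len > 3 || (size_t)len + 1 > f->dlc)
        return false;
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        const struct rule *r = &ALLOW[i];
        if (f->id == r->id && len == r->len &&
            memcmp(&f->data[1], r->req, len) == 0)
            return true;
    }
    return false;
}

/* Decide whether a frame from the infotainment bus may cross to the
 * powertrain bus. True only on an exact allowlist match. */
bool gateway_forward(const struct frame *f)
{
    if (allowed(f))
        return true;
    dropped++;
    return false;
}

unsigned long gateway_dropped(void) { return dropped; }
```

The filter only means something if it runs on separate hardware that the head unit cannot reflash, and the allowlist is compiled in rather than configurable over the bus.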
-
Auto makers need to get out of the "pretty screen" market because they are very bad at it. They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.
Standards are hard, let's go shopping!
(But yes, I agree with your sentiment 200%. Leave the software to the software makers).
-
Map updates for built-in NAV systems cost 50 times as much as the same map updates cost for a TomTom.
That--and special cases like the one I mentioned a while back, about the guy whose car wouldn't route him onto dirt roads--are why I don't ever intend to get a built-in satnav.
-
Mazda replaced my car
Should I take the Mazda3 off my shortlist for my next car?
Also I wanted to QFT because a like isn't enough.
-
Should I take the Mazda3 off my shortlist for my next car?
I love my Mazda3 and would buy another if a meteor crashed into my current one. But, the infotainment system went through a lot of teething pains. The current version is no worse than the crap that comes with its competitors. It's also no better.
I also have to give them credit for actually replacing my car instead of scheduling an endless series of software update appointments.