Hackers can take over any Chrysler vehicle from the last 2 years. Yes, fully remotely. Yes, including steering, brakes and transmission.



  • Take a deep breath because this is pretty fucked up.

    I'll quote and bold the most important paragraphs for your reading comfort:

    The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

    [...]
    As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

    Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

    [...]
    Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

    [...]

    Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.

    From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015.

    [...]

    Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. [...] Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.

    So what now? Will thousands of vulnerable cars just be allowed to roam out there like that, because Chrysler can't be assed to make a wireless patch? That's a mass murderer's wet dream. Will they even be punished for their gross negligence?

    And what makes me more angry is that people will probably blame technology, and say that cars should not have an internet connection in the first place, and all that stuff. But technology is not at fault here. There's just no culture of security in companies.

    If you design a car's entertainment system with the proper methodology, in a language and environment focused on security (i.e. not C), with quality control, code reviews, safeties, formal verification for the critical parts, and obviously without letting the goddamn brakes take orders from the online media player, there's no way a disaster like this can happen.


  • ♿ (Parody)

    @anonymous234 said:

    because Chrysler can't be assed to make a wireless patch?

    Are you sure they could? Would you want to rely on that? Doesn't that contradict the rest of your security rant?



  • Wouldn't any car that's updatable by wireless be vulnerable to exactly this? Even if patched, an attacker could simply patch the vulnerability back in. I'm sure that a car company who has never done this before would take many iterations before they figured out how to deploy updates securely. It took DirecTV years to figure it out and they were losing income from each of the exploited systems. Chrysler is only getting bad publicity.


  • Discourse touched me in a no-no place

    @anonymous234 said:

    So what now?

    The zeroth step, clearly, is to rip the fucking antenna out.

    There's a REASON Commander Adama wouldn't let them network his battlestar.



  • Does UConnect come with an activated cell radio that can't be turned off? Couldn't you just cancel the service?



  • Steering and brakes are fly-by-wire now?



  • Well, it wouldn't be the first time a vulnerability is used to patch itself. It has worked before (and yes, it also has backfired before). I would also expect systems like this to accept properly signed updates, but it might also be an extra risk. So I don't know, I didn't think that part all the way through.

    But in any case, you can't just leave most users unpatched in a case like this. I don't know, issue a recall, make the car show a persistent message on the screen until patched, buy a full-page ad in every newspaper, do something. Even remotely bricking every car would be better.



  • How do you fuck up so badly that the stereo is the vector to gain complete control of the vehicle. That's insane.

    Guess I'll stick to vehicles with an actual steering column for a while longer.



  • @mott555 said:

    Steering and brakes are fly-by-wire now?

    I sure as Belgium hope not. I could see maybe attacking the power-assist, but turning the steering wheel (even if you have to really use your muscles to do it) should still turn the wheels.


  • Discourse touched me in a no-no place

    @Jaime said:

    Does UConnect come with an activated cell radio that can't be turned off? Couldn't you just cancel the service?

    I have not yet read the Wired article. I would be willing to bet money Chrysler will NEVER tell you to rip out (or disconnect, if you want to be less permanent) the antenna.

    I was joking with the Galactica reference, but the car companies just aren't thinking about security at all yet, and until such time as they've had several iterations of actually taking it seriously, you have to assume networkable cars are hackable, because it has been sufficiently demonstrated that not only is it a bad idea to put entertainment functions on the system CAN bus, but that the people in charge have not yet admitted that.



  • Inb4: Boeing



  • I'm surprised that no one has questioned why the Entertainment system and important things like steering and brakes are on the same network.

    Isn't this the same kind of shit that the airline industry is getting into trouble over?

    Edit: For that matter, why are things like transmission and brakes connected to a network in the first place, let alone one with access to the Internet?



  • @FrostCat said:

    not only is it a bad idea to put entertainment functions on the system CAN bus

    That's not the worst part. The worst part is using the entertainment system as a diagnostic terminal for the entire car. I know the magic keys to press on my car to see trouble codes on the nav screen. The very existence of this feature requires the two to be connected.

    Hybrid car manufacturers love to make pretty displays that show how power is being used on the screen. All manufacturers love to add "start your car from your phone" type features. There is pretty much no way to implement these features securely, at least not with the skill sets that exist in the development departments of Fujitsu, Harman, and Johnson Controls.



  • @powerlord said:

    I'm surprised that no one has questioned why the Entertainment system and important things like steering and brakes are on the same network.

    Isn't this the same kind of shit that the airline industry is getting into trouble over?

    We've been over this: The "threat" of "airplane hackers" is non-existent because those "researchers" don't know shit and drew conclusions of how airplanes actually work from simulators.

    There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.



  • @Rhywden said:

    Hardwired routing tables so that the stereo can't send commands to the engine

    That works... unless one of your features is "display engine diagnostic codes on radio" and another is "start car from iPhone app".



  • @powerlord said:

    Isn't this the same kind of shit that the airline industry is getting into trouble over?

    Kind of...it's the kind of stuff the airline industry is getting into trouble over even though avionics don't actually work that way.


  • FoxDev

    @Jaime said:

    "display engine diagnostic codes on radio"

    Why?

    @Jaime said:

    "start car from iPhone app"

    In the name of all that is right and good in the world



  • @Jaime said:

    @Rhywden said:
    Hardwired routing tables so that the stereo can't send commands to the engine

    That works... unless one of your features is "display engine diagnostic codes on radio" and another is "start car from iPhone app".

    How exactly is "display engine diagnostic codes on radio" sending data to the engine?

    The second one, yeah, that's idiotic.



  • @Rhywden said:

    How exactly is "display engine diagnostic codes on radio" sending data to the engine?

    It's not like the engine control unit just spews trouble codes on the CAN bus, the radio has to request them. If it can send the "List Trouble Codes" command, it's not far from sending the "Update Firmware" command.



  • Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.

    So, that's not really an argument.



  • @accalia said:

    I wouldn't, but I'm guessing it's something along the lines of, "Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."



  • @accalia said:

    Why?

    I'll add that, for my car, the infotainment system runs Linux. The root password is hardcoded to "jci" and SSH over WiFi was enabled by default until about 18 months after the system was released.


  • FoxDev

    @HardwareGeek said:

    "Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."

    then build it such that the app communicates with a piece of hardware on the unsecured side who, via mechanical interrupt is capable of EXCLUSIVELY sending the "please turn on now" signal to the main computer on the secure side

    any other way is a security risk.

    frankly so is remote ignition but apparently people are wimpy enough about the walk to the car that their comfort overrides security



  • @accalia said:

    comfort overrides security

    Yeah, and we never see that in other security contexts, do we?



  • @Rhywden said:

    There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.

    @Rhywden said:

    Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.

    These quotes are both from you and they are incompatible with each other. My comment about features forcing the current state of things was in reaction to your statement about hard coded routing. The route has to be there because the two systems need to talk to each other.

    Changing the CAN protocol is really just a way of restating "do security right", which they've proven they don't have the will to do.


  • Discourse touched me in a no-no place

    @Jaime said:

    The worst part is using the entertainment system as a diagnostic terminal for the entire car.

    Well, we could nitpick about how what you just described is a clever use of a major security fail, but tomayto, tomahto. In this case, not using that screen (probably) requires a whole nother display.



  • How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.


  • Discourse touched me in a no-no place

    @accalia said:

    Why?

    Because it beats the bizarro current methods, which are roughly analogous to BIOS beep codes, except they involve turning the key 10 times in succession and then counting the multi-digit flash pattern of the seat belt light.

    @accalia said:

    In the name of all that is right and good in the world

    Neither of those things enter into it.


  • Discourse touched me in a no-no place

    @HardwareGeek said:

    "Because it's cold,

    This is actually the problem you need to fix, not the rest of the sentence. Move away from where it's bloody cold!



  • @accalia said:

    then build it such that the app communicates with a piece of hardware on the unsecured side who, via mechanical interrupt is capable of EXCLUSIVELY sending the "please turn on now" signal to the main computer on the secure side

    That's how cars used to be ten years ago. Even after CANbus became popular, that was how things were designed. Recently, features have been migrating from hardware to software. Auto makers need to get out of the "pretty screen" market because they are very bad at it. They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.


  • Discourse touched me in a no-no place

    @Rhywden said:

    more than 5 meters of a country lane.

    My high school teacher said that was equivalent to infinity in certain contexts.


  • Discourse touched me in a no-no place

    @Jaime said:

    They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.

    What? And give up vendor lock-in? Are you insane, sirrah?



  • @Rhywden said:

    How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.

    Before you talk down to me for not getting it, make sure you aren't wrong. Statement #1 was that the radio and ECU should not be able to send packets to one another. Statement #2 was about securing CANbus so that when the radio and ECU send packets to one another, they can only perform one of the pre-authorized commands. If you can't see the incompatibility, that's not my fault.



  • @Jaime said:

    @Rhywden said:
    How exactly are they "incompatible"? Maybe you should try to think for more than 5 meters of a country lane.

    Before you talk down to me for not getting it, make sure you aren't wrong. Statement #1 was that the radio and ECU should not be able to send packets to one another. Statement #2 was about securing CANbus so that when the radio and ECU send packets to one another, they can only perform one of the pre-authorized commands. If you can't see the incompatibility, that's not my fault.

    First of all: I talked about "one-way" communication and not a total blockade.
    Secondly: You may have missed the "get rid of CAN" part.

    Learn to read. It's now pretty obvious how you arrived at your faulty conclusions.



  • @FrostCat said:

    Move away from where it's bloody cold!

    Or just buy a big, gas-guzzling, CO2-emitting SUV, and let AGW do the work for you. :trollface:



  • @Rhywden said:

    First of all: I talked about "one-way" communication and not a total blockade

    @Rhywden said:

    There's an easy way to fix this: Hardwired routing tables so that the stereo can't send commands to the engine.

    No you didn't.

    @Rhywden said:

    Secondly: You may have missed the "get rid of CAN" part.

    @Rhywden said:

    Well, that they'd have to modify / get rid of the CAN bus protocol is pretty much a given at this point.

    If "modify / get rid of" === "get rid of", then yes. So... no.



  • Geeze, you really are dense and want to nitpick in the extreme.

    It's a shortform for "modify and if that doesn't work out, get rid of". Is that clear enough for you now or do you need another set of hands, a map and a GPS to find your ass?


  • Discourse touched me in a no-no place

    @Rhywden said:

    you really [...] want to nitpick in the extreme.

    YMBNH. HTH, HAND.



  • @HardwareGeek said:

    I wouldn't, but I'm guessing it's something along the lines of, "Because it's cold, and I want to start the car remotely so the heater can have the car all nice and warm before I walk from the house to the garage."

    I walk past a car every morning that does that. Californians are fucking wimps. I walk past in a short sleeve shirt.



  • @FrostCat said:

    Move away from where it's bloody cold!

    Actually I use it to start the car and the A/C!



  • It's this sort of thing that makes me really tempted to think that, despite the drawbacks, we should really be moving towards a model where there are licensed software engineers that need to sign off on software that is running in environments like this, have set standards for testing and verification, and will be held criminally liable if they are not met.



  • Like in ... avionics?



  • @EvanED said:

    where there are licensed software engineers that need to sign off on software

    There have been efforts in the past [in the USA], but they never went very far. The cost (Estimated) far outweighed the Value (Perceived)


  • Discourse touched me in a no-no place

    @powerlord said:

    Isn't this the same kind of shit that the airline industry is getting into trouble over?

    No.

    http://www.cems.uwe.ac.uk/~ngunton/afdx_detailed.pdf



  • @FrostCat said:

    What? And give up vendor lock-in? Are you insane, sirrah?

    I'm not sure the general public knows just how bad they are at it. Today's Chrysler news is pretty bad, but it's not the first announcement like this. High end car theft has largely moved from picking locks to hacking RF unlock systems. Every time a new phone comes out a lot of the built-in Bluetooth systems need to be updated. Map updates for a built-in NAV system cost 50 times as much as the same map updates cost for a TomTom. Most manufacturers won't make updates for systems that are four years old and there is no acceptable way to replace them with an aftermarket unit because of the deep integration with the rest of the vehicle.

    And my personal one... Mazda replaced my car after they gave up trying to get the infotainment system working reliably. Two years later, version 55 of the software came out and the fix list still looks like my problem list from 2013.



  • Sending data from the secure to the "insecure" system should not be a problem.

    To send commands from the insecure to the secure... well, an interface accepting a single byte (with a different value for every command) seems pretty impossible to hack so you could still do stuff like that.

    (Of course, it means an attacker can turn your engine remotely. Your choice).

    Most security isn't hard if you put some thought in it. The fundamental problems are isolating pieces of code (easiest solution: run them on separate hardware) and sanitizing inputs.
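
Added example, not part of any post in this thread: the narrow insecure-to-secure interface described in the post above, together with the "List Trouble Codes" versus "Update Firmware" concern raised earlier, written as a default-deny gateway filter in C. The CAN ID 0x7E0, the two allowlisted service bytes (OBD-II mode 0x03, UDS 0x19) and every `gw_` name are assumptions chosen for illustration, not details of Uconnect or of any vehicle discussed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct gw_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
enum gw_verdict { GW_FORWARD, GW_DROP_ID, GW_DROP_FORMAT, GW_DROP_SERVICE };

/* One permitted request: destination ID, service byte, longest payload. */
struct gw_rule { uint32_t id; uint8_t service; uint8_t max_len; };

/* Assumed policy: the head unit may only ask the engine ECU for trouble codes. */
static const struct gw_rule ALLOW[] = {
    { 0x7E0, 0x03, 1 },  /* OBD-II mode 03: read stored trouble codes */
    { 0x7E0, 0x19, 3 },  /* UDS ReadDTCInformation + sub-function + mask */
};
#define N_RULES (sizeof ALLOW / sizeof ALLOW[0])

/* Decide whether a frame arriving from the head unit may cross the gateway. */
enum gw_verdict gw_check(const struct gw_frame *f)
{
    int id_known = 0;
    for (size_t i = 0; i < N_RULES; i++)
        if (ALLOW[i].id == f->id) id_known = 1;
    if (!id_known) return GW_DROP_ID;
    if (f->dlc < 2 || f->dlc > 8) return GW_DROP_FORMAT;

    uint8_t type = f->data[0] >> 4, len = f->data[0] & 0x0F;
    /* ISO-TP flow control only paces the ECU's own long reply. */
    if (type == 3) return GW_FORWARD;
    /* First/consecutive frames carry bulk data toward the ECU, which is what
     * a firmware transfer needs; only short single frames may pass. */
    if (type != 0) return GW_DROP_FORMAT;
    if (len == 0 || len > f->dlc - 1) return GW_DROP_FORMAT;

    for (size_t i = 0; i < N_RULES; i++)
        if (ALLOW[i].id == f->id && ALLOW[i].service == f->data[1] &&
            len <= ALLOW[i].max_len)
            return GW_FORWARD;
    return GW_DROP_SERVICE;  /* default deny, e.g. 0x34 RequestDownload */
}

/* Convenience wrapper: build a frame from raw bytes and check it. */
enum gw_verdict gw_check_bytes(uint32_t id, const uint8_t *b, uint8_t n)
{
    struct gw_frame f = { id, n, {0} };
    memcpy(f.data, b, n > 8 ? 8 : n);
    return gw_check(&f);
}

int main(void)
{
    /* Constructed sample frames, not captured from a real vehicle. */
    const uint8_t read_dtc[] = { 0x03, 0x19, 0x02, 0xFF };
    const uint8_t download[] = { 0x04, 0x34, 0x00, 0x44, 0x00 };
    const uint8_t first_fr[] = { 0x10, 0x14, 0x36, 0x01, 0, 0, 0, 0 };
    printf("read DTCs        -> %d\n", gw_check_bytes(0x7E0, read_dtc, 4));
    printf("request download -> %d\n", gw_check_bytes(0x7E0, download, 5));
    printf("multi-frame data -> %d\n", gw_check_bytes(0x7E0, first_fr, 8));
    printf("unlisted CAN ID  -> %d\n", gw_check_bytes(0x123, read_dtc, 4));
    return 0;
}
```

The filter only helps if it runs on hardware the head unit cannot reflash, which is the separate-hardware isolation point made in the post above.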



  • @Jaime said:

    Auto makers need to get out of the "pretty screen" market because they are very bad at it. They should just sit down with Apple and Google and hash out a better interface between car and phone, then let the consumer buy whatever they want and hook it up to their car.

    Standards are hard, let's go shopping!

    (But yes, I agree with your sentiment 200%. Leave the software to the software makers).


  • Discourse touched me in a no-no place

    @Jaime said:

    Map updates for a built-in NAV system cost 50 times as much as the same map updates cost for a TomTom.

    That--and special cases like the one I mentioned a while back, about the guy whose car wouldn't route him onto dirt roads--are why I don't ever intend to get a built-in satnav.


  • Discourse touched me in a no-no place

    @Jaime said:

    Mazda replaced my car

    :facepalm:

    Should I take the Mazda3 off my shortlist for my next car?

    Also I wanted to QFT because a like isn't enough.



  • @FrostCat said:

    Should I take the Mazda3 off my shortlist for my next car?

    I love my Mazda3 and would buy another if a meteor crashed into my current one. But, the infotainment system went through a lot of teething pains. The current version is no worse than the crap that comes with its competitors. It's also no better.

    I also have to give them credit for actually replacing my car instead of scheduling an endless series of software update appointments.

