Hackers can take over any Chrysler vehicle from the last 2 years. Yes, fully remotely. Yes, including steering, brakes and transmission.



  • @lesniakbj said:

    We need quick, performant code.

    Yeah -- I want to see Blakey try to bit-bang custom serial protocols in C# sometime.

    🛂

    @Cursorkeys said:

    Nope, unless you just want to just make a huge soot cloud and nothing else. You need a decent detonator for ANFO, it is actually really insensitive.

    Yep -- ANFO is classed as a "blasting agent" and not a "high explosive" for exactly that reason. You'll want a decent detonator (including a booster charge) for it. Granted...I suspect a length of detcord would do the trick as far as booster charges go.

    @Rhywden said:

    http://www.bbc.com/news/technology-33622298

    Oh, nice. Off-the-shelf parts and a broadcast medium with a range measured in kilometers.


    Yeesh...not trivial, but this is just getting worse and worse all the time.


  • Fake News

    @tarunik said:

    not trivial, but this is just getting worse and worse all the time

    Fear not! To take advantage of vulns like these would require a fair bit of organization, talent and money. Russia? China? Islamic State? Pshaw!



  • it's done:



  • @tarunik said:

    Yeesh...not trivial, but this is just getting worse and worse all the time.

    The (not so) nice thing about technology?
    It's only non-trivial until someone wraps it in a neat little package to go that makes it trivial.

    Consider angry-at-the-world teen script-kiddies hacking your car and going to play a round of IRL Carmageddon.
    Unless car manufacturers wake up and finally start getting their act together, this will happen. It's unavoidable and only a matter of time. The genie is out of the bottle now that Chrysler has taken this to the general public with their recall.



  • @Ragnax said:

    The (not so) nice thing about technology?
    It's only non-trivial until someone wraps it in a neat little package to go that makes it trivial.

    Consider angry-at-the-world teen script-kiddies hacking your car and going to play a round of IRL Carmageddon.
    Unless car manufacturers wake up and finally start getting their act together, this will happen. It's unavoidable and only a matter of time. The genie is out of the bottle now that Chrysler has taken this to the general public with their recall.


    Well, for most exploits, that is very true -- the major non-trivial part would be the physical injection of the exploit in at least some of these cases, however. (Radiating RF on bands that the FCC doesn't say you can radiate on can leave you with feds crawling over your house. Not that that's a bad thing, though -- RFI is no fun.)



  • @Jaime said:

    @Rhywden said:
    You're forgetting one thing: Building a bomb is relatively complicated.

    Tim McVeigh's bomb was 55-gallon drums filled with ANFO (a fertilizer) and diesel fuel. You literally just pour both into a drum and light it on fire.

    When I was young, we used to make pipe bombs by taking a used CO2 pellet gun cartridge, filling it with gunpowder, and sticking a wick in it. Blowing stuff up is not complicated - just dangerous. Remote detonation is moderately complicated, but a suicide bomber wouldn't go through the trouble.

    Yeah, I know how to quickly splatter a pumpkin using electrical or duct tape and 5 sparklers. Given a good fuse and assuming you know how to run, that one isn't even highly dangerous.



  • I've been around enough non-explosive chemical experiments going south fast that I have a lot of respect for the explosive variants.

    Plus, good gunpowder is not simply created by merely mixing the ingredients. And the alternatives - well, let me state that I hope that your country is watching who buys nitric acid, especially the fuming variant.



  • @tarunik said:

    Radiating RF on bands that the FCC doesn't say you can radiate on can leave you with feds crawling over your house.

    There's no guarantee that will happen quickly, though, or at all, unless it's causing someone ongoing problems. Back in my active ham radio days, we'd have hidden transmitter hunts. Even with a small army of people searching, it might take a couple of hours to find the hidden transmitter. Granted, the FCC almost certainly has better direction finding equipment than we had, but they're generally not standing around with foreknowledge of who's going to be transmitting illegally on what frequency at what time. If you're running a pirate FM broadcast station out of your college dorm room, and keeping a regular broadcast schedule, they'll catch you pretty quickly. If you're occasionally transmitting a short burst of digital data to compromise any vulnerable vehicle that happens to be nearby, that's quite a bit harder to find.


  • :belt_onion:

    I dunno about the FCC, but Civil Air Patrol (another Federal organization tasked with finding aircraft ELTs) uses old (80s old, roughly) L-Per direction finders on the ground...


  • Discourse touched me in a no-no place

    None of which will help in this case if the equipment is vehicle-mounted. “We've worked out that it's somewhere in the vicinity of Indianapolis…”



  • @dkf said:

    None of which will help in this case if the equipment is vehicle-mounted. “We've worked out that it's somewhere in the vicinity of Indianapolis…”

    Or if the equipment in question is a compromised car itself that was hacked to re-broadcast the signal, building up a swarm with every compromisible car it passes and infects. Not quite practical with RF and an exploit aimed at a radio, but if we're talking reinfection via Bluetooth and the average car-to-car distance in congested inner city traffic...


  • Discourse touched me in a no-no place

    @Ragnax said:

    but if we're talking reinfection via Bluetooth and the average car-to-car distance in congested inner city traffic...

    Don't worry, there'll be a wireless internet based approach soon enough. Because people want to be able to start their cars by their smartphones.



  • @dkf said:

    Don't worry, there'll be a wireless internet based approach soon enough. Because people want to be able to start their cars by their smartphones.

    I swear, if that becomes a reality then the first thing I'll do with any purchased car is to have the receiver disconnected or: no sale.


  • Discourse touched me in a no-no place

    @Ragnax said:

    if that becomes a reality

    Do read earlier in the thread.

    We are officially doomed.



  • I know of one guy who physically disabled the modem antenna for his BMW i3 because they wirelessly patched the driving firmware of his car without telling him. Said patch also altered the behaviour of his car in certain situations.



  • @Rhywden said:

    Said patch also altered the behaviour of his car in certain situations.

    That's extraordinarily vague, thank you.



  • Well, for instance, it altered the behaviour regarding recuperation to a much more aggressive setting.

    Then again, some updates were needed. For instance, the car communicated with the update server over HTTP.

    Not HTTPS.

    edit: Reading up on this makes it even more hilarious: Because this bug (and the exploits thereof) affected every BMW with the ConnectedDrive system.
    How was this bug discovered? Well, the ADAC wanted to know what kind of data the BMW transmitted to its base - and stumbled upon the unencrypted connection.

    Which made it possible to actually unlock the car.



  • @FrostCat said:

    There's a REASON Commander Adama wouldn't let them network his battlestar.

    That's why, like the Galactica, my Jeep is old. No wireless networking here, and good old mechanical connections to the controls! Sure do wish it got a bit better mileage, but that's OK, it's reliable and cheap to drive.

    Only networking it has is the aftermarket AppRadio I installed to get my tunes and GPS.

    I'm fairly certain this isn't a problem endemic to Chrysler products. With the amount of wireless and network inter-connectivity in vehicles now-a-days, I'd be surprised if you couldn't do roughly the same thing with any other recent model from another manufacturer. Heck, GM's had OnSTAR for years, and that has had the capability to cut the engine or lock/unlock doors for quite a while.

    Still, gotta wonder what idiot thought putting the infotainment system on the same bus as the rest of the vehicle's innards was a good idea. Wasn't there something in the news a while back about a researcher getting into the flight systems of an aircraft through its infotainment unit?


  • Discourse touched me in a no-no place

    @nullptr said:

    Still, gotta wonder what idiot thought putting the infotainment system on the same bus as the rest of the vehicle's innards was a good idea.

    It's easy enough: think dumbass meets cheap-ass.



  • @nullptr said:

    AppRadio I installed

    Which is of course connected to neither the CAN bus nor the OBD2 port?



  • @dkf said:

    dumbass meets cheap-ass.

    I'm thinking it happened gradually. Connect engine to lights and speedo, now add ABS. Now add light motors etc.
    Then add steering wheel buttons to the radio. Now add Bluetooth to the radio, no worries, right?
    I think that's how it happened. Complacency and economics.



  • @nullptr said:

    Still, gotta wonder what idiot thought putting the infotainment system on the same bus as the rest of the vehicle's innards was a good idea. Wasn't there something in the news a while back about a researcher getting into the flight systems of an aircraft through its infotainment unit?

    Yes. It was a lie because the network structure of an airplane is very different from that of a car. The infotainment unit in an airplane is basically only a receiver - and if for some reason, it tried to actually send data its data port would be shut down.
    That's not for security reasons, though, it's because the switch knows which devices send and/or receive data to/from which devices. And a device which suddenly sends data when the hardwired configuration states "only receiving" will be considered malfunctioning (and thus cutoff from the network). Same goes for a device which may only send to device A but suddenly tries to connect to device B.

    The security aspect of this is purely incidental but very effective nonetheless.



  • @swayde said:

    @nullptr said:
    AppRadio I installed

    Which is of course connected to neither the CAN bus nor the OBD2 port?

    Nope, it just replicates my phone screen. The phone itself is hackable, but hacking that won't change the vehicle at all. I do have a Bluetooth OBDII reader, but all they could do via that would be reset my check engine light or oil change interval.



  • @nullptr said:

    Nope, it just replicates my phone screen. The phone itself is hackable, but hacking that won't change the vehicle at all. I do have a Bluetooth OBDII reader, but all they could do via that would be reset my check engine light or oil change interval.

    Well, it depends on what access to the CAN bus the OBD-II reader grants its clients...



  • @tarunik said:

    Well, it depends on what access to the CAN bus the OBD-II reader grants its clients

    Yup. I can update my firmware over the OBDII port. It's not supported by the manufacturer and not supposed to be possible, but I can do it.



  • @Jaime said:

    It's not supported by the manufacturer and not supposed to be possible, but I can do it.

    Huge red flag right there. Probably means absolutely zero defense in depth added to the car's systems. It probably doesn't even have basic filtering of which devices connected to the bus are allowed to talk to each other.



  • As Tarunik said, such a filter is not really possible.



  • @tarunik said:

    @nullptr said:
    Nope, it just replicates my phone screen. The phone itself is hackable, but hacking that won't change the vehicle at all. I do have a Bluetooth OBDII reader, but all they could do via that would be reset my check engine light or oil change interval.

    Well, it depends on what access to the CAN bus the OBD-II reader grants its clients...

    I'm not horribly worried about it. The OBD-II scanner has a maximum range of 10', and only allows one connection at a time. Plus it's got a user-settable PIN, so they'd have to crack that first.

    Which, of course, implies that someone would even be interested in hacking an '05 Jeep going down the highway. I find that highly dubious.



  • @nullptr said:

    Plus it's got a user-settable PIN, so they'd have to crack that first

    This is as far as I know not much of a protection anymore.
    @nullptr said:

    maximum range of 10',

    This can be extended greatly.

    @nullptr said:

    even be interested in hacking an

    How about all cars with Bluetooth OBD2 readers?
    Many have fairly similar interfaces, and a hack could be as simple as a denial of service on the ECU (say spam with expensive commands)

    In all seriousness, I'd considered buying one too and connecting it to a Chinese head unit. The Chrysler hack has convinced me otherwise.



  • From what I've read, OBD-II ports are, most of the time, completely insecure.

    This isn't a problem as long as people know it, since it's inside the car. Having a wireless transmitter attached to it all the time is a problem, unless it was unhackable (and I'd bet a lot of money that it's not).

    Still, a bluetooth hack is nowhere near as bad as an IP hack.



  • @Rhywden said:

    As Tarunik said, such a filter is not really possible.

    Yeah, you'd need a switch or bridge device in the middle of the CAN bus, at a minimum, to accomplish this.
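    The bridge device described in this post, and the "port knows who may send what" behaviour described in the earlier post about aircraft networks, amount to the same defensive idea: a gateway between bus segments that forwards only frames matching a static allowlist and cuts off a segment that violates it. The following is an added example written for this thread, not code from any poster or manufacturer; the bus names, arbitration IDs (other than the standard OBD-II functional request ID 0x7DF) and payloads are constructed, and the three-strikes quarantine threshold is an assumption.

```python
"""Toy CAN gateway enforcing a static forwarding allowlist between vehicle bus segments.

Constructed example: bus names, arbitration IDs and payloads are made up and
do not correspond to any real manufacturer's CAN matrix."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_bus: str   # bus segment the gateway received the frame on
    can_id: int    # 11-bit arbitration ID (hypothetical values below)
    data: bytes


# Forwarding policy: src_bus -> {can_id -> destination segments}.
# Anything not listed is dropped, so the infotainment segment can never
# originate a powertrain-ID frame, even if the head unit is fully compromised.
POLICY: Dict[str, Dict[int, FrozenSet[str]]] = {
    "powertrain":   {0x100: frozenset({"body", "infotainment"})},  # speed broadcast, consumers read-only
    "body":         {0x200: frozenset({"infotainment"})},          # door/lock status readout
    "infotainment": {0x300: frozenset({"body"})},                  # steering-wheel button presses
}


@dataclass
class CanGateway:
    policy: Dict[str, Dict[int, FrozenSet[str]]]
    quarantine_after: int = 3                 # assumed threshold: violations before cut-off
    violations: Dict[str, int] = field(default_factory=dict)
    quarantined: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)  # log lines a diagnostic tool could read out

    def route(self, frame: Frame) -> List[Tuple[str, Frame]]:
        """Return (dest_bus, frame) pairs to forward; an empty list means the frame was dropped."""
        tag = f"{frame.src_bus}:{frame.can_id:#05x}"
        if frame.src_bus in self.quarantined:
            self.audit.append(f"drop {tag} (segment quarantined)")
            return []
        allowed = self.policy.get(frame.src_bus, {})
        if frame.can_id not in allowed:
            n = self.violations.get(frame.src_bus, 0) + 1
            self.violations[frame.src_bus] = n
            self.audit.append(f"drop {tag} (ID not permitted from this segment, violation {n})")
            if n >= self.quarantine_after:
                # Mirror the avionics behaviour: a node talking out of turn is treated as faulty.
                self.quarantined.add(frame.src_bus)
                self.audit.append(f"quarantine {frame.src_bus}")
            return []
        return [(dest, frame) for dest in sorted(allowed[frame.can_id])]


def run_scenario() -> Tuple[CanGateway, List[Tuple[str, Frame]]]:
    """Replay a constructed traffic sample through the gateway and return what got forwarded."""
    gw = CanGateway(POLICY)
    frames = [
        Frame("powertrain", 0x100, b"\x00\x3c"),        # legit: speed to body + infotainment
        Frame("infotainment", 0x300, b"\x01"),          # legit: volume-up button
        Frame("infotainment", 0x100, b"\x00\x00"),      # spoofed speed frame from head unit: dropped
        Frame("infotainment", 0x7DF, b"\x02\x01\x0c"),  # OBD-II functional request from head unit: dropped
        Frame("infotainment", 0x100, b"\xff\xff"),      # third violation: segment quarantined
        Frame("infotainment", 0x300, b"\x01"),          # even legitimate traffic is now cut off
    ]
    forwarded: List[Tuple[str, Frame]] = []
    for f in frames:
        forwarded.extend(gw.route(f))
    return gw, forwarded


if __name__ == "__main__":
    gateway, out = run_scenario()
    for dest, fr in out:
        print(f"forward -> {dest}: {fr.can_id:#05x} {fr.data.hex()}")
    print("\n".join(gateway.audit))
```

    The allowlist is keyed on the receiving segment, not on any claim inside the frame, because CAN frames carry no sender identity: the only thing a gateway can trust is which physical wire a frame arrived on. That is also why the filter the thread asks for needs a bridge in the middle; on a single shared bus every node sees and can emit every ID.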



  • Re: Bluetooth OBDII readers

    I think you guys are being a bit paranoid here. Even if you COULD extend the 10' range by a factor of 10, so 100', keep in mind that the vehicle is in motion. 100' doesn't take that long to travel.

    Also, my reader (and I suspect most) only accepts one connection at a time. Since I carry my phone with me, and my phone auto-connects to it, they wouldn't be able to connect anyway.

    So, if I forgot my phone or it was otherwise not connected, you'd have to end up with someone in another vehicle keeping alongside you for the time it'd take them to hack into your particular OBD-II reader (and there are a lot out there), determine what subset of commands the reader will send and the ECU accept, and then do whatever it is they want to do. Keeping in mind that ECUs of different models and even years of cars sometimes have their own specific subset of acceptable commands.

    As for 'denial of service' attacks on the ECU, I don't think there is enough bandwidth available on the OBD-II bus to do that. It'll only accept one command at a time, and that's rate-limited to how fast the ECU can process it. If a command is invalid, the ECU just tosses it.

    It's just not something I see someone doing unless they are targeting someone.

    Not to mention, hell, it's an '05. No one is going to look at it and think, "Huh, I bet that is wirelessly enabled so I can hack it".


  • Discourse touched me in a no-no place

    @nullptr said:

    Even if you COULD extend the 10' range by a factor of 10

    Why "if"? Haven't you ever seen a Class 1 device? Just like how if you boost the power on an RFID reader you can read from farther away, BT works the same way. I used to have a neat little BT host with an actual antenna on it and could connect to class 2 devices from 50 feet away.

    @nullptr said:

    keep in mind that the vehicle is in motion. 100' doesn't take that long to travel.

    So the would-be hacker just drives and maintains a reasonable (to him) distance to you. Which you mention below.

    @nullptr said:

    my reader (and I suspect most) only accepts one connection at a time.

    This is, bizarrely, probably the best defense.

    @nullptr said:

    Keeping in mind that ECUs of different models and even years of cars sometimes have their own specific subset of acceptable commands.

    GPSD has the same issue; it works by probing. Depending on the details, a BT OBD-II hack could work that way too.

    I mean, it's all pretty unlikely, of course, but it's probably less impossible than you make it out.



  • @FrostCat said:

    ly, of course, but it's probably less impossible than you make it out.

    I think it'd be a lot more likely that someone would attempt to hack my phone or home wireless. If I simply tossed everything because it might be hacked, I'd be living in a cabin in the woods cooking over a fire with all my money stored in an old spring mattress.

    That said, some modern vehicles with everything (including the door locks) on the same bus? Yeah, I could see people having reason to hack that. Car thieves especially. "Hey, free Tesla!"



  • @nullptr said:

    Also, my reader (and I suspect most) only accepts one connection at a time. Since I carry my phone with me, and my phone auto-connects to it, they wouldn't be able to connect anyway.

    @nullptr said:

    It'll only accept one command at a time, and that's rate-limited to how fast the ECU can process it. If a command is invalid, the ECU just tosses it.

    Both of those rely on the security measures of the devices. Experience has shown that these are the very defenses that will be bypassed by exploits that are found. That's why I brought up that my ECU can be flashed over OBDII. Someone found an exploit to get it done.

    If you can send electrical signals to a device, then you can probe it for weaknesses. If the device was built without rigorous development processes that address security issues, then exploits will be found. Most likely, one of the exploits will allow updating device firmware (since manufacturers love to use existing connections to initially load the firmware), and all rules go out the window.

    Think of any device that has security that you can take home and ask yourself if it has been compromised. Blu-ray players, satellite receivers, and game consoles all come with strong protections, yet all of them are eventually compromised. Why would a component of a car, which has very little economic incentive to secure, fare better?



  • My OBDII reader can be unplugged. Good luck hacking it when it doesn't even have power! 😛



  • @mrguyorama said:

    My OBDII reader can be unplugged. Good luck hacking it when it doesn't even have power! 😛

    Mine too, takes about 5 seconds to do so. Just reach down and pull. 😄


  • Fake News

    Oh look, OnStar may have similar problems (TRIGGER WARNING: Fox News ref): http://www.foxnews.com/leisure/2015/07/30/is-onstar-still-susceptible-to-remote-hack-attacks/



  • I thought that onstar had this issue like, many many years ago.


  • Fake News

    Right, but it looks quite possible that GM ain't done shit to put a true fix in place.



  • @lolwhat said:

    Right, but it looks quite possible that GM ain't done shit to put a true fix in place.
    I know when I'm looking to buy something, a company saying "I won't tell you if we've fixed this significant vulnerability" is a major upside. I don't see how you could not buy a GM car after that.



  • Yeah, but I meant like, I thought that vulnerability that OnStar had was nearly identical to this situation, and we don't have a slew of OnStar vehicles murdering important people. Shame on Chrysler for being utterly stupid, but I'm not actually afraid of any serious issues here, though using this in some sort of state-sponsored, targeted attack (think Stuxnet) is a much bigger possibility.


  • ♿ (Parody)

    We need to regulate deer, my dear!

    http://www.countylineregulators.com/YoungGunMountUp.jpg



  • I'm whooshing here. Like, really badly


  • ♿ (Parody)

    Someone upthread was lecturing us on how we needed regulations, like now. I started asking questions similar to yours and was told I was an idiot because I thought that hackable cars aren't a problem. Now I'm making fun of him.



  • Ahh, I didn't remember those older posts because I'm dumb

    👍

    I agree with that


  • Fake News



  • FFS I hate censored music.. It sounds somewhat like listening to an old portable CD player while running...

