How Those Hackers Took Complete Control of That Jeep

It was an overcast day with temperatures in the mid-seventies – a perfect day to take your brand new Jeep Cherokee for a nice relaxing drive. You and your partner buckle in and find yourselves merging onto the freeway just a few minutes later. You take in the new car smell as your partner fiddles with the central touch screen display.

“See if it has XM radio,” you ask as you play with the headlight controls.

Seconds later, a Taylor Swift song begins to play. You both sing along as the windows come down. “Life doesn’t get much better than this,” you think. Unfortunately, the fun would be short-lived. It started with the windshield wipers coming on – the dry rubber-on-glass making a horrible screeching sound.

“Hey, what are you doing!”

“I didn’t do it….”

You verify the windshield wiper switch is in the OFF position. You switch it on and off a few times, but it has no effect. All of a sudden, the radio shuts off. An image of a skull and wrenches logo appears on the touchscreen. Rick Astley’s “Never Gonna Give You Up” begins blaring out of the speakers, and the four doors lock in perfect synchronization. The AC fans come on at max settings while at the same time you feel the seat getting warmer, as the seat heaters too are set to max. The engine shuts off and the vehicle shifts into neutral. You hit the gas pedal, but nothing happens. Your brand new Jeep rolls to a halt on the side of the freeway, completely out of your control.

Sound like something out of a Hollywood movie? Think again.

[Charlie Miller], a security engineer for Twitter, and [Chris Valasek], director for vehicle safety research at IOActive, were able to hack into a 2014 Jeep Cherokee via its wireless on-board entertainment system from their basement. A feature called UConnect, which allows the vehicle to connect to the internet via a cellular connection, has one of those things you might have heard of before – an IP address. Once the two hackers had this address, they had the ‘digital keys’ to the Jeep. From there, [Charlie] and [Chris] began to tinker with the various firmwares until they were able to gain access to the vehicle’s CAN bus. That gave them the ability to control many of the car’s functions, including (under the right conditions) the ability to kill the brakes and turn the steering wheel. You have probably already heard about the huge recall Chrysler issued in response to this vulnerability.

But up until this weekend we didn’t know exactly how it was done. [Charlie] and [Chris] documented their exploit in a 90 page white paper (PDF) and spoke at length during their DEF CON talk in Las Vegas. That video was just published last night and is embedded below. Take a look and you’ll realize how much work they did to make all this happen. Pretty amazing.

If you do have a Jeep Cherokee in your garage – not to worry. The two hackers have been working closely with Chrysler, who have in turn released updates to prevent this kind of hack from happening. Just make sure you update your firmware.

Thanks to [Robert Marshall] for the tip.

71 thoughts on “How Those Hackers Took Complete Control of That Jeep”

  1. Wow, how amazingly stupid to have all of a car’s systems controlled by an unsecured computer. Absolutely stupid. I would make some joke about Chrysler quality if it weren’t for the fact that this sort of asinine engineering is almost universal in the car industry.
    Makes me wish I could afford a retro-modded classic. Then I would at least know that the wiper switch was actually connected to the wipers…

    1. Agreed it is stupid.
      The funny thing is this could have been avoided by using a simple PIC or AVR with the right fuses blown so it cannot be programmed in circuit as a firewall controller to filter CAN bus commands, or better yet have no connection at all between the radio and the CAN-C bus.
      Yes this means PAM and FWC+ will no longer be fully automatic but if you need these to drive safely you probably should not be driving anyway.
      BTW a good classic car is usually much cheaper than an equivalent new car.
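The filtering controller this comment proposes, written out as an added example that is not part of the thread, the article, or the researchers' published work: a small gateway that sits between the head unit and the vehicle bus and forwards only frames on an allowlist, with a per-ID payload-length cap and a per-ID rate limit so that even an allowed identifier cannot be used to flood the bus. Every CAN identifier, length and rate below is constructed for illustration; a real deployment would take them from the vehicle's own bus specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article or the researchers' paper: a minimal
 * allowlist CAN gateway for the head-unit side of a vehicle network.
 * All identifiers, lengths and limits here are constructed placeholders. */

#define CAN_MAX_DLC 8
#define WINDOW_MS   100u   /* rate-limit window, constructed value */

typedef struct {
    uint16_t id;                 /* 11-bit standard CAN identifier */
    uint8_t  dlc;                /* data length code, 0..8 */
    uint8_t  data[CAN_MAX_DLC];
} can_frame_t;

typedef enum {
    GW_FORWARD = 0,   /* frame passes through to the vehicle bus */
    GW_DROP_ID,       /* identifier is not on the allowlist */
    GW_DROP_DLC,      /* payload longer than the rule permits */
    GW_DROP_RATE      /* too many frames for this ID in the window */
} gw_verdict_t;

typedef struct {
    uint16_t id;
    uint8_t  max_dlc;
    uint8_t  max_per_window;
    uint32_t window_start_ms;    /* runtime state */
    uint8_t  count;              /* runtime state */
} gw_rule_t;

/* Hypothetical allowlist: the only IDs the head unit may send. */
static gw_rule_t rules[] = {
    { 0x3A0, 2, 5,  0, 0 },   /* e.g. a volume/mute request (constructed) */
    { 0x3A1, 4, 10, 0, 0 },   /* e.g. a display status message (constructed) */
};
#define RULE_COUNT (sizeof rules / sizeof rules[0])

static uint32_t dropped_total;

/* Reset runtime counters (used at boot and by the self-test). */
void gw_reset(void)
{
    for (size_t i = 0; i < RULE_COUNT; i++) {
        rules[i].window_start_ms = 0;
        rules[i].count = 0;
    }
    dropped_total = 0;
}

/* Decide whether a frame from the head unit may cross onto the vehicle bus.
 * now_ms is the gateway's monotonic clock in milliseconds. */
gw_verdict_t gw_filter(const can_frame_t *f, uint32_t now_ms)
{
    for (size_t i = 0; i < RULE_COUNT; i++) {
        gw_rule_t *r = &rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc > r->max_dlc) {           /* oversized payload for this ID */
            dropped_total++;
            return GW_DROP_DLC;
        }
        if (now_ms - r->window_start_ms >= WINDOW_MS) {  /* open a new window */
            r->window_start_ms = now_ms;
            r->count = 0;
        }
        if (r->count >= r->max_per_window) { /* budget for this window used up */
            dropped_total++;
            return GW_DROP_RATE;
        }
        r->count++;
        return GW_FORWARD;
    }
    dropped_total++;                          /* default deny: unknown ID */
    return GW_DROP_ID;
}

uint32_t gw_dropped(void) { return dropped_total; }

int main(void)
{
    static const char *names[] = { "FORWARD", "DROP_ID", "DROP_DLC", "DROP_RATE" };
    /* Constructed traffic: one legitimate frame, one with an ID the head
     * unit has no business sending, and one oversized payload. */
    can_frame_t frames[] = {
        { 0x3A0, 2, { 0x01, 0x00 } },
        { 0x2C0, 8, { 0 } },
        { 0x3A0, 8, { 0 } },
    };
    gw_reset();
    for (size_t i = 0; i < 3; i++)
        printf("id=0x%03X dlc=%u -> %s\n", frames[i].id, frames[i].dlc,
               names[gw_filter(&frames[i], 0)]);
    printf("dropped=%u\n", (unsigned)gw_dropped());
    return 0;
}
```

The default-deny loop is the important part: anything the head unit was never specified to send is dropped before it reaches the vehicle bus, and the dropped counter gives a diagnostic hook so that a burst of rejected frames can be logged as an indicator that something upstream has been compromised.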

      1. But if you remove that connection it doesn’t allow the car manufacturer to disable your car or put it in “return to factory” mode when you refuse to pay your monthly lease for the firmware in the car. Skynet (Microsoft) are probably trying to work something similar out for Windo$e 10.

  2. When I first heard about airplanes having onboard wifi a buddy of mine was terrified that now hackers can hijack the plane. I thought, “no way, there is no damn way they would be stupid enough to not have the customer comfort wifi and the critical aircraft control systems on physically isolated networks.” Which is exactly what happened on aircraft, and is exactly what happened here.

    Coming from an IT security background, I can promise you: physical isolation is the only true security. If a network has a means of signal flow, it CAN and WILL be breached.

    1. Seriously, why do I know that, and I’m just some geek, why does everyone on this site know that, but apparently the people who make fucking AEROPLANES don’t!?!? And cars as well. For one thing it’s a thousand times easier to test for safety when you can rule out the Wifi ever connecting to the brakes. And why DON’T they test for that?

      Physical separation is computer security 101. Seriously, I’m asking, what’s the problem? The people who create the in-car network must know that. So why don’t they?

      Even if it’s a simple bean-counting measure, an extra couple of lengths of wire is nothing compared to a recall, or a horror story like this, but with malicious hackers, hitting the press and destroying the company altogether. Is it just short-term thinking? Somebody gets a bonus for saving a bit of wire, and the car’s safety “isn’t their job”?

      I think perhaps the regulations need updating now cars are letting external connections into their computers. Either the government or some car manufacturer’s association. Since apparently there’s manufacturers who are letting crazy shit like this fly.

    1. I took that as part of the fantasy story the article started with, happening to the hypothetical “you”. And these “jokers” are white-hats in real life, it’s a good job it’s them discovered it and not someone more criminally inclined.

  3. And they want to make wireless networking mandatory I hear. And I also hear people saying they want to find the damn radio when they bought a car and destroy it.
    I’m with the second group. And not (only) because of hackers but more because of abuse by government and law enforcement and such. Tracking and remote control basically makes you a slave.

    1. V2V would be a disaster waiting to happen and would be highly abused by people on both sides of the law.
      If it included a means for regular cops to make a car stop remotely there would be absolutely no way to make it safe as such a backdoor will quickly become documented to the point exploiting it would become the sorta thing bored teenagers with modest technical skills could do.
      People need to write their congress person and tell them they do not want the junk NHTSA is pushing for in their cars.

      1. A simple 50 ohm terminator will solve most of those things.

        Most vehicle telematics connections are FAKRA, so adaptors to SMA are available. Just put a terminator after the SMA adaptor. Problem solved, as long as you don’t need any of the premium features of the vehicle such as factory navigation.

  4. Huh, this is the only Jeep problem my CJ can’t suffer from!

    On the comments calling for Chrysler to lock down these systems so people can’t use what they thought they owned: Didn’t HaD do a story on John Deere tractor software that had commenters demanding the exact opposite?

  5. V2V comms are the future. Remove the idiot mostly from the rapid decision making loop. Car 1 has to brake heavily, and hits something in the road… car 43 in the queue knows about it instantly and slows down fractionally, warning possibly and maybe suggesting a diversion around another street

    1. This is what scares the hell out of me about V2V. Regardless of the security implemented, someone, at some point, will crack it. Now build yourself a device that randomly emits “I’ve just gone from 60 to 0”, causing every car that thinks it’s behind it to slam on the brakes (or “breaks”, depending on which revision of the article you’ve read :) ).

      1. Even without malicious intent, have these people not heard of chaos theory? It’s what causes traffic jams with all cars. Throwing ad-hoc randomly-connected computer networks in there isn’t going to end up well. I bet it’ll cause a lot more harm than it prevents, and they’ll never catch the “bugs” cos it’s intrinsic to the system. Off to find a bookie who specialises in social disasters…

      2. If V2V becomes common place companies will likely make such a device for law enforcement.
        Once or even before such devices have trickled down to the average traffic cop expect to hear on the news where some bored teenagers made or bought such a device and decided it would be funny to stop all the cars on a freeway off ramp causing a traffic jam or even a pile up.
        It’ll become the new dropping bricks off overpasses.

  6. They did it because the GPRS/CDMA baseband connected OMAP chip was connected to the engine computer via SPI so all you needed was code-execution on the OMAP and you could flash the internal control module. Their only fix was blocking ports, but there are around eight other ports open on the vehicles. If it wasn’t for that SPI they could only hack the entertainment system.

    Funny thing is the people who FCA contracted to do the firmware for them did 90% of the work for the hackers by putting everything in unsigned LUA scripts so you don’t even need to backdoor CAN.

    1. > Funny thing is the people who FCA contracted to do the firmware for them did 90% of the work for the hackers by putting everything in unsigned LUA scripts so you don’t even need to backdoor CAN

      Unf#ckingbelievable…

      On the bright side, it does mean that any skr1pt k1ddie can still hope to write firmware for major car corporations. IoT is like the Interweb 20 years ago.

  7. The scarier thought is what if the three letter government agencies, with or without warrants, could anonymously pattern match everyone in the country’s GPS coordinates like they do with phone records? Or remotely turn on the cabin mics and driver distraction facing cameras to eavesdrop on conversations? Or remotely pull over the car and lock the exterior doors during a traffic stop? Or use all cars passing by a GPS location to remotely send the surround view camera feeds for continuous inconspicuous surveillance of an address or person?

    I’m less worried about Wei Lee in China hacking my car and more worried about John Smith at the NSA or FBI….

    1. All cellphones in the US now have mandatory GPS, supposedly to help locate people when they make a 911 call, meaning the ‘off’ switch in settings isn’t quite such a hard kind of ‘off’.
      I wonder what other ‘special circumstances’ would make that ‘off’ less off than you would think when seeing the word off.

      1. I’m sure you could destroy the GPS antenna if you really wanted to. As it is, locating phones has been possible, and done, from the start. You just triangulate from the nearest cell towers.

        If you’re being super-sneaky, just wrap the phone in foil and take the battery out. Or leave it at home. Tie it to your dog, and there’s your alibi.

        1. Destroying such things in a modern cellphone is not that easy, they are all glued shut and the chips are all combining functions so it becomes harder to target one specific function, same for antenna assemblies, hard to reach, hard to specifically target one function.
          And of course if you are going to mod, you might as well make it switchable, maybe add an SMA connector for an external antenna that you can remove, this is HaD after all :)
          And while in there, also put a switch in the microphone circuit and maybe the cameras.

          1. Cameras, the one modern piece of tech where duct-tape still does its wonderful job!

            I admit I’ve no idea what a phone’s GPS antenna looks like, but I’d have thought they’d separate it from the cell network antenna. I suppose it’s a miracle it works at all really, lots of software signal processing I suppose.

            Speaking of GPS, Stephen Fry’s inept and completely wrong explanation of it is well worth seeing. A website ran a Fry-day column where readers were invited to make Fry-esque explanations of how technology works.

      2. Not true.

        Cell phones don’t need GPS to get a rough estimate as to where the device is. My old $150 off contract crap phone can get an approximate location by cell towers alone.

  8. While I totally believe that you can control everything on the CAN bus wirelessly and toggle control bits in the ECU to disable ABS and shut off the injectors to kill the engine, some transmissions are electronically controlled but anything other than shifting to neutral is prevented by physical hydraulic interlocking. I do know that there is no way to “turn the steering wheel” electronically without a self parking feature. I hear blogs posting about this and freaking out about steering the car remotely which is truly fear mongering in this situation.

    That said this is still a massive problem that needs to be addressed on a lot more than just a recall basis, this needs to be dealt with by replacing CTO’s and everyone down the electronics and security chain in a management position that obviously made the cost decision that security was being too paranoid.

    On a related note I have a bluetooth OBDII sensor in my car and its always screaming its name to those passing so I keep it unplugged now. Also my phone automagically paired to the guys truck next to me at a light once and he was freaking out, that was fun.

    1. I’m an autospark. Electric power steering failures are commonplace and a regular mode of failure is the assist motor going full on in one direction or the other. This applies to various systems from Bosch, Delphi and Marelli and a few others. When this happens the ECU in charge notices full current draw by the (3 phase usually) drive motor when no assist was requested and shuts the system down. However if the torque sensor (various types are available and again I’ve seen them all fail) tells the ECU that the human is imparting a load on the steering and assist is required, the ECU obliges. Now on some cars the torque sensor is factory calibrated or mechanically calibrated but some are calibrated in software… change the calibration and the ECU will think you’re requesting full assist with no input. Change the speedo calibration and you will get full assist at 70mph. Not implausible.

      1. Once again, I’m old. I did not know power steering had gone all electrical, it makes sense, but I just never put the thoughts together.

        All of that hydraulic / vacuum / belt driven pump stuff gets replaced with a single electric motor and a sensor or 3, software calibration so you do not need to make a different one for each model of car.

        I am sure that the motor is strong enough to overpower just about anything I can do to control the steering wheel.

        Fan and fuel pump went electric years ago. Electric power steering gets rid of that pump. How long do you think it is going to take for brakes to go completely electrical? A few pounds of wire and a couple of magnets wrapped in a metal box would replace the hydraulic/mechanical/friction system.

    1. The other day I read that the TSA was showing a newspaper reporter from a big newspaper how they did things, and it seems all TSA approved locks on baggage have a master key so the TSA can open them, so those TSA people showed their big bundle of master keys, and they published a photo of it.. or in other words, now anybody can make master keys for baggage by templating from the photo.

      And using non-TSA locks is not allowed BTW..

      So basically that whole security concept is dead now

      1. This is what I meant… From the article “That’s when they cut the transmission.

        Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

        It was irresponsible and they should be ashamed of themselves. I’ve been in infosec when it used to be IT doing it without the formal title. You never risk a life making a point.

        1. Maaaaybe that’s not -exactly- what happened. People like drama in a story, and Wired hasn’t been taken seriously by technical people for decades. If ever. Who even reads it now?

          It’s not like journalism school has taught the concept of “honesty” for a few decades now either.

          1. I think reliable journalism is a fiction from TV and movies, and people see old movies and think it existed in the past, but nah.
            Although maybe once the censorship on smaller issues and the ‘memo’ system was less organized than now.

  9. Since 2008, all cars sold in the United States are required to use the ISO 15765-4 signalling standard (a variant of the Controller Area Network (CAN) bus). This remote control problem will only get worse over time. The driver is now completely disconnected from the mechanics of the car. The computer can override you and you cannot override it. Law enforcement also has backdoor ways to access modern car control systems as well. So if you don’t want narcissistic “hackers” to break into your car, consider something made before 2008 and stay away from anything that uses CAN.

    1. I wouldn’t say avoid anything with CAN as it is an amazing way to simplify complex wiring situations in high tech cars, but I would avoid cars with wireless capabilities. CAN should only ever be accessible physically.

    2. It’s a classic example of government regulation creating a problem much worse than the one it set out to solve.
      We need to dial back a lot of these stupid requirements they pushed for.

      1. Yeah but it at least takes research. It’s the same as burglar alarm theory, or bike locks. They don’t actually make your stuff theft-proof, but a thief’s more likely to take the easy option. If there’s a million cars I know I can break into, I’m not gonna bother wasting time on some weirdo model. Especially if I’m not actually a security expert, just some thief using downloaded software and electronics gear from Russia.

        1. In fact, just to add, but isn’t heterogeneity considered a strength nowadays? Backup systems that work along different principles, different manufacturers’ components, from the main system. It thwarts bugs and makes life harder for a hacker.

      1. If Apple made cars… they’d be near-impossible to hack into, but would only drive to predesignated commercial outlets. Nobody would be able to afford one, and when it ran out of fuel you’d have to buy a new one.

        1. Uhm… Near impossible? Their devices are regularly jailbroken. A jb by definition is the abuse of a major security vulnerability.

          Rooting most Android devices is different: they’re rewriting parts of the firmware via allowed methods – like rewriting the bootloader, all of which require a factory reset to protect user data. There are some jb methods, but they’re not as common.

  10. Cadillac emphasized in a written statement that the company has released a new Escalade since Miller and Valasek’s last study, but that cybersecurity is “an emerging area in which we are devoting more resources and tools,” including the recent hire of a chief product cybersecurity officer. After Miller and Valasek decided to focus on the Jeep Cherokee in 2014, it took them another year of hunting for hackable bugs and reverse-engineering to prove their educated guess.

  11. Does anyone here actually believe that the manufacturer had no clue this kind of thing was possible? Yes there is ignorance and mistakes happen but as many have stated already there are easy solutions to avoid this possible hack yet we are to believe that no one in the process from design to production to testing picked up on this?

    We know that corporations lie and if their bean counters say the profits will exceed projected losses from liabilities they will produce something that could be harmful or even deadly. They just make sure to do it in a way so as to limit their liability to the projected financial losses (aka no actual jail time or true accountability). If we all knew that we could speed as much as we want and at worst it would only cost us a few dollars each time we got caught, how many of us would then ignore the speed limits?

    You can find news articles (i.e. Reuters, Associated Press) on banks being caught laundering money and yet no one goes to jail (or they throw some middle management lackey under the bus to take the fall) and at most they are charged fines that sound like a lot but are nothing in comparison to the profits they made.
