Car Security Experts Dump All Their Research and Vulnerabilities Online

[Charlie Miller] and [Chris Valasek] have just released all their research, including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates, which were rolled out in response to their hack of a Cherokee in 2015.

FCA, the corporation that owns Jeep, had to recall 1.5 million Cherokees to deal with the 2015 hack, issuing them all a patch. However, the patch wasn’t all that great: once exploited, it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place. The papers they have released are a goldmine for anyone interested in hacking, or even just messing around with cars via the CAN bus. They chronicle multiple hacks, from changing the speedometer to remotely controlling a car through CAN message injection. And this release isn’t limited to Jeep. The research covers a massive range of topics on a number of different cars and models, so if you want to play around with your car, this is the car hacking bible you have been waiting for.

Jeep is not too happy about the whole situation. The dump includes a lot of background for vehicles by multiple manufacturers, but the 2015 hack is prominent and has step-by-step instructions. Their statement on the matter is below.

Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

We anticipate seeing an increasing number of security-related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

88 thoughts on “Car Security Experts Dump All Their Research and Vulnerabilities Online”

  1. As someone who worked for a Tier-1 automotive supplier in electronic control systems, I can tell you Harman isn’t the only company that has massive security issues. It’s all due to security concerns, and the competency of those addressing them, being marginalized over other pursuits. The only way to reverse that pressure is to increase the costs of neglecting those concerns and hiring better people. Releasing this research, however large the short-term cost, will produce overall benefit over the long term. They’ve given more than enough time and notice to FCA to address issues… kudos for this move.

    For all those critical of Miller and Valasek below, remember, sticking your head in the sand and hoping a hacker doesn’t find the same exploits is not a solution… Pro-actively auditing systems and (responsibly) releasing the findings to the public makes us all safer.

    1. Exactly! I also just want to point out that people should read their research; there is a treasure trove of info in there, I can’t even begin to scratch the surface with an article. These guys really know their stuff.

    2. Behind many security vulnerabilities is an honest but stressed (project) manager saying “We’re really late. Get it out. Get it out!”

      Regrettably, if it ‘works’ it’s quite hard to argue against, unless there is some security certification system in place. Preferably a 3rd-party system so upper management can’t nobble them.

      1. The only reason the infotainment systems are connected to the CAN bus, is that it saves money in the short term. They don’t need as many different connections and protocols to offer integrated solutions like steering wheel controls and remote starter and locks.
        The problem is that these systems shouldn’t be connected, let alone because it was easier that way.
        I don’t think that there is a legitimate reason for the head unit to be connected to the same bus as ANY other critical computer systems. Just look at OnStar, with twisted links into every single vehicle system. They have been dealing with vulnerabilities for everything for years.

        1. There’s only so many input devices in a car and only so many display devices. You should stop thinking of the car as a series of interconnected bits and start thinking of it as an integrated computer.

          There are plenty of reasons critical and non-critical systems benefit from sharing a bus. The focus should not be on segregation but rather fixing the fundamental flaw that is: car companies don’t understand security. Just like on a PC, isolating the network isn’t security either.

    3. The only real way to get these companies to move is for someone to use the hack in a way that can cause a lawsuit. While I’m sure the ToS when you buy the car deny liability, it won’t be hard to convince a jury of manufacturer negligence if a family dies in a car hacked because of piss-poor security. Lawsuits, bad PR and killer car hysteria will make the company at least try to look like they’re doing something resembling responsible.

        1. First pen testing of a new model should be done at 140 with a roster of top company heads, marketing and engineers; you can even throw in a few investors in the trunk for good measure.

      1. Easy! Car ransomware. Just imagine if every Jeep affected spread a virus amongst themselves that would transmit to x number of cars, and once a threshold has been reached, the next time the car is parked it locks up the ECU. Therefore no risk of loss of life but a shit tonne of bad publicity.

        I actually hope someone does that, the only way to get corporations to change their ways is to hit them where it hurts.

        Look at VW’s push for electrification after dieselgate.

  2. FCA might not condone it, but everyone who drives a car should! It’s the only way to hold the car companies responsible for the security of their products. Maybe car companies will start thinking about the security implications of new features in their ROI calculations for those features.

    Security through obscurity is BS

    It is only a matter of time until self replicating ransom-ware is released into the wild. Self driving vehicles will not be feasible until security is taken seriously.

    1. > Self driving vehicles will not be feasible until security is taken seriously.

      But I was driving to _____ store to make my purchases. How did I end up:
      – at their competitor’s store?
      – down at the beach?
      – out in Death Valley?
      – down this alley where there’s guys with guns?

      1. It clearly depends on how people use their navigation systems (although nobody should trust a “blackbox”). I either get it to show a map and select a destination point, or by typing its address. The POIs mostly appear as small icons on the map (and it’s so far from complete that most navigation device manufacturers allow people to build and publish their own POI lists).
        I would understand how an address database could be hijacked, so driving to absolute coordinates leaves less room for hijacking (unless the maps are offset like in China).

      1. It’s next to impossible to hack the critical systems of the car REMOTELY (obviously if you have physical access it’s yours for the taking) if the infotainment and other bullshit is NOT connected in any way or form to said critical systems… the only way to touch said systems then is to physically touch the car :P
        The solution is simple – stop putting shit on the internet!

        1. If you read the Jeep exploit dump, you will see that remote hack is exactly what they accomplished, through a combination of an open port on the Sprint network, the fact that the radio “head unit” has access to all the radio services and both CAN buses, and the fact that they found a way to re-flash the firmware in the radio unit to bridge the wall that had been engineered between the radio and CAN systems. While the particular exploits they disclosed have been patched, their point is that many others probably remain to be found by suitably determined hackers.

          1. Isn’t that AKA’s point? That the only reason a remote attack is possible is because the infotainment stuff is connected to the critical car systems?

        1. THIS! That, and you don’t need systems that control the physical motions of a car connected to the Internet. The radio does not need to be connected to the ECU or BCM. Being able to unlock your car from your smartphone is nothing more than a flashy gimmick that does nothing but increase the attack surface. The problem is that most consumers are oblivious to the security implications of such features and the car companies are more than willing to take advantage of that situation in order to sell a few more cars. This is why I find FCA’s reply so laughable: instead of taking the problem seriously they are blaming the people who are trying to help, which in today’s society is SOP for any corporation. Make profits now, worry about consequences later. This is also why computer security is such a joke; corporations and the people that run them are more interested in this quarter’s profits than the lives they might endanger next year (after all, the CEO has that nice big golden parachute and the next CEO can deal with the fallout).

          Even in self-driving cars there really should be no need for the radio or any other outside connections to directly influence the physical motions of the car. I can understand traffic data will be important for a self-driving car as outside input and that that data can be spoofed, but that data should only be used for route planning and not immediate movements. As well, I understand that physical sensors can be spoofed and hacked, but serious efforts must be made to reduce the attack surface, and as such personal devices should never be allowed to interact with the control network. Input sanitization should be the first thing on the list for the automotive companies, but I don’t have high hopes; after all, in this day and age there are still DB admins that don’t sanitize their inputs.

          1. Mike, I’m going to borrow this line from you A LOT: Being able to ________ from your smartphone is nothing more than a flashy gimmick that does nothing but increase the attack surface.

            Little more needs to be said after that. The one thing a Smartphone *should* do that it doesn’t do very well is make phone calls.

          2. So, uh, how do you auto-update to fix problems without an intern-

            I just realized that electric cars could be set up so the charge cable can carry data, that way it checks for updates when you’re going to be leaving the car unattended for an hour+ anyway. So, uh, yeah, there really is no reason at all for any system providing any kind of input to car’s route planning or controls to be connected to the internet in any way shape or form.

          3. @Blue Footed Booby: That’s easy: it shall not auto-update. It shall not make any data connection on its own, and I want to decide that and when I want to update. Since the Windows 10 malware (*) distribution efforts from Microsoft I disabled auto-update on my private computers.
            *) Yes, I consider Windows 10 malware. Microsoft tried to nag, force and mislead the user to install it and it “phones home”. On my mother’s PC a starting (but later terminated) Windows 10 infection even disabled the backup settings, which could only be restored by deleting an XML config file. And the reason for all this was that MS made misleading dialog boxes, where “No” also started the installation process. I think the question was basically “install it later”. If you said “no” it started the install immediately. Of course my >70yr old mother did not know that she should have just closed the dialog with the “X”.
            And the idea from Microsoft to deny all updates for Windows 7 on modern CPUs is another try to press people to Win 10.

            NO!

            And so I definitely do not want automatic updates with unknown side effects in my car. And no “OnStar” or other monitoring.

          4. Being able to make a simple phone call from your smartphone is nothing more than a flashy gimmick that does nothing but increase the attack surface.

    2. After this weekend, I bet that releasing any kind of exploit info will get you on a list at the least, and a bunch of interviews and confiscations or worse, depending on where you are.

  3. None of my vehicles presently have any connection between its EFI and anything connected to the internet, except when I do repairs with an ELM 327, and if I buy one with this “feature” I’ll just disable it by not getting the online service and disconnecting the cellular modem.

      1. I went ahead and downloaded it all.
        On a more constructive note I wonder if we could get an open source equivalent of a tech 2 tool out of this as a lot of modern cars need an expensive tool just for things such as replacing a crank sensor or throttle?

        1. I was just thinking the same thing; we really need an alternative to StarScan for various FCA products. It’s an expensive trip to the dealer to enable a “feature” every time you add something stupid like the harness to get the rear window wiper to work on the hard top in the Wrangler.

          Ford has Forscan, VW has Vag-Com, but nothing for Jeep nuts (and we by far are one of the largest car cults).

          1. Hahaha, I never thought about the innuendo, that’s great. Having used the previous two software packages, I can say that the VAG didn’t like Forscan, but I’m sure would love JeepNuts.

  4. I bought my car, a Chrysler 300S (2012), specifically for the year. It was mid/late 2013 when Chrysler (Jeep, et al.) incorporated a cellular modem/wifi into the cars (and thus allowed this hack remotely). I purposely also have a multi-purpose readout plugged into the OBDC — I think I would notice a local hack. :). There is no remote uplink to my car.

    * caveat – I have no efin’ idea what to buy next.

        1. Well, PC police would probably jump over the name, but I think back to “Ghost in the Shell” and what they referred to as “autistic mode” where they have a setting to disconnect ALL network functions.

        1. No! The most useful feature of a car is that you can drive with it. A handsfree unit for the telephone is the only wireless/bluetooth thing that I want in the car. But it shall not do any communication on its own.

    1. 2016 chevy: disconnected the antenna, the truck decided it can’t be started. I am not sure what is next, but I have a few things on the docket including cell-jamming. The power requirement is well below interference with anything else when the radiator is only 20mm from the receiver. Won’t stop the truck from sending, but it won’t receive anymore.

      1. False, sorry, but that just isn’t true. No data lines connect to the antenna.. ’course disconnecting a module such as the VCIM (OnStar module) could easily disrupt the high-speed LAN.. not sure what you think you unplugged, but disconnecting the antenna on a Silverado will not turn it into a no-start.. that’d be a wrecker driver’s dream, lmao.. oh, your truck doesn’t start, luckily I just happened to be driving by..

      2. That makes no sense. Are you trying to tell me that this truck won’t start in a tunnel, Death Valley (and many parts of the Southwest), large parts of Hawaii and Alaska, that have no wireless service at all?

        1. Perhaps it noticed something like a huge VSWR mismatch. Of course, for the reasons you listed, that also must not lead to a no-start issue. Connecting a nice 50 Ohm dummy load should solve the issue anyway. If the car looks for an active antenna with some specific current consumption, a separate DC path could be necessary.

      1. Nothing against bikes, if they have a decent motor, gas powered or electric. The disadvantage of a train is that my destination rarely lies at a train station. Therefore I prefer a car.

  5. Arpanet was supposed to increase safety of comms against the nuclear attack. And look where we are now. A single script kiddie copying an existing worm can affect millions.

  6. FCA has had over a year to fix things, and have actually made it worse – then they complain that the public is informed? Do it right the first time and hire people like this to discover problems BEFORE releasing your product and you won’t get bad press.

    It’s same issue with this IoT plague… they need a swift kick in the ass to take security and the ethics thereof seriously.

    1. Personally I think if you have an IoT device as dangerous as a car can be it should have to be penetration tested by an independent panel of 3rd parties. In other words pay elite hackers to find bugs etc before release but they don’t work for any single manufacturer. Our lives are at risk with hacks like these. While I do find them amazing and love reading about them. They also scare the shit out of me.

      1. A car should never truly be an IoT device, much like power grid equipment, airplanes, and assembly line robots should not be connected to the Internet.
        Idiots in marketing decided connected is a good buzz word to sell new cars while most of the engineering probably thought it was a bad idea.

    2. I think what Fiat brought to Chrysler is at best questionable.
      They used to make all their own transmissions now some have the ZF9 which is such a bad design it has killed people.

  7. I wonder if the release has something to do with yesterday’s worm being the result of NSA hoarding exploits.
    It’s not out of the realm of possibility EternalBlue was Charlie Miller’s SMB work (he did both work full-time and contracted for NSA).

  8. Ok, so it seems for most of this that CAN bus access is required, which ok, I can rationalize as being acceptable (bigger problems if they have access to the interior). What I don’t get is why the computers for the engine are not isolated at the hardware level from the infotainment system. Have it as read-only with an intermediary chip that can only send select queries into the secure engine bus; then even if the infotainment is compromised, which one will assume it is, the car cannot be completely controlled.

      1. I really hate to admit it, but this has a certain logic to it. Argh. Probably another case where marketing fell in love with an idea and ignored the moanings of engineers who unanimously declared it a bad idea.

    1. You don’t think the CAN bus is only inside the car do you? You might want to take a look at how say the trailer brakes work on some pickups and SUV. Likewise there are likely other CAN based sensors accessible for someone willing to crawl around a bit.
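As an added illustration of the gateway design proposed in comment 8 above (this is example code written for this page, not code from the article, the commenters, or the researchers' release): a default-deny filter between the infotainment side and the powertrain bus that forwards only well-formed, read-only OBD-II PID requests and drops everything else. The allowlisted PIDs and the sample frames are constructed; the arbitration IDs and service numbers are the standard OBD-II/UDS ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit CAN arbitration ID
    data: bytes   # 0..8 payload bytes


# Standard OBD-II functional request ID; service 0x01 = "show current data".
OBD_FUNCTIONAL_REQUEST_ID = 0x7DF
ALLOWED_SERVICES = {0x01}
# Hypothetical allowlist of PIDs a head unit legitimately needs: engine RPM, vehicle speed.
ALLOWED_PIDS = {0x0C, 0x0D}


def is_allowed(frame: CanFrame) -> bool:
    """Default deny: only a well-formed read-only PID request passes the gateway."""
    if frame.arb_id != OBD_FUNCTIONAL_REQUEST_ID:
        return False                   # physically addressed or raw bus frames never cross
    if not 3 <= len(frame.data) <= 8:
        return False                   # malformed: a PID request needs length+service+PID
    length, service, pid = frame.data[0], frame.data[1], frame.data[2]
    if length != 2:
        return False                   # ISO-TP single frame must carry exactly service+PID
    return service in ALLOWED_SERVICES and pid in ALLOWED_PIDS


def gateway(frames):
    """Split infotainment-side frames into those forwarded to the powertrain bus
    and those dropped; dropped frames are what a defender would log and alert on."""
    forwarded, dropped = [], []
    for f in frames:
        (forwarded if is_allowed(f) else dropped).append(f)
    return forwarded, dropped


# Constructed sample traffic as seen on the infotainment side of the gateway.
SAMPLE_FRAMES = [
    CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),        # RPM request: forward
    CanFrame(0x7DF, bytes([0x02, 0x01, 0x0D, 0, 0, 0, 0, 0])),        # speed request: forward
    CanFrame(0x7DF, bytes([0x02, 0x01, 0x05, 0, 0, 0, 0, 0])),        # coolant temp: PID not allowlisted
    CanFrame(0x7DF, bytes([0x04, 0x2E, 0x01, 0x23, 0xFF, 0, 0, 0])),  # UDS WriteDataByIdentifier: drop
    CanFrame(0x7E0, bytes([0x02, 0x10, 0x02, 0, 0, 0, 0, 0])),        # physical DiagnosticSessionControl: drop
    CanFrame(0x123, bytes([0x00, 0x64])),                              # raw non-diagnostic frame: drop
]

if __name__ == "__main__":
    fwd, drop = gateway(SAMPLE_FRAMES)
    for f in drop:
        print(f"DROP id=0x{f.arb_id:03X} data={f.data.hex()}")
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
```

The point of the allowlist is that a compromised head unit can still ask for dashboard values but cannot open a diagnostic session, write to an ECU or inject arbitrary control frames, and every refused frame is evidence for detection.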

  9. “FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with”

    Corp shouldn’t be capitalized, and should be “Cherokees” not “Cherokee’s” unless you’re talking about something that belongs to the Cherokee (The Cherokee’s engine, for example)

    “the dump includes a lot of background for vehicles by multiple manufactureres. ”

    manufacturers

    1. Good to know, I’ll forever remember this comment and completely ignore it for all eternity. I care about hacks; so long as it’s readable I don’t give two shits, to be honest. If you like grammar so much, perhaps find a grammar site instead, as I’m sure I will constantly piss you off.

        1. And I will forever laugh at those who try to impress others on web forums with how smart they are – who can’t even be bothered to learn their own language.
          Try reading a book or a few. If you can’t communicate, it doesn’t matter what you have to say.

  10. My answer to FCA :
    Under no circumstances do we condone or believe it’s appropriate to overlook system security that would potentially allow a hacker to gain unauthorized and unlawful access to vehicle systems, nor to ignore any request to harden these systems or fail in doing so.

    Think whatever you want, I had my word.
