Car hacking is not only a “thing,” it's a thing that’s still in its early days, and because there’s the potential for exploits with serious and quite possibly life-threatening consequences, automotive cybersecurity is something we should all be very concerned about.
Just imagine your own car traveling at speed and having your ability to steer, alter speed, and brake, taken away and then being ransomed to regain control.
Think this impossible? Last year, Wired wrote about a couple of hackers remotely disabling a Chrysler Jeep Cherokee while it was heading down a freeway at 70 miles per hour. The hackers, Charlie Miller and Chris Valasek, revealed more details in a subsequent presentation at Black Hat USA 2015 a month later. It turns out that their first point of entry into the Jeep’s control system was via the Wi-Fi service of the vehicle’s multimedia system. Sadly, cracking its security wasn't that hard:
… they used a 2014 Jeep Cherokee that was equipped with a Harman-Kardon “head unit” that controls the central display and entertainment system. Initially, they hacked this unit through Wi-Fi (the unit provides a Wi-Fi hotspot for passengers to use), but soon were able to tap into it through its cellular connection, which goes over Sprint’s wireless network.
The hackers then connected from the head unit to the car’s CAN bus (the command and control system used in many modern vehicles) via another device, a V850 processor, which was configured only to listen to CAN bus traffic. This, however, didn’t stop the hackers because the processor wasn’t configured to be secure, so they were able to reflash its operating system so that the processor could both send and receive CAN bus messages; thus they:
… had full access to the car’s CAN bus and thus could manipulate almost everything—locks, brakes, transmission, even take control of steering at low speeds.
The subsequent paper by Miller and Valasek, Remote Exploitation of an Unaltered Passenger Vehicle, goes into even more detail on how the hack was engineered, and they note:
The Harman Uconnect system is not limited to the Jeep Cherokee, and is quite common in the ChryslerFiat line of automobiles and even looks to make an appearance in the Ferrari California! This means that while the cyber physical aspects of this paper are limited to a 2014 Jeep Cherokee, the Uconnect vulnerabilities and information is relevant to any vehicle that includes the system. Therefore the amount of vulnerable vehicles on the road increases dramatically.
After the Wired article, Fiat Chrysler engineered a patch for the system and Sprint blocked cellular IP access, but the Wi-Fi access vulnerability still remained in roughly 1.4 million Fiat Chrysler vehicles. The affected models were:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger Sports coupes
Despite Fiat Chrysler issuing a recall last year, there are still millions of cars on the road that haven’t been patched, and while no immediate threats have been identified or exploits seen “in the wild,” the vulnerability should still be a serious concern to car owners.
Should you want to know more about automotive hacking, you might like to check out the recently published The Car Hacker’s Handbook: A Guide for the Penetration Tester by Craig Smith.
This is a practical “how to” tome that’s highly detailed, well-written, and not just a little scary. As you work your way through the book you’ll learn the intricacies of the CAN bus, the protocols used, the systems and subsystems involved, the attack surfaces presented, and the tools you’ll need to do things that you can be certain car and truck manufacturers don’t want you to be able to do.
Is this book a good idea? Absolutely! As the book’s foreword says:
“The world needs more hackers, and the world definitely needs more car hackers. We’re all safer when the systems we depend upon are inspectable, auditable, and documented—and this definitely includes cars.”
Concern about automotive cybersecurity has been expressed by the Federal Bureau of Investigation. In March, this year, the FBI, in conjunction with the Department of Transportation and the National Highway Traffic Safety Administration, issued a Public Service Announcement, MOTOR VEHICLES INCREASINGLY VULNERABLE TO REMOTE EXPLOITS, in which they explained:
As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles. The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.
On the legislative front, in April this year, the Michigan senate introduced Senate Bills 927 and 928 that would make it a felony to “intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle” and, if convicted, offenders would face life in prison. The bills are in process but whether they’ll pass remains to be seen.
So, you should be in no doubt that automotive cybersecurity is an emerging and serious threat but for as much press as it’s had, we’d do well to pay a lot more attention to the issue. And we need to demand a lot more assurance and proof of safety from vehicle manufacturers because if left to their own devices, they’ll do what they can (or, to be cynical, what they can be bothered to do) to make high tech cars safe. That said, without the goad of hackers testing their products, whatever they do won’t be enough.
Hack on, people, hack on.