Last year we told you about a pair of researchers in St. Louis (Charlie Miller and Chris Valasek) who had managed to hack into their Jeep Cherokee remotely and wreak havoc on its systems. The good news is that the wireless exploit that they used at the time — which they themselves reported to Fiat Chrysler Automobiles (FCA) — has been patched. They have, however, shown that car hacking can be so much worse than what they demonstrated a year ago. Their research has allowed them to affect steering, emergency braking, and acceleration on their patched Jeep.
If there is other good news to be had, their current exploits require that they be in the vehicle, with their laptop attached directly to the car’s internal network, or CAN bus. They were quick to point out, however, that had someone else discovered their wireless exploit from last year and kept it a secret, these additional hacks could have absolutely been executed remotely. They also worry that someone may find a new wireless exploit, and if their new hacks are not patched, any future exploit could cause all sorts of trouble. Their goal is to keep the auto industry one step ahead of hackers, and keep them thinking about different ways that their vehicles could be attacked.
So how did they hack their Jeep this time? The quick/dirty version is that they convinced the car’s computer to execute actions contrary to its own safety programming. From Wired:
Instead of merely compromising one of the so-called electronic control units or ECUs on a target car’s CAN network and using it to spoof messages to the car’s steering or brakes, they also attacked the ECU that sends legitimate commands to those components, which would otherwise contradict their malicious commands and prevent their attack.
Here’s what having your steering compromised looks like from the inside of the car:
Now imagine that happening at highway speeds on a busy road with an unsuspecting driver and the results would be truly devastating. That is the kind of event that Miller and Valesek want to avoid. FCA, for their part, is downplaying their results. In an excerpt of their statement — which can be read in full at the bottom of this article — they say:
This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle. While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.
What Miller and Valesek want to impress upon FCA and other automakers is that at some point another wireless hack will come along. If these vulnerabilities are still active on the vehicles when that happens it will be very bad for everybody.
Wired has a very thorough breakdown of the entirety of the hack, and I’d recommend checking out their article when you have an opportunity.
What do you think about the increasing number of vulnerabilities that have been found here? Tell us what you think in the comment section below, or on Google+, Facebook, or Twitter.Source: Wired
FULL FCA Release
FCA US LLC Statement: Miller/Valasek Research
Charlie Miller and Chris Valasek recently shared a draft copy of their 2016 automotive cybersecurity paper with FCA US LLC. Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.
It is also important to note that in regards to this media demonstration:
- The exploits demonstrated require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle.
- This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle
- The risk of remote control through a third-party device is greatly reduced, if the device plugged into the OBD port is provided by a trusted source. Vehicle owners should check with the security policies of the third-party provider and not connect any unknown or untrusted devices to the OBD port. Some of these third–party devices have been found to have little or no security
- The OBD port on the vehicle, which is mandated by the government to remain accessible to vehicle owners, auto-repair facilities, and other third-party service providers, can only be physically accessed from within the vehicle cabin. This requirement is common to all OEM’s products sold in the U.S.
- It should be noted that the remotely exploitable vulnerability identified in the researchers’ work last year was eliminated at that time with the security enhanced software that the Company deployed
- Based upon FCA US records regarding recalled vehicles, the demonstration vehicle was updated with the security enhanced software that was deployed last year as part of a voluntary safety recall. The demonstration vehicle appears to have been altered back to an older level of software. It is highly unlikely that this exploit could be possible through the USB port if the vehicle software were still at the latest level
Under no circumstances does FCA US condone or believe it’s appropriate to disclose “how-to information” that would potentially encourage, or enable individuals to gain unauthorized and unlawful access to vehicle systems. The Company continues to caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.
Further, in the interest of public safety, FCA US launched a bug bounty program through Bugcrowd, to provide a forum for all cybersecurity researchers to responsibly disclose vulnerabilities to the Company and provide financial reward for such disclosure. Researchers may visit https://bugcrowd.com/fca to learn more and join the program. FCA US will continue to enhance the security of its vehicles on an on-going basis.
As always, the safety of our customers and their confidence in our products remains our primary concern. If customers experience unusual vehicle behavior, we encourage them to take their vehicle to the nearest authorized dealer immediately or call the FCA US Customer Care Center at (800) 523-7791.
For more information, customers should also review the section on Cybersecurity in the owner’s manual for their FCA US vehicle.