Blue Line


October 5, 2015  By Corrie Sloot

Just imagine driving down the highway at better than 100k when your vehicle suddenly begins behaving as if it’s got a mind of its own.

The air conditioning switches to Max and starts blasting cold air on the highest fan speed. The radio suddenly changes stations and goes to full volume. The wipers turn on and the washer starts spraying. You try turning things off but nothing works.

Just as you’re coming to terms with all of this, the transmission slips into neutral and you rapidly begin losing speed. Following traffic begins passing your suddenly unresponsive and seemingly possessed vehicle. If all that wasn’t enough, the infotainment system screen displays a picture of the hackers causing the strange behaviour.

You manage to pull off the highway and safely stop and wonder “what the #%&! just happened?”


Surprise, your vehicle was just wirelessly hacked by a couple of guys sitting in their basement more than 15km away!

Think this sounds far-fetched? It’s not, as it was actually done in July 2015 near St. Louis as a proof of concept by a pair of security researchers working in conjunction with a writer for Wired magazine.

{Zero-day exploit}

As the automotive industry works feverishly to connect vehicles to the Internet and users’ smartphones to the increasingly sophisticated vehicle infotainment systems, security concerns continue to mount.

Part of the problem is that many vehicle-based Internet-connected services are fee based, so the car companies generate a fair bit of monthly cash from subscribers. In their rush to create new and improved services (and revenue streams), they may not be paying enough attention to security.

After years of research into hacking automotive computers, the security researchers discovered a “zero-day exploit” in the Uconnect infotainment system installed in many Fiat-Chrysler products, including the Jeep Cherokee they used for this demonstration.

A zero-day exploit is a flaw in a computer program that allows malicious software to enter and engage in unauthorised activities on a device, typically a computer, but also embedded systems such as Uconnect. It gets its name from the fact that the software author has zero days left to fix the problem, because someone has already found and is exploiting it.

Using the vehicle’s Internet connection over the Sprint cellular network, the researchers gained access to the Uconnect system through IP Port #6667. They then ran a program that rewrote the firmware in the system to give them wide-ranging access to the Controller Area-Network Bus (CAN-bus) system that controls and monitors almost all of a modern vehicle’s mechanical and electronic parts.

The CAN-bus system is a network of microcontrollers and devices that can communicate directly without needing a computer to act as a host. Originally developed by Bosch, it has been used since 1987.

The system also communicates directly with the Engine Control Unit (ECU), commonly referred to as the vehicle’s “computer,” which controls and monitors most of the mechanical and electronic parts.

The ECU in the Jeep runs the market-leading QNX Neutrino Operating System (OS), which can be found in upwards of 60-million vehicles and other machines around the world.

There was some early and unfounded speculation that QNX was somehow vulnerable or at fault, although this was not the case.

QNX, a division of BlackBerry, wrote on its Fact-Check blog that “In this particular case the vulnerability came about through certain architecture and software components that are unrelated to the QNX Neutrino O/S”.

The zero-day exploit was effectively an unlocked side-door to the entire system.

{Previous attempts}

Prior to this proof-of-concept demonstration, the two researchers hacked a Ford Escape and a Toyota Prius purchased in 2013 as part of a US Defense Advanced Research Projects Agency (DARPA) grant to study the issue. The Wired magazine writer participated then too, although in those previous tests, the researchers were hard-wired into the vehicles’ computers through the Onboard Diagnostics (OBD-II) port.

In those tests they disabled the brakes, manipulated the steering, tightened the seatbelt and blew the horn.

To get to that point they spent a year physically and electronically disassembling the two test cars to completely understand how everything worked and interacted. They also obtained mechanics’ accounts for every major automaker so they would have access to technical manuals and wiring diagrams.

From their initial research they determined that the Jeep Cherokee was the most “hackable” of the 24 vehicles they had short-listed. Other models with serious vulnerabilities included the Cadillac Escalade and Infiniti Q50.

They were able to control the brakes, engine and other less critical functions in the Jeep but, strangely enough, could only take over steering when the vehicle was in reverse.

The researchers indicated that the vulnerability is present in all Fiat-Chrysler vehicles produced from late 2013 through to early 2015 model years.

Other researchers from the University of California at San Diego and University of Washington demonstrated in 2011 that they could wirelessly control the brakes of a vehicle and disable its locks. They shared their research only with the affected automakers.

{Patch that}

Fortunately, the Jeep-hacking researchers were working in conjunction with Fiat-Chrysler for about 9 months. The company developed a software patch prior to the public disclosure of the vulnerability and recalled 1.4 million vehicles.

The DIY patch can be downloaded by vehicle owners and installed in 30-45 minutes using a USB key or they can have the dealer handle it free of charge.

{Trolling for victims}

Because the hack is made possible through the vehicle’s cellular connection, the researchers were also able to track the hacked vehicle, receiving precise GPS coordinates. Additionally, once they had access to the system they could obtain the VIN, brand, model and Internet Protocol (IP) address of the Uconnect system.

While demonstrating to the Wired magazine writer, they were able to identify a number of Chrysler vehicles being driven around numerous areas of the US, often hundreds or thousands of kilometers away.

Locating a specific victim is a bit more complicated, although a little discreet surveillance could net a hacker the VIN of a target vehicle. Using the researchers’ system, they could then wirelessly find the vehicle and arrange an “accident” by a number of means.


US lawmakers have already created legislation imposing more responsibilities on automakers to prevent this from becoming widespread. Automakers have also hired personnel to combat such vulnerabilities.

The cofounder of security industry organization ‘I Am the Cavalry,’ which is focused on securing Internet-of-Things (IoT) objects such as vehicles and medical devices, is helping to develop recommendations for automakers. These include: better system design to reduce access points for attacks, internal monitoring systems to detect intrusion attempts, segmented software architecture that limits how far an intrusion can go, regular software and firmware updates for the systems (as is done with computers) and third-party testing.

Many companies have already implemented automatic over-the-air (OTA) updates to systems and features in their vehicles.

While this is a whole lot more complicated than it may seem, the potential is there for all sorts of serious and potentially fatal problems.

A disenfranchised programmer, terrorist group sympathizer or sleeper-agent working for one of the car-makers could create havoc by deliberately adding a zero-day exploit and then later implementing an attack on one (or thousands) of target or random vehicles simultaneously. This could include public safety vehicles.
