When purchasing your next car, you face many options. You want a good price, but also good gas mileage and perhaps an entertainment system for the kids in back.
But for Dr. Charlie Miller of Twitter and Chris Valasek, director of vehicle security research at IOActive, the main criterion is whether or not the car is a likely candidate to be hacked. In particular, they said they were interested in cars that would be more susceptible to remote hacking.
Work done previously by Professor Stefan Savage along with graduate students from the University of Santa Barbara and the University of Washington used the Onboard Diagnostic port to control a car. Last year Miller and Valasek used internal wiring to gain control of their test cars. This year the pair said they wanted to take a step back and look at how cars in general communicate internally as a predictor of hacking candidates in the future. Modern cars contain Electronic Control Units, or ECUs (up to 70 ECUs are common in the average new car), and these discrete embedded systems communicate over a Controller Area Network, or CAN bus.
There are three things that have to work in a remote attack on a car. The remote attack has to reach the ECU, the ECU then has to talk to a physical component such as a brake, and that physical component has to respond, such as actually stopping the wheel. This, they said, doesn't always occur. For example, it might be possible to get an attack through the Bluetooth stack to the ECU, but no further. It depends on what features are in the car and how the car was designed.
Ranking lowest to highest, the Passive Anti-Theft System, or PATS, is not an effective attack vector because it is limited to the ignition key area of the car and only has a range of a few millimeters. The Tire Pressure Monitoring System, or TPMS, doesn't transmit a lot of data and also lacks range. Remote Keyless Entry, or RKE, works across a couple of meters, but again doesn't supply a lot of data.
The first viable attack surface is Bluetooth, they said, especially in the post-pairing period when the connected device itself has rich data. Next on the spectrum of attack vectors is the AM/FM radio, specifically the Radio Data System which displays the name of the artist and song playing.
The best vector is the telematics/cellular/WiFi hotspot combination. Of specific concern is the rise of in-car browsers associated with these systems, if only because HTML and cross-site scripting attacks are well understood. More people today know how to attack a web app than know how to attack a vehicle, they said.
Rather than buy all these new cars, Miller and Valasek scanned the Internet for mechanical schematics, and the result is a 92-page report to be released within the next few days. In it they map out the CAN systems and electronic features for a variety of makes and models of cars. The point, they said, is to show whether the communication from the attacker would be a direct hit or indirect, and therefore possible to stop.
At Black Hat, Miller and Valasek also announced a device (really a set of algorithms, but they put them on a board to look cool) that could learn the normal communications of a car and then block anything outside that norm. Such a system, they said, would shut down communications with the CAN bus when necessary and allow the car to pull over safely. In a video the device worked within a few seconds of activation.
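The learn-then-block idea can be illustrated with an added example; it is not Miller and Valasek's code, which this article does not reproduce. The detector below profiles each CAN arbitration ID during a learning phase (which data lengths it carries and how often it appears) and afterwards flags frames from unseen IDs, frames with an unexpected length, or frames arriving far faster than the learned minimum interval. All frames, IDs and timings are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class CanFrame:
    ts: float       # receive timestamp in seconds (constructed)
    arb_id: int     # 11-bit CAN arbitration ID (constructed)
    data: bytes     # payload, 0..8 bytes

@dataclass
class IdProfile:
    dlcs: set = field(default_factory=set)   # data lengths seen for this ID
    min_gap: float = float("inf")            # smallest inter-arrival time seen
    last_ts: Optional[float] = None          # timestamp of last accepted frame

class CanAnomalyDetector:
    """Whitelist-style CAN monitor: learn a baseline, then flag deviations."""

    def __init__(self, gap_tolerance: float = 0.5):
        # A frame is a rate anomaly if it arrives sooner than
        # gap_tolerance * (learned minimum gap) after the last accepted one.
        self.profiles = {}
        self.tolerance = gap_tolerance

    def _observe(self, frame: CanFrame) -> None:
        p = self.profiles.setdefault(frame.arb_id, IdProfile())
        p.dlcs.add(len(frame.data))
        if p.last_ts is not None:
            p.min_gap = min(p.min_gap, frame.ts - p.last_ts)
        p.last_ts = frame.ts

    def learn(self, frames: List[CanFrame]) -> None:
        """Build per-ID profiles from known-good traffic (sorted by time)."""
        for f in sorted(frames, key=lambda fr: fr.ts):
            self._observe(f)
        for p in self.profiles.values():
            p.last_ts = None    # reset timing state before live monitoring

    def check(self, frame: CanFrame) -> Optional[str]:
        """Return a reason string if the frame deviates from the baseline."""
        p = self.profiles.get(frame.arb_id)
        if p is None:
            return f"unknown-id: 0x{frame.arb_id:03X} never seen during learning"
        if len(frame.data) not in p.dlcs:
            return f"dlc: length {len(frame.data)} unexpected for 0x{frame.arb_id:03X}"
        if p.last_ts is not None and p.min_gap != float("inf"):
            gap = frame.ts - p.last_ts
            if gap < p.min_gap * self.tolerance:
                # Do not update last_ts: injected bursts are judged against the
                # last legitimate frame, so genuine periodic traffic stays clean.
                return f"rate: 0x{frame.arb_id:03X} arrived {gap*1000:.1f} ms after previous"
        p.last_ts = frame.ts
        return None

def build_normal_traffic(duration: float = 1.0) -> List[CanFrame]:
    """Constructed baseline: 0x1A0 every 10 ms (8 bytes), 0x2B0 every 50 ms (4 bytes)."""
    frames = [CanFrame(i * 0.010, 0x1A0, bytes(8)) for i in range(int(duration / 0.010))]
    frames += [CanFrame(i * 0.050, 0x2B0, bytes(4)) for i in range(int(duration / 0.050))]
    return frames

# Constructed live capture: one injected burst, one malformed frame, one unseen ID.
LIVE_FRAMES = [
    CanFrame(2.000, 0x1A0, bytes(8)),   # normal
    CanFrame(2.001, 0x1A0, bytes(8)),   # injected 1 ms after the real one
    CanFrame(2.010, 0x1A0, bytes(8)),   # normal, on schedule
    CanFrame(2.020, 0x1A0, bytes(2)),   # wrong payload length
    CanFrame(2.030, 0x7DF, bytes(8)),   # ID never seen in the baseline
]

def run_live(detector: CanAnomalyDetector, frames: List[CanFrame]) -> List[Tuple[float, int, str]]:
    """Feed frames through the detector and collect (ts, id, reason) for anomalies."""
    alerts = []
    for f in frames:
        reason = detector.check(f)
        if reason is not None:
            alerts.append((f.ts, f.arb_id, reason))
    return alerts

if __name__ == "__main__":
    det = CanAnomalyDetector()
    det.learn(build_normal_traffic())
    for ts, arb_id, reason in run_live(det, LIVE_FRAMES):
        print(f"t={ts:.3f}s id=0x{arb_id:03X} {reason}")
```

A real implementation would also need to decide what to do on an alert (the article describes cutting the bus and letting the car pull over), and it would need a learning set long enough to cover every driving mode, since any legitimate message absent from the baseline will be flagged.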
The highlight of the talk, however, was a jailbreak of Miller's Jeep Cherokee. Like a lot of auto manufacturers, Jeep asks its customers to download updates onto a USB stick, which is then inserted into the Jeep and installed following onscreen dashboard prompts. Miller said he first tried to pull the legitimate USB stick out during the authentication process, but the Jeep responded with an error. However, once the USB stick had been authenticated and the file upload had started, Miller was able to swap out the USB stick. Now when he starts his Cherokee he sees a caricature of himself and Valasek on his dashboard screen.