In-brief: Researchers Chris Valasek and Charlie Miller are demonstrating wireless attacks on connected vehicles that can alter critical functions like braking and acceleration. (Added comments from Chris Valasek July 21, 2015 12:15 ET)
Two years after they demonstrated that they could use a computer to override a car’s navigation and braking systems, researchers Chris Valasek and Charlie Miller are demonstrating the same kinds of attacks, this time delivered wirelessly to a connected vehicle.
As reported by Wired’s Andy Greenberg, the two researchers have developed attacks against the software systems that power late-model vehicles including a 2014 Jeep Cherokee. The researchers plan to unveil a remote exploit of Chrysler’s Uconnect connected car platform that can also be used to jump to the vehicle’s CAN bus – or internal network – and from there to systems that manage the operation of the engine, braking and other critical functions. Attackers would only need to know the IP address of the vehicle to control it, wirelessly, from anywhere in the country, the researchers told Wired.
Wired released video of Greenberg driving a Cherokee on an interstate highway and at the mercy of Valasek and Miller. In the video, the two researchers bombard the passenger cabin with loud music, blur the windshield with wiper fluid and – worryingly – force the car to decelerate. In another demo, the two showed how their attacks can control the car’s steering or tamper with its brakes.
Miller and Valasek’s attack relies on rewriting the firmware for the chip that powers the vehicle’s entertainment system, then sending commands through the car’s internal computer network to other components such as the engine and wheels. The attacks would work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015, they said.
In an interview with Security Ledger Tuesday, Valasek said the demonstration represented more than a year’s worth of research. Miller had demonstrated a compromise of the head unit on the Jeep at last year’s Black Hat briefings. But the two spent months perfecting a method that allowed them to send commands from the head unit to the CAN bus, which runs on a separate processor.
“We had to compromise and reprogram the CAN bus processor to do that and it took us months to do it,” said Valasek.
Still, he said the challenges the two faced were due more to the newness of the platform than any security features built into it. The Jeep provides little separation between entertainment systems and critical car functions, he said. And their hack did not require any additional hardware to be added to the Jeep. “This is a car right off the showroom floor,” Valasek said.
The two researchers will present their findings at the Black Hat briefings in Las Vegas in early August. In addition, Valasek will speak at the Security of Things Forum in Cambridge on September 10th, co-sponsored by Security Ledger and Christian Science Monitor Passcode. However, they are keeping details of their method for issuing commands to the CAN bus a secret, given the safety risk they pose, he said.
Security and safety issues stemming from software flaws in connected vehicles are no secret. In addition to the research that Valasek and Miller did in 2013, software security experts and lawmakers have called on automakers to improve the safety of the software that runs vehicles. At last year’s Black Hat briefings, the group I Am The Cavalry issued a public call for a software safety rating system for cars, and for safety to be built into the design of computer systems in vehicles.
“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry at the time.
A subsequent report in February of this year, released by Massachusetts Senator Ed Markey and first reported on the show 60 Minutes, revealed security and privacy vulnerabilities in connected vehicles. The report was based on a survey of auto manufacturers about the security and privacy protections that accompany wireless features like WiFi and Bluetooth in modern vehicles.
Valasek said the process of making connected vehicles more secure will be long. Automakers are rich in engineering talent, but have not historically hired or cultivated software talent – let alone software security talent. That will have to change. “Like it or not, these car companies are software companies now,” Valasek said.
In addition, car makers need to start thinking about ways to both protect and record what happens to the software and hardware on their vehicles. Valasek said even modern cars lack any logging capabilities, making it almost impossible to note or block changes to critical software components.