Updated: Nothing But Scary: Wireless Hacks Disable Car on Interstate

Miller and Valasek used a wireless hack to take control of a Jeep Cherokee, installing an image of themselves on the dashboard monitor.
Miller and Valasek used a wireless hack to take control of a Jeep Cherokee, installing an image of themselves on the dashboard monitor.

In-brief: Researchers Chris Valasek and Charlie Miller are demonstrating wireless attacks on connected vehicles that can alter critical functions like braking and acceleration. (Added comments from Chris Valasek July 21, 2015 12:15 ET)

Two years after they demonstrated that they could use a computer to override a car’s navigation and braking systems, researchers Chris Valasek and Charlie Miller are demonstrating the same kinds of attacks: this time delivered wirelessly to a connected vehicle.

As reported by Wired’s Andy Greenberg, the two researchers have developed attacks against the software systems that power late model vehicles including a 2014 Jeep Cherokee. The researchers plan to unveil a remote exploit of Chrysler’s Uconnect connected car platform that can also be used to jump to the vehicle’s CAN bus – or internal network- and from there to systems that manage the operation of the engine, braking and other critical functions. Attackers would only need to know the IP address of the vehicle to control it, wirelessly, from anywhere in the country, the researchers told Wired.

Wired released video of Greenberg driving a Cherokee on an interstate highway and at the mercy of Valasek and Miller . In the video, the two researchers bombard the passenger cabin with loud music, blur the windshield with wiper fluid and – worryingly – force the car to decelerate. In another demo, the two showed how their attacks can control the car’s steering or tamper with its brakes.

[Read more about connected vehicle hacks here.]

Miller and Valasek’s attack relies on rewriting the firmware for the chip that powers the vehicle’s entertainment system, then sending commands through the car’s internal computer network to other components such as the engine and wheels. The attacks would work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015, they said.

In an interview with Security Ledger Tuesday, Valasek said the demonstration represented more than a year’s worth of research. Miller had demonstrated a compromise of the head unit on the Jeep at last year’s Black Hat briefings. But the two spent months perfecting a method that allowed them to send commands from the head unit to the on CAN bus, which runs on a separate processor.

“We had to compromise and reprogram the CAN bus processor to do that and it took us months to do it,” said Valasek.

Still, he said the challenges the two faced were due more to the newness of the platform than any security features built into it. The Jeep provides little separation between entertainment systems and critical car functions, he said. And their hack did not require any additional hardware to be added to the Jeep. “This is a car right off the showroom floor,” Valasek said.

The two researchers will present their findings at the Black Hat briefings in Las Vegas in early August. In addition, Valasek will speak at the Security of Things Forum in Cambridge on September 10th, co-sponsored by Security Ledger and Christian Science Monitor Passcode. (You can register for that event here.) However, they are keeping details of their method for issuing commands to the CAN bus a secret, given the safety risk they pose, he said.

Security and safety issues stemming from software flaws in connected vehicles are no secret. In addition to the research that Valasek and Miller did in 2013, software security experts and lawmakers have called on automakers to improve the safety of the software that runs vehicles. At last year’s Black Hat Briefings, the group IAmTheCavalry issued a public call for a software safety rating system for cars, and for safety to be built into the design of computer systems in vehicles.

“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry at the time.

A subsequent report in February of this year, released by Massachusetts Senator Ed Markey and first reported on the show 60 Minutes revealed security and privacy vulnerabilities in connected vehicles. The report was based on a survey of auto manufacturers about the security and privacy protections that accompany wireless features like WiFi and Bluetooth in modern vehicles.

Valasek said the process of making connected vehicles more secure will be long. Automakers are rich in engineering talent, but have not historically hired or cultivated software talent – let alone software security talent. That will have to change. “Like it or not, these car companies are software companies now,” Valasek said.

In addition, car makers need to start thinking about ways to both protect and record what happens to the software and hardware on their vehicles. Valasek said even modern cars lack any logging capabilities, making it almost impossible to note or block changes to critical software components.

12 Comments

  1. I would not implement any of these systems for as long as the security is not ok. This is really scary.

    • But, see, it works if EVERY car (but not car owner) is self-aware and interacts with every other car and is all carefully watched by agencies with big capital lettered acronyms. You know, like a panoptic[ar,on]. Then if one gets hacked every other car can respond, and those in control of the System can pursue the offender and send them off to Room 101 to repent of their sins and come to love their future robot overlords. ;P

      • Yes – the surveillance questions raised by connected vehicles are real. Even without the efforts of “three letter agencies,” local, state, federal law enforcement could, presumably, make use of data from the on-board cellular hotspot in order to retrace the movements of a vehicle. Obviously, most car owners are probably OK with that – or at least discount it against the benefit of having in-car wifi – but it will eventually be an issue for the courts, I’m betting.

        • I actually suspect the Court will do a worse job of this than it’s been doing with the (rather contentious) issue of GPS devices, especially in light of the US FREEDOM Act’s 3rd party provisos — in part because it’ll have its hands tied to do much about it. Sort of like the Stingray issue but instead of phones, cars, and instead of needing to insert a device to monitor the devices, they don’t. They may not even need a warrant, either, if they have the right ‘justification’, for data such as might be obtained that’d resemble cell tower data (pretty common sans warrant). You’re probably right about it not being only or largely three letter agencies.

          Most car owners are probably OK with a lot of things until their cars become informants on them and tell their spouses and insurance companies where they’ve been and how they’ve been driving.

          Especially the insurance companies.

        • By making it an issue for the courts, of course, and given the length of time it takes for the seemingly never-ending rinse-wash-repeat of the whole process, that’s basically just giving stuff like this sort of surveillance time to take root and become the inescapable norm.

          Why do people need in-car wifi anyway? Too lazy to turn their handset into a portable hotspot? Or just BUY a portable hotspot?

          This IoT stuff is out-of-control levels of irresponsible and we should be self-policing our industry — or at least attempting to. Of all of the fields why are we (computers/tech/security) one of the few that doesn’t seem to have a generalised standard of ethics?

        • (BTW, why yes, I AM actively in search of a non-classic pre-mid-1980s car that runs well with low-mileage, pristine condition. ;))

  2. Pingback: Fiat Chrysler Recalls 1.4m Vehicles to Patch Wireless Vulnerability | The Security Ledger

  3. Pingback: Podcast: Interview with Car Hacker Chris Valasek of IOActive | The Security Ledger

  4. Pingback: Following Jeep Hack, Miller and Valasek Move to Uber | The Security Ledger

  5. Pingback: Senators' Letter Demands Answers from Detroit on Cyber Security | The Security Ledger

  6. Pingback: House Committee to discuss Proposal to outlaw Car Hacking | The Security Ledger

  7. Pingback: What will it take to secure the Internet of Things? | The Security Ledger