By far, the most vibrant talk yet at the 2015 Black Hat computer-security conference was the one given yesterday by Charlie Miller and Chris Valasek on hacking a car remotely through the Internet.
In case you’ve not been following this story, these two researchers managed to take control of an unaltered vehicle’s electronically controlled subsystems (radio, AC, wipers, transmission, steering, even brakes) from afar, using the Internet connection its entertainment system makes through Sprint’s cellular network.
Miller and Valasek’s description of what they did to hack the car was immensely entertaining, even though most of the story was out already. In a nutshell, they used a 2014 Jeep Cherokee that was equipped with a Harman-Kardon “head unit” that controls the central display and entertainment system. Initially, they hacked this unit through Wi-Fi (the unit provides a Wi-Fi hotspot for passengers to use), but soon were able to tap into it through its cellular connection, which goes over Sprint’s wireless network.
That allowed them to perform such hijinks as blasting the radio and disabling the sound system’s normal controls. But what’s stunning—or I should say stunningly frightening—was that they were able to use this hack of the entertainment system to reach the car’s CAN bus (the electronic communications network that connects the car’s central computer with various electronic subsystems). “Turning up the radio is fine,” said Valasek, “but wrecking in a ditch is finer.”
While I suppose the two security researchers could have emphasized how clever they were to pull off this hack, instead they stressed how simple it was. Indeed, they made a big point of poking fun at Chrysler, harping on how easy it would have been to avoid many of the vulnerabilities they found.
For example, when they were first trying to hack into the car through Wi-Fi, they needed to determine the car’s WPA2 Wi-Fi password. Decompiling code, they discovered that the password was based on the time that the car was turned on for the very first time. But how does the car know the time when it’s first turned on? It doesn’t. Their test vehicle’s turn-on time turned out to be January 1st, 2013 at 00:00:32 GMT, suggesting that it had set its clock to a default time, 32 seconds after which the Wi-Fi subsystem created its WPA2 password. “So it’s actually not so difficult to figure out the password,” said Miller. “There are only 10 or 20 passwords in reality.”
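The password weakness above comes down to seed entropy: a secret derived from a clock that boots at a fixed default value can only take as many values as there are seconds in the window during which it is generated. The following is an added audit example, not code from the researchers or from the head unit; the derivation function is a hypothetical stand-in (the real one is not on this page), and the 2013-01-01 default clock, the window length and the 64-bit policy floor are constructed values. The audit feeds a derivation every seed the device could plausibly see and measures how many distinct passwords come out, which is the check a design review should have run; a CSPRNG-based generator is shown beside it.

```python
"""Audit of a clock-seeded Wi-Fi password derivation (added example)."""
import hashlib
import math
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List, Tuple

# Constructed default: the clock value a unit without a set RTC might boot with.
# The article's test vehicle reported 2013-01-01 00:00:32 GMT as its first boot.
DEFAULT_EPOCH = datetime(2013, 1, 1, tzinfo=timezone.utc)


def derive_from_clock(first_boot: datetime) -> str:
    """Hypothetical weak derivation: the password is a pure function of boot time.

    The hash makes the output look random, but it cannot add entropy that the
    seed never had.
    """
    seed = first_boot.strftime("%Y%m%d%H%M%S").encode()
    return hashlib.sha256(seed).hexdigest()[:16]


def generate_random(nbytes: int = 16) -> str:
    """Hardened alternative: a per-device password drawn from the OS CSPRNG at
    manufacture and stored on the unit, independent of any clock."""
    return secrets.token_hex(nbytes)


def default_clock_window(seconds: int) -> List[datetime]:
    """Every seed a device booting from DEFAULT_EPOCH can see in its first `seconds`."""
    return [DEFAULT_EPOCH + timedelta(seconds=i) for i in range(seconds)]


def audit_keyspace(derive: Callable[[datetime], str],
                   seeds: Iterable[datetime]) -> Tuple[int, float]:
    """Return (number of distinct passwords, log2 of that number) over `seeds`.

    The second value is the effective entropy of the scheme under the
    assumption that the attacker knows the default clock.
    """
    distinct = {derive(s) for s in seeds}
    return len(distinct), math.log2(len(distinct))


def passes_policy(effective_bits: float, minimum_bits: float = 64.0) -> bool:
    """Constructed review policy: reject any scheme below `minimum_bits`."""
    return effective_bits >= minimum_bits


if __name__ == "__main__":
    count, bits = audit_keyspace(derive_from_clock, default_clock_window(120))
    verdict = "OK" if passes_policy(bits) else "REJECT"
    print(f"clock-derived: {count} distinct passwords (~{bits:.1f} bits) -> {verdict}")
    print(f"CSPRNG: {generate_random()} (128 bits) -> OK")
```

Running the audit over a two-minute default-clock window yields 120 candidate passwords, under seven bits of effective entropy, which the policy rejects; a 16-byte CSPRNG password clears it by a wide margin.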
When the researchers had figured out how to get access to the entertainment system’s computer, they discovered a wealth of utilities they could avail themselves of including something called “D-Bus,” which is for inter-process communication. D-Bus has authentication, but it’s not enabled on these vehicles, and D-Bus runs at “root,” meaning a user has the highest privilege levels.
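What "authentication not enabled" looks like in practice is a dbus-daemon configuration that listens on a network socket with anonymous authentication and a permissive default policy. The two fragments below are an added illustration, not the head unit's actual configuration; the socket paths, the `PORT` value and the `acme.headunit` service name are placeholders. The first is the weak shape, the second the hardened one: the bus is reachable only over a local Unix socket, peers are identified by `EXTERNAL` (credentials from the kernel), anonymous connections are refused, and the default policy denies calls unless a per-service rule allows them. Note that `<user>` sets the account the bus daemon itself drops to; the privilege level of a service attached to the bus is set by that service's own launch configuration (for example `User=` in its systemd unit), which is where a root-running service would be fixed.

```xml
<!-- Weak (added illustration, not the vehicle's real config):
     network-reachable bus, anonymous auth, allow-all policy -->
<busconfig>
  <type>system</type>
  <listen>tcp:host=0.0.0.0,port=PORT</listen>   <!-- PORT: placeholder -->
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
  <policy context="default">
    <allow send_destination="*"/>
    <allow own="*"/>
  </policy>
</busconfig>

<!-- Hardened: local socket only, kernel-credential auth, default deny -->
<busconfig>
  <type>system</type>
  <user>messagebus</user>
  <listen>unix:path=/run/dbus/system_bus_socket</listen>
  <auth>EXTERNAL</auth>
  <policy context="default">
    <deny own="*"/>
    <deny send_type="method_call"/>
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"/>
  </policy>
  <!-- Only the unprivileged service account may claim its own name -->
  <policy user="headunit-svc">
    <allow own="acme.headunit"/>
  </policy>
  <!-- Only a named client account may call into that service -->
  <policy user="headunit-ui">
    <allow send_destination="acme.headunit"/>
  </policy>
</busconfig>
```

The check a reviewer runs against a deployed unit is simple: any `tcp:` listener, any `<auth>ANONYMOUS</auth>` or `<allow_anonymous/>`, and any `<allow send_destination="*"/>` in the default context should each be treated as a finding.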
Once they attained root privileges, they were able to control the entertainment system completely and spy on things like the car’s GPS coordinates—all with some very simple Python code. “If you want to own 1.4 million vehicles, there’s four lines of Python,” Valasek explained as he displayed the code they used.
With some simple scripts, the pair could then do things like track vehicles. But at this point, their exploit still needed access to Wi-Fi, which would have limited the hack to those that could get physically close to the target vehicle. So the team focused their efforts on getting access through the cellular network, which turned out to be merely a matter of finding the car’s IP address on Sprint’s wireless network and putting that into their four lines of Python. What’s more, unlike Wi-Fi, which requires the owner to pay a subscription fee, the cellular service is always enabled for any car equipped with this head unit. That allows any such car to be hacked from anywhere on Sprint’s cellular network.
What’s tricky is targeting a particular car. Each time a vehicle is started, it gets a new IP address from Sprint. So a hacker would have to know that the car was on; then he’d have to hack into many, many vehicles to find out which IP address corresponded to the vehicle-identification number of interest to him. Of course, if the hacker merely wanted to mess with a random vehicle (or many random vehicles), that would be easy enough.
When the researchers first approached Chrysler about the vulnerability, the company told them that it only affected 2014 vehicles. But in their probing, Miller and Valasek found they could tap into ones that ranged from 2013 to 2015 model years—and not just Jeeps. The list included the Dodge Viper, Ram, and Durango.
The key to controlling the car’s functioning was that there was an electronic connection from the head unit to the CAN bus—the main communications bus that carries commands to operate everything electronic: engine-control unit, wipers, transmission, brakes, and so forth. The link to the CAN bus was a tenuous one: a serial peripheral interface (SPI) connection between the OMAP processor in the head unit and a V850 microcontroller that in turn could talk to the CAN bus. Miller and Valasek used that SPI connection to reflash the V850. “There’s no code signing; you can update the chip, no questions asked,” said Miller. “Even if there had been code signing, we could have exploited memory-corruption bugs,” said Valasek, emphasizing that the system Chrysler is using is rife with security vulnerabilities.
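The missing control on the V850 is a signed-update check: before writing a new image to the chip, the bootloader verifies that the image was produced by the vehicle maker and is not an older version being pushed back on. The following is an added example of that check, not code from Chrysler, Harman or the researchers. The image format (`FWUP` magic, a 16-byte header, a 32-byte tag) is constructed for the example, and an HMAC over the image stands in for the asymmetric signature a real bootloader would verify, so that it runs on the Python standard library; in a shipping design only a public key sits in the chip, because a symmetric key extracted from one unit would let anyone sign for every unit.

```python
"""Firmware-image verification before reflash (added example)."""
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"FWUP"                     # constructed image magic
FORMAT_VERSION = 1
HEADER = struct.Struct(">4sIII")    # magic, format version, firmware version, body length
TAG_LEN = hashlib.sha256().digest_size


class RejectedImage(Exception):
    """Raised for any image the bootloader must refuse to flash."""


def sign_image(key: bytes, fw_version: int, body: bytes) -> bytes:
    """Build-side: header || body || tag, with the tag covering header and body.

    Covering the header binds the version number to the body, so an attacker
    cannot relabel an old, validly signed image with a newer version.
    """
    header = HEADER.pack(MAGIC, FORMAT_VERSION, fw_version, len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def verify_image(key: bytes, image: bytes, installed_version: int) -> Tuple[int, bytes]:
    """Device-side: return (fw_version, body) or raise RejectedImage.

    Every structural check runs before the length-dependent slicing, and the
    tag comparison is constant-time.
    """
    if len(image) < HEADER.size + TAG_LEN:
        raise RejectedImage("truncated image")
    header = image[:HEADER.size]
    magic, fmt, fw_version, body_len = HEADER.unpack(header)
    if magic != MAGIC or fmt != FORMAT_VERSION:
        raise RejectedImage("unrecognised header")
    if len(image) != HEADER.size + body_len + TAG_LEN:
        raise RejectedImage("declared length does not match image")
    body = image[HEADER.size:HEADER.size + body_len]
    tag = image[HEADER.size + body_len:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RejectedImage("signature mismatch")
    # Anti-rollback: a validly signed but older image is still refused, so a
    # previously patched vulnerability cannot be reintroduced.
    if fw_version <= installed_version:
        raise RejectedImage(f"rollback to {fw_version} from {installed_version}")
    return fw_version, body


def flash_if_valid(key: bytes, image: bytes, installed_version: int) -> bool:
    """Gate the actual write behind verification; True if the write would proceed."""
    try:
        fw_version, body = verify_image(key, image, installed_version)
    except RejectedImage as err:
        print(f"refusing update: {err}")
        return False
    print(f"flashing version {fw_version} ({len(body)} bytes)")  # write goes here
    return True


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed; never a real device secret
    good = sign_image(KEY, 2, b"\x00\x01\x02\x03")
    flash_if_valid(KEY, good, installed_version=1)              # accepted
    flash_if_valid(KEY, good[:-1] + b"\x00", installed_version=1)  # tag mismatch
    flash_if_valid(KEY, good, installed_version=2)              # rollback refused
```

Three refusals matter here: a modified body or header, a corrupted or truncated image, and a validly signed image that is older than what is installed. Valasek's caveat still applies: signature checking keeps unauthorised images off the chip, but does nothing about memory-corruption bugs in the code that is legitimately there.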
Reflashing the V850 was the most difficult step for the team. Indeed, when they first tried it, they managed to brick the head unit, which happily for the researchers was covered under warranty. Miller just brought the car to the dealer and played dumb. “The screen doesn’t turn on,” he told the service manager, which of course wasn’t untrue. And they got their car fixed. “One thing you got to say for Chrysler, they stand behind their products,” quipped Valasek.
Once they had worked out how to reflash the V850 chip, they had full access to the car’s CAN bus and thus could manipulate almost everything—locks, brakes, transmission, even take control of steering at low speeds. After Wired published its report on the hack, Chrysler came up with a patch, although that required owners to bring their vehicles in for service, meaning it would take a long time to lock down all the cars with this vulnerability. More effective was that Sprint blocked the IP port used to gain access to the car in the first place.
But it was a big blow to the car company in any event. “I’m not going to brag,” said Miller while he showed a plot of recent changes in Fiat-Chrysler’s stock price. “But we made the stock go down.”
Miller and Valasek will be releasing a 92-page report on their exploit on Monday August 10th. While it will be interesting reading, it’s somewhat unsettling to think what a true black-hat hacker might do with this information. After all, there will still be lots of vehicles unpatched at that point. And although the cellular channel has been blocked, it should remain possible to hack into a car by Wi-Fi—say by driving next to it on the highway. And with only a dozen or so passwords to try, it shouldn’t take a bad guy very long to do mischief. So if you own one of the affected vehicles and you’ve not gotten the patch, maybe change lanes a lot until you do.
Editor’s note: A correction was made on 7 August 2015 to an error introduced by editing. To run “at root” means a user has the highest access privileges, not that a user needs to attain those privileges.