We haven’t seen the last of the car hacks, says Charlie Miller, the security researcher who in 2014 helped show that hackers can take control of certain models of cars, messing with brakes and steering and other systems while the cars are in motion.
Speaking this week at ARM TechCon, held in Santa Clara, Calif., Miller said that carmakers “are not in good shape now,” but there’s hope for the future as the companies begin to understand the risks when vehicles are connected to the outside world.
Charlie Miller and Chris Valasek were able to scan the Sprint network for vulnerable vehicles. “I’m a good guy, but I was tempted when I found the Viper. I didn’t do it, but I could have changed the radio station so easily,” Miller said.Photo: Tekla S. Perry
Miller, currently an engineer at Uber, pointed out the difference between two categories of car hacks—hacks limited to the mobile app or to the head unit (the centerpiece of the audio system), and hacks that reach into the car’s controller area network (CAN) bus.
The latter are significantly more dangerous because brakes, steering, and other critical controls connect to the CAN bus. Yet mobile and head-unit hacks can go beyond simply changing the radio station.
Consider the recently detected vulnerability in the Nissan Leaf mobile app, Miller suggested (it has since been fixed). The password, he says, was the vehicle identification number, typically easy to see through a windshield. You could log in as the owner and, say, turn on the seat heaters. It’s not a safety issue, but, as Miller points out, that’s an easy way to kill a car’s battery. That’s “a denial-of-service attack against a car. Not dangerous particularly, but we’ll see more and more of these,” he says.[shortcode ieee-pullquote quote="Figuring out how to reprogram the (Jeep) chip wasn't easy. "I would screw it up, and my head unit wouldn't work anymore. Thank you, Chrysler and their warranty system; eventually we figured out how to reprogram it without breaking it"" float="right" expand=1]
The Jeep attack that made Miller and his partner-in-hacking, Chris Valasek, famous was a CAN bus attack. Miller discovered that, although the ARM chip that controlled the entertainment system wasn’t directly connected to the CAN bus, it did connect to a chip that was. And, through that connection, that second chip could be reprogrammed.
Figuring out how to reprogram the chip wasn’t easy. Recalls Miller:
“I would screw it up, and my head unit wouldn’t work anymore, I would have to go to the dealer, with my busted head unit. It was a real lemon; that thing broke all the time. They would fix it and get me back on the road. Thank you, Chrysler and their warranty system; eventually we figured out how to reprogram it without breaking it.”
The chip that controls the audio system in cars today typically connects to a chip on the controller area network (CAN) bus. Compromising this processor can give a hacker access to steering, brakes, and various safety systems.Photo: Tekla S. Perry
The most obvious fix for future car designers, Miller says, would be to simply not connect the two chips. But car owners like the features that such a connection enables—car audio systems that raise the volume as speed and road noise increase or guide lines that appear on rear-camera screens to indicate where your current path will lead.
“We will get more and more of these features,” Miller said, “including cars talking to other cars. There isn’t an option to disconnect this, so we need to figure out how to protect it.”
And some fixes, he said, work better than others. To shut down Jeep’s vulnerability, Miller explained, Jeep eventually went to Sprint, who provided cellular links for Jeep vehicles, and Sprint made that connection more secure. “They didn’t fix the code signing piece,” Miller said. “If I could get into a Jeep [head unit] I could still reprogram the gateway” to the CAN bus.
By contrast, Miller pointed out, after Tesla was similarly hacked by researchers from China this year, Tesla changed the gateway between the two processors to require that any code sent from one to the other be signed to prove it is authorized by the manufacturer. “So now when you read about a Tesla hack,” he said, “it is limited to whatever the head unit can do,” and doesn’t affect the car controls.
While these kinds of security patches are made public, Miller says, generally the car companies aren’t talking about what efforts they are making to improve security. “I would like more transparency; I’d like to see white papers from car companies that explain how they are designing systems for security,” he says.
In the meantime, is there anything a car owner can do?
Not much, says Miller. “You can’t download antivirus software” or add in other security patches yourself.
But you can avoid making your car’s vulnerabilities worse. You know those dongles that allow insurers to track your car’s operations or allow you to do so yourself via an app? (Some examples include Progressive’s Snapshot and Allstate’s Drive Wise.) Don’t even think about using one, Miller says: The safety risks are not worth the insurance discounts or convenience.
Tekla S. Perry is a senior editor at IEEE Spectrum. Based in Palo Alto, Calif., she's been covering the people, companies, and technology that make Silicon Valley a special place for more than 40 years. An IEEE member, she holds a bachelor's degree in journalism from Michigan State University.