Remotely Hacking a Car While It's Driving

This is a big deal. Hackers can remotely hack the Uconnect system in cars just by knowing the car's IP address. They can disable the brakes, turn on the AC, blast music, and disable the transmission:

The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I-64; After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.

Miller and Valasek's full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep's brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they're working on perfecting their steering control -- for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep's GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

In related news, there's a Senate bill to improve car security standards. Honestly, I'm not sure our security technology is enough to prevent this sort of thing if the car's controls are attached to the Internet.

EDITED TO ADD (8/14): More articles.

Posted on July 23, 2015 at 6:17 AM • 95 Comments

Comments

Armin • July 23, 2015 7:21 AM

@JdL the age of the car is not necessarily relevant, the key question is the internet connectivity. You can probably still buy a lot of cars without this technology today and would therefore be safe. These cars are likely to be much safer for a lot of other areas (collision protection etc) than older cars, so ultimately you'd still be safer in a newer car.

Thomas • July 23, 2015 7:32 AM

"Under no circumstances does FCA condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,"

Another bunch of numpties that completely ignored security in their rush to computerise everything and need to learn about "responsible disclosure".

Anura • July 23, 2015 7:37 AM

Absolutely no services should be listening on a public-facing IP address in the first place; avoiding that would significantly reduce the attack surface. Of course, it should have a firewall to block inbound connections anyway.

haxx • July 23, 2015 7:43 AM

It did take them a few months to reverse engineer the radio in order to do this, so rewriting the firmware over the air is not something you can easily do yet, but the targeted tracking anybody can do.

Jim Barrett • July 23, 2015 7:54 AM

Consider if google's driverless cars become popular. I'm sure they would implement some sort of automated OTA security patches, but... What if that mechanism is compromised? Even if not, then what about driverless cars that reside in locations which are outside of wireless range, or are parked in underground garages, or otherwise disconnected from the Internet for extended periods?

Chrysler has provided a fix, but a voluntary recall will mean that a year from now there will still be thousands upon thousands of these cars which will remain unpatched. Vehicle registration and regular safety inspections are always handled by state/local municipalities, so regulations which would keep these dangerous hackable multi-ton projectiles off the road will be very slow in development, unless the federal government quickly puts pressure on states to enact and enforce penalties for drivers who keep their exploitable cars on the road.

As a side note, I am intrigued that Chrysler has released the patch directly to consumers so they can update their vehicles without having to visit a dealership. To download the patch, a person must enter their VIN, so the company will at least be able to keep track of who has downloaded it. Is there a way for the car to "phone home" so that Chrysler will know the patch is really installed and not just sitting on the key ring next to the ignition? (Come now, you know some people will honestly believe that keeping the usb drive on their car keys will constitute installing the patch) But, more importantly, can the update be easily reverse-engineered? Does this open the door to inserting a USB stick into the car's computer and hacking the car that way?

They were very quick to release the patch, which either means the engineers who discovered the flaw informed Chrysler months ago (more than likely, and which is always the Right Thing To Do®), or they were very hasty in building the patch. I doubt if any amount of programmers could slap together and properly test an effective fix in a matter of hours, so BIG KUDOS to the people who found this exploit.

Spaceman Spiff • July 23, 2015 8:19 AM

@JdL - how old? Not sure, but my '99 Camry is definitely not hackable. To access the computer, you need a direct connection. It won't last forever, but at 16 years and 215,000 miles, it still runs like a Swiss watch!

Martin • July 23, 2015 8:30 AM

"... leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch ..."

Isn't this what the emergency brake is for? Surely it, too, wasn't connected to the Internet.

Anura • July 23, 2015 8:38 AM

@Martin

The emergency/parking brake is not something people use regularly, especially with automatic transmission, so many people won't even remember it, especially under pressure. Also, my car has an electronic parking brake (which boggles my mind) so if you are able to replace the firmware, you can surely disable it.

chris l • July 23, 2015 8:42 AM

@Jim Barrett
Anybody can read your VIN off the plate visible through the windshield on the driver's side, so downloading the patches for any car would be easy. The reason that they ask your VIN is probably to give you the correct patch-- it tells them which plant, what trim line, and when your car was built.

zuc • July 23, 2015 9:13 AM

This brings up interesting liability questions. So far, few, if any, software manufacturers have been criminally liable for their software. But the ubiquitous standard for auto manufacturers is that they definitely are liable if their product is defective.

Curious • July 23, 2015 9:19 AM

I am no historian, however, I wonder if upcoming legislation could be comparable to the drive for putting seat belts in cars in USA in the eh sixties. I vaguely recall having seen a tv documentary for that, unsure about the time period though. Might have been in the fifties even.

Jim Barrett • July 23, 2015 9:20 AM

@chris l
I doubt that the patch would be tied to the VIN, but it's not too far-fetched of an idea. My point is that if they keep track of the VIN numbers which were used to download the patch, and if they then cross-reference that list with the dealership records, the company would have a (marginally reliable) count of how many of the affected cars (might) have been patched. That alone is really not good enough.

As for the reverse engineering... anyone could go to a used car lot or a dealership's website and find suitable VIN numbers. Even if Chrysler's website asks for more info after the VIN number is matched, it still wouldn't be too difficult for Joe Public to start a collection of patches.

Jim Barrett • July 23, 2015 9:23 AM

@chris l
Correction... I meant to say that I doubt a unique patch would be required for each VIN. You are right, that the VIN would be critical for finding the correct patch. Software for one model or trim could very well be different than another model or trim.

Archon • July 23, 2015 9:33 AM

I quite like how the car manufacturers sniffed at their old hacks because they needed to be hooked to the car's systems physically, then almost immediately wired the car's systems to the same bus as an Internet connection.

Haha! Your attempt to assassinate me by placing an inland taipan in my bedroom has failed because it has fallen asleep! Now watch me walk up and kick the snake a few times!

(Sigh.) In a perfect world no engineer or manager of engineers could land a job without at least understanding the concept of an air gap.

Gabor Szathmari • July 23, 2015 9:54 AM

So how was that story again with the hacked aircraft that Boeing refuted? It is clear the automotive and aerospace industries are failing to commit themselves to proper security, so we need these regulations for our safety to be ensured.

rgaff • July 23, 2015 9:57 AM

Why are "security researchers" hacking their vehicles while driving down a busy freeway at 70 mph? Do they have a death wish for themselves and others? At least do all that kind of experimentation at a slower speed, with nobody else around...

Curious • July 23, 2015 10:00 AM

@ks & all
That article has some kind of quotation in it, where it is pointed out that a modern car has 50 million lines of code in its electronics. Although I wouldn't know myself, this large amount of code seems like a lot to me and I found that number weirdly large. Maybe such code would have to be some generic code, like a tweaked linux distro or something?

kingsnake • July 23, 2015 10:05 AM

This will make for some very interesting future LiveLeak videos, probably including in car reaction shots ...

Bradley192 • July 23, 2015 10:12 AM

Dunno (?) -- whole story sounds fishy ... like that recent 'Big' (phony) media story about researcher taking control of a commercial airliner via the entertainment-system in a passenger seat.

Why would the Jeep’s entertainment-system be connected to its steering, brakes, transmission, etc... in the first place ???

Makes no design engineering sense -- and is too complicated to result from just dumb human design errors.

yikes • July 23, 2015 10:13 AM

Who needs to "know" care or even have the ip on traceable hardware when there is a lula nmap script app and open.able wifi for that?

So it is an unaccountable irresistible soft target of immediate opportunity, could not be more imminent if it tried

kingsnake • July 23, 2015 10:24 AM

@Bradley192 Because engineers don't make decisions, bean counters do. Unfortunately.

Ripley • July 23, 2015 10:34 AM

@Bradley192 Seems legit to me. Folks were complaining about this stuff 10 years ago. Hacking the ABS system, tripping the brakes, or messing with the steering. Now that cars are going with more "by wire" controls, it's only getting worse. Everything gets tied into the same central bus, with security usually absent or pathetic at best. Until somebody releases a virus that wrecks a significant number of vehicles on the road today, nothing will get done.

Hollywood is even on board. We've seen this tech used in several of those Fast & Furious movies, as well as After the Sunset.

wiredog • July 23, 2015 10:38 AM

@Bradley192

On my VW many of the engine readings can be displayed through the same screens as the radio settings, clock, and odometers. I can cycle through oil and water temperatures, time, fuel level, radio station info, and various distance traveled displays. So the engine info is on the same bus as the entertainment info. Now, if that's one way, where the readings are always available but a diode ensures it's read only, that's OK. Somehow I doubt it's one-way communications.

Chris S • July 23, 2015 10:53 AM

The possibility exists that you *do* need a unique patch per VIN.

There is an OBD function to read the VIN out electronically through the OBD port. If the VIN is just a piece of constant data in the firmware used to enable this function, then each firmware install will be unique.

Potentially more troubling is that a firmware update could modify the electronic VIN.

Doug Coulter • July 23, 2015 11:02 AM

I remember a movie in which a guy is tied down and being tortured to get some info out of him, his family hostage in the next room. He won't give, and says, just kill me, I'm not giving it up.

The bad guy then says, oh, should I shoot, my aim would not be so poor as to hit YOU.

Why the anecdote? Consider a party who wants to assassinate someone.
That someone doesn't have to be in a hack-vulnerable vehicle, or even in an auto at all if someone else can control a random one remotely....and the evidence is neatly destroyed in the resulting wreck.
A neighbor of mine has one of the affected vehicles. It's a tank. What a weapon.
You no longer need someone willing to suicide to do that type of attack.

Movie plot? You decide...

Max • July 23, 2015 11:54 AM

"Why?" someone asks. Because connecting everything together is the cheapest, easiest, most functional (except for security!) way to do things.

Still, it's madness not to have extra security for safety critical functions. Even if you can't charge a penny extra for it, the threat of expensive lawsuits and recalls should be sufficient motivation.

Sasparilla • July 23, 2015 12:19 PM

It's pretty obvious the automakers have no idea what a massive liability they have on their hands here...although the courts will (sooner or later) make them realize otherwise.

Seems like the internet connected part of the vehicle needs to be completely isolated from the vehicle control part (separate local networks with no wireless connections for the vehicle control network - the way flight control systems were done previously, maybe not anymore, on aircraft) otherwise it's just a hack away from the liability of crashing a vehicle & injuring its occupants.

albert • July 23, 2015 12:28 PM

@Saul,
Ah, memories! And when Thompson is wondering if/when his friend is seeing the monsters. :) Now, I never saw monsters, while driving or not, but.......
.
...

Dark thoughts • July 23, 2015 1:05 PM

It's scary, if self-driving cars (or hacked regular cars) are available as tools in terrorist threats, then they can be used to block most emergency responses.

Almost any mild disaster, fire or incident can escalate into serious threats if emergency responders can't get through to provide aid.

"Spreading unchecked fires", "normally survivable injuries going untreated for hours leading to deaths" and "violence, robbery or riots with no police response" are all examples of society's defenders being unable to do their jobs.

Laws need to be enacted to force strong airgap security (or at least liability) into ANY system that can affect society as a whole even if only in a local area.

Alan • July 23, 2015 1:14 PM

The ostensible reason for connecting the vehicle CAN bus to the internet is so that "OnStar" (or whatever the Chrysler equivalent is) can remotely unlock the doors, or to allow the owner to remotely start the car, etc.

The day we picked up a used GMC vehicle we had the mechanic remove the OnStar transmitter. Both because I don't want to be tracked and vulnerable, and because I have little kids who like to push buttons...

This all reminds me of a certain politician's quote about a government big enough to give you everything is big enough to take it all away... If you want some remote person to be able to do things for you remotely, don't complain when the black hats do it too.

This connection between the vehicle CAN bus and the entertainment system is at least understandable from a usability/feature standpoint. I cannot fathom any reasonable explanation for having inflight entertainment systems and avionics/flight controls on the same network beyond saving weight & money.

albert • July 23, 2015 1:15 PM

OK, I'm not certain how much of this stuff is true. Modern aircraft already have computer control. It's called 'fly-by-wire'. You only need an extra s/w layer to enable remote control. They have GPS, weather radar and TCAS. They are actually much safer to operate remotely than an automobile!
.
Why on Earth would auto companies engineer remote control? I can understand giving law enforcement the ability to kill the system in a car chase scenario, but to disable brakes, steering, etc.? What possible purpose could this serve? None.
.
The prime movers in this seem to be the douchebags Andy Greenberg, Charlie Miller and Chris Valasek. It smells like a stunt to me*, and a dangerous one at that. The icing on the cake would have been a real accident, with injuries.
.
I don't believe any auto company would engineer such capabilities into an automobile. Steering and brakes are, and need to be failsafe. Electric systems need to be mechanically operable at all times. Even Chrysler's crappy engineering should be able to handle this.
.
To allow ECUs to be accessible from the internet is quite insane.
.
If this really happened, they should be charged with reckless endangerment.
.
...
* alternatively, the whole story could be BS.

Chris S • July 23, 2015 1:42 PM

@albert;

Go back to the link to the Washington Post article. That article has much more detail, with a key item being that these researchers were brought in under a DARPA contract precisely because of concerns that the auto manufacturers were ignoring this area.

They first did earlier work that could accomplish much of the same thing by being in the vehicle, to which many manufacturers responded by claiming, roughly 'this is not important because you have to be in the car'. So, they go on to demonstrate how it works with not being in the car.

One of the most annoying facts about full disclosure - and, yes, sometimes including press-making stunts - is how often it's the only thing that actually gets manufacturers to start planning how to deal with the problems. In this case, it does NOT appear that Miller and Valasek jumped straight to the press without first talking to the manufacturer. Note that there is already a firmware update from the manufacturer - this would be unlikely if this was not previously disclosed. The big press coverage at this point has a useful function - get as many people as possible aware of the need to actually upgrade their car firmware with a newly available version.

name.withheld.for.obvious.reasons • July 23, 2015 2:17 PM

What is it about systems design and engineering that prevents the established use of best practices--the theory of explicit privileged access. When the owner of the vehicle (legally liable in most cases) is prevented from minimizing operational risks, one can expect to also be in the dark about those risks. This reminds me of the Microsoft model of "turn every thing on and install all drivers irrespective of need". It was so frustrating as a technologist to install a server OS and realize that there is an "Active X Desktop", Internet Browser capable of code execution, and all the drivers that you needed (or didn't) installed by default. Of course you could build custom installs that did the opposite--my point is that the default behavior should be that you have to make customization to extend behavior (increasing attack surface).

Wm • July 23, 2015 3:35 PM

I cannot see any reason that a car's steering should be able to be controlled remotely. I was thinking of maybe getting a Jeep because I heard that people really like them. I will now put them in the category of all Chryslers - JUNK!
Whatever car I was going to get, I had always planned to at least disconnect the mini roof antenna. Being one to never trust anyone, I would not be surprised if all this computer information/control was not a conspiracy between the boot licking auto manufacturers and the government. The government's desire to know everything about us is insatiable!

I may just go with a Hindustan Ambassador.

sideshowbob • July 23, 2015 3:41 PM

Thank goodness I drive an old 60's reliable vehicle. Fanciest computer in there is an aftermarket radio that is in no way connected to the steering and brakes.

Gavinsec • July 23, 2015 10:45 PM

It is for reason I shy buying America's car. Nothing gets in the way of reliability and shine, in fact they are both speck good. Too much calea

Rufo Guerreschi • July 24, 2015 2:20 AM

If we had a new "Ralph Nader", he would request that car systems are made 100 more verified relative to complexity, extremely compartmentalized, and verified at CPU design and fabrication phase...

And then we could apply back those standards to high-assurance end-user IP comms systems, and finally have meaningfully secure/private devices.

This last step will happen only if somehow those systems are reliably available to law enforcement with due process. Otherwise they'll invest tens of millions to break the life-cycle...

Is the solution regulating and formalizing "lawful hacking" as proposed by Blaze, Bellovin and Landau in 2013?

Or just part of it?

Clive Robinson • July 24, 2015 3:32 AM

@ Wiredog, and others,

Now, if that's one way, where the readings are always available but a diode ensures it's read only, that's OK. Somehow I doubt it's one-way communications

No a diode would not make it read only... diodes are effectively write only as far as information flow is concerned.

The issue to think on is that the radio is open at its antenna, the frequency / RDS etc information comes from the radio so information is flowing onto the CAN bus from the open radio...

It does not matter if the radio writes to, or is read from, that "open radio data" gets onto the CAN bus.

The advantage of having the radio "read from" as opposed to "write to" is it limits some --but does not stop all-- DOS attacks on the CAN bus...

However even if there were two separate buses, they would both end up at the display controller, thus the attacker would then find a way to use it as a "bridging node"...

Now whilst we can argue about having two or more out of sight CAN buses, are we going to be able to argue for two separate displays with two totally separate sets of user controls?

That's where the "Gods of all corporate stupidity arise" in the "All powerful all hallowed Marketing Department" who will if challenged organise "focus groups" to get their way...

Dirk Praet • July 24, 2015 6:52 AM

@ Bradley192 , @ name.withheld.for.obvious.reasons

Makes no design engineering sense -- and is too complicated to result from just dumb human design errors.

It makes perfect sense. You hire a couple of code monkeys supervised by a Mexican army of clueless managers (or outsource the entire thing), then put them on a tight budget and an impossible deadline. Secure design, coding and auditing - as usual - become an afterthought, and when the sh*t hits the fan, you get legal to revise the fine print while marketing cries bloody murder that the company has fallen victim to heinous deeds perpetrated by a bunch of irresponsible villains who are enabling terrorists.

Eric • July 24, 2015 7:55 AM

I did a mental inventory of my own car...

No Car-net (VW version of OnStar) in there.
No navigation system.
No WiFi capabilities.
No keyless starting of the car.
Indirect tire pressure monitoring (uses ABS, not wireless sensors).

The main wireless method an attacker could get in would be via bluetooth. Not insignificant, but a much more limited attack surface than some of these other cars out there. Assuming that one actually got in, there are a more limited number of things they could do to me:

No parking assist.
No collision avoidance system.
Manual transmission.

Sometimes having a simpler car has advantages.

Alan Kaminsky • July 24, 2015 8:12 AM

Hey Bruce, this would be a great topic for next year's Movie Plot Threat Contest: Hackers and terrorists take over the Internet of Things -- cars, thermostats, light bulbs, etc. -- and cause mayhem, death, and destruction.

BTW, the Wired story made the front page of the USA Today section in my newspaper this morning. Mainstream media is taking notice.

Tom • July 24, 2015 9:41 AM

Firewalls can't protect today's connected cars
http://www.computerworld.com/article/2951878/telematics/firewalls-cant-protect-todays-connected-cars.html

"I don't think there's a way you can make a really secure way for computers to communicate," Miller said. Hacking a network firewall simply takes time and perseverance.
The CAN bus is very simple and the messages on it are very predictable, Miller said. "When I start sending messages to cause attacks and physical issues, those messages stand out very plainly. It would be very easy for car companies to build a device or build something into existing software that can detect CAN messages we sent and not listen to them or take some sort of action."
Once past a firewall, hackers can make computers imitate any other computer on a network, and that means they can control the systems through electronic messaging. That's basically what Miller and Valasek did: They had the head unit pretend to be the electronic control unit (ECU) for the brakes, the transmission and other systems.
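
One simple way to make injected CAN messages "stand out" as the quote above suggests, shown as an added example (not code from the researchers, the article or this blog): learn each CAN ID's normal period from known-good traffic, then flag IDs that arrive faster than that or were never seen. The choice of a rate check, the candump-style log lines, the IDs 100/200/3E8 and the 0.5 tolerance are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# candump -l style line: "(<epoch seconds>) <interface> <hex id>#<hex data>"
# Classic CAN only: 3-digit (11-bit) or 8-digit (29-bit) ID, 0 to 8 data bytes.
FRAME_RE = re.compile(
    r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#((?:[0-9A-Fa-f]{2}){0,8})$"
)

# Constructed known-good traffic: ID 100 every 10 ms, ID 200 every 20 ms.
BASELINE_LOG = """\
(100.000000) vcan0 100#0011223344556677
(100.001000) vcan0 200#1000
(100.010000) vcan0 100#0011223344556677
(100.020000) vcan0 100#0011223344556677
(100.021000) vcan0 200#1000
(100.030000) vcan0 100#0011223344556677
(100.040000) vcan0 100#0011223344556677
(100.041000) vcan0 200#1000
(100.050000) vcan0 100#0011223344556677
(100.060000) vcan0 100#0011223344556677
(100.061000) vcan0 200#1000
"""

# Constructed capture: extra 200#FF00 frames squeezed between the genuine
# 200#1000 frames, one ID the baseline never saw, and one corrupt line.
CAPTURE_LOG = """\
(200.000000) vcan0 100#0011223344556677
(200.001000) vcan0 200#1000
(200.005000) vcan0 200#FF00
(200.009000) vcan0 200#FF00
(200.010000) vcan0 100#0011223344556677
(200.013000) vcan0 200#FF00
(200.015000) vcan0 3E8#01
(200.017000) vcan0 200#FF00
this line is not a CAN frame
(200.020000) vcan0 100#0011223344556677
(200.021000) vcan0 200#1000
(200.030000) vcan0 100#0011223344556677
"""


def parse_candump(text):
    """Return [(timestamp, can_id, data)]; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))))
    return frames


def learn_periods(frames, min_gaps=3):
    """Median inter-arrival time per CAN ID, learned from known-good traffic."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    # IDs with too few samples get no profile and will be reported as unknown.
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def detect(frames, periods, tolerance=0.5):
    """Flag IDs absent from the baseline, and frames that follow the previous
    frame with the same ID sooner than tolerance * learned period.

    A "too-fast" alert says the ID is out of profile at that moment, not which
    frame is forged: a genuine frame right after an injected one trips it too.
    """
    last_seen, alerts = {}, []
    for ts, can_id, _ in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last_seen and ts - last_seen[can_id] < tolerance * periods[can_id]:
            alerts.append((ts, can_id, "too-fast"))
        last_seen[can_id] = ts
    return alerts


def summarize(alerts):
    """Count alerts per (can_id, reason)."""
    return Counter((can_id, reason) for _, can_id, reason in alerts)


def run_demo():
    periods = learn_periods(parse_candump(BASELINE_LOG))
    return summarize(detect(parse_candump(CAPTURE_LOG), periods))


if __name__ == "__main__":
    for (can_id, reason), count in sorted(run_demo().items()):
        print(f"ID {can_id:03X}: {count} x {reason}")
```
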

Wolf • July 24, 2015 9:45 AM

wonder what the effects of this will be to the stock of Jeep, for example

or perhaps they will be supported by the government black ops budget (through shell corporations masquerading as investment banks)

MrC • July 24, 2015 9:49 AM

@ Clive:
What about 2 different buses connected to the display via diodes?

Me • July 24, 2015 9:51 AM

Why, after the Cylon war would they go back to networking all the ship's systems again?

Why?

Tom Joad • July 24, 2015 10:03 AM

Why stop at vehicles? Let's connect everybody's sphincter muscles to the internet. That way some trust fund baby can charge you rent for using your own asshole.

Hey, it's a "feature"! We can call it Udefecatr. Maybe send live tweets of each turd.

Maybe do the whole thing in Flash.

albert • July 24, 2015 10:15 AM

@Chris S, @Everyone,

My last comment got lost in the maintenance cycle.

There's no point in rehashing the same discussions we had on securing communications to internet appliances. Clearly, the auto manufacturers ignored or disregarded ECU security. There have been a rash of recalls lately traceable to poor engineering. They have well established track records in these areas. But,

Why should we think this is unusual? EVERYBODY'S doing it. The crux of the issue is the same: remote re-program-ability. To control system functions, one has to be able to access the CAN bus, or hack the ECU firmware. Hacking the firmware is nasty, because it lasts until the next firmware update. (One of you guys could probably figger out a way to isolate some of the flash memory for a truly permanent hack).

'Auto companies are cost conscious' is the understatement of the year. Cars commodity items. They make millions of 'em. Every penny counts (it's $10k/million cars). It's no wonder they throw every function they can into the software.
.
@Chris S,
Why would DARPA be interested in this? Why not the NTSB?
.
I gotta go...


jonathan • July 24, 2015 12:06 PM

@Bradley192

I'll bet the car hack claim in OP is truthful/authentic.

I'll bet the claim of changing commercial aircraft thrust is bogus.

----

If some security researchers can do this, imagine what a first tier spy agency can do. An easy way to assassinate ...

----
TANGENT:

Not just cars and planes, PCs and hand held devices should require physical access (i.e. flipping a physical switch or using a physical connector) to modify BIOS and other critical software. It goes without saying that the control systems (e.g. google car autopilot) should be completely isolated from the internet.

-----

The problem is:
* business is cost sensitive

* taking smallish risks that save money looks attractive when viewed through the lens of short term profits. E.g. if I make 50 million but am long gone from the company when the shit hits the fan then profiting from choosing bad security is a win for me.

Johann • July 24, 2015 12:13 PM

@albert

So the excuse is that car companies are cost conscious? Because supposedly "cars [are] commodity items", even though cheapest models with WiFi equipped computers cost tens of thousands USD.

Not to mention all the $$ car companies make out of the maintenance (oil changes etc) and leasing revenue.

In fact, if car companies are so "cost conscious" that they cannot build their crap safely enough to protect human life, then why include this kind of expensive electronics into the cars in the first place? It does not add "perceived value" from the user's perspective anyway.

Kristoff • July 24, 2015 2:30 PM

One point that a lot of people have missed with this is that Chrysler can easily track where your vehicle is at all times. Moreover, the government is able to get this information and there's little you can do about it other than blocking the signal or disabling the built-in cellphone. Like a lot of things, this is probably so that the company can collect statistics about vehicles running in the wild, which helps tremendously when designing and improving vehicles.

I guarantee we're going to see a lot more things being exploited over the Internet within the next few years. I own a smart TV and am waiting for the day for it to stop working or start acting up. I guarantee we'll one day see a bunch of appliances getting bricked simply because security wasn't a priority when developing these things. Or even worse, get into the hardware and sometimes you're able to set things on fire or melt.

albert • July 24, 2015 2:58 PM

@Johann,
Car companies never use cost as an excuse. They have a laundry list of other excuses.

Some folks ask 'why would they do/not do this/that?' I answer: Cost is the main factor. What influences cost? Time to market, engineering expertise, specification writing, material & manufacturing costs, safety, and security.

For example, we have cars that can stop themselves (Mercedes). Po' folk ask "why can't my Honda Civic do that?" Honda guys say "We'd kill the market if we had that." So they decide to put it in, but it's gotta be cheap and fast, 'cause they need to beat the competition and still make money.

Some features ARE cool, some are stupid, some are, apparently, dangerous. I don't think bringing glass cockpits into autos is wise, but they're doing it.

Every time you 'computerize' a feature or system, the probability of failure increases dramatically. Remote access is a quantum leap in increasing the probability of failure.

Godspeed to you, the drivers of autos everywhere.
.
..

Bradley192 • July 24, 2015 4:15 PM

@jonathan


Keep in touch with reality on this "story" -- software itself can NOT physically move/affect anything in a Jeep.

Software can only possibly affect other physical devices that "might" be able to physically act (like motors, solenoids,etc).

So when these researchers "claim" to have remotely moved the Jeep steering wheel -- how exactly is that even possible ??

What physical device is directly connected to the Jeep steering that could command movement without human driver input ??

There is none, much less any software controlled device.

The Jeep power-assisted-steering (PAS) mechanism is the only conceivable device that could affect steering physically, but it's a simple, dumb hydraulic device-- that absolutely could not perform actions claimed by these researchers.

There are really no hard facts presented-- only assertions & opinions. Chrysler seems in a CYA mode for minor software problems (Microsoft patches bigger Windows security problems every month)

Still smells fishy and highly exaggerated.

Clive Robinson • July 24, 2015 4:24 PM

@ Mr C,

What about 2 different buses connected to the display via diodes?

It rather depends on which way the diodes are around and if the display "pulls information" from the devices or pushes it out.

On the assumption the display device requests data --normal for a master unit--, the diodes allow it to pull the data from the --slave-- devices it's connected to. If it gets tainted data from the open radio, by which it becomes corrupted and under the control of the attacker, then the diode to any other --slave-- device is already pointing in the right direction for the display to make requests or push commands.

Simplistically under normal configurations it would be unusual for the devices to push data onto a common bus as this would cause collisions and back offs, which is very undesirable in a Real Time system. After all you don't want your brakes to not work because your foot on the pedal did not get received by the control unit because the engine rev counter happened to be transmitting data and caused its message to be backed off a few time slots.

anonymous • July 24, 2015 4:58 PM

@Bradley192

Maybe you should read a bit more into this. First, Charlie Miller is a renowned hacker who's been doing this kind of thing for years. He's first class at reverse engineering, well, basically anything.

Second, these cars have electric power steering. Apparently they were only able to get the wheel to move in reverse, but with a big software-controlled motor on the steering rack, anything's possible. So, know what you're talking about before you post crap.

rgaff • July 24, 2015 5:03 PM

@ Bradley192

Some high end newer vehicles have a parking assist feature that will automatically parallel park your car for you when you are in the right position and push the right button, using the accelerator and steering with your hands and feet off of them. While I don't see this feature listed on the Jeep site yet, it is possible that a) I didn't look hard enough, or b) it's partly implemented in the car ready for being fully activated in a future model, or c) since the hackers are literally rewriting the firmware of various chips in the car to do things they were never intended to do, maybe they can then actually use the ordinary power steering assist to nudge the steering right or left... The "park assist" feature I did find looks to only be a warning system, not one that will automatically park yet.

Don't assume things aren't possible just because you don't understand them.

albert • July 24, 2015 5:23 PM

@Bradley192, @jonathan,

I haven't been following this stuff for a while. Am I correct in assuming that the Jeep in question uses the old hydraulic-assist steering? (see http://www.thetruthaboutcars.com/2010/02/whos-afraid-of-electric-power-steering/ for a view of the electric steering systems of the future.)

What we have here is a plentiful lack of information.

The article implies more serious consequences than one would think possible. Could they really "... turn the steering wheel, briefly disable the brakes and shut down the engine..."?

Hydraulic pressure for PS is available as long as the engine is running. Electrically operated valves could easily operate the steering. (How does automatic parking work?) Front/rear brake balance is accomplished with electric valves. Is it really possible to disable the brakes? I would be surprised if it's true. Killing the engine is child's play.

More to the point, it doesn't take much to freak out some drivers. Even if critical systems were secure (in some other universe; not here), a driver could lose control by any or all of:

"...the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass...."

Operating _everything_ with the computer is beginning to look like insanity. I don't trust the auto engineers to write good code, even without remote connectivity. Add remote access, and that's the 3rd strike. Yer out!

Clive Robinson • July 24, 2015 5:39 PM

@ Bradley192,

What physical device is directly connected to the Jeep steering that could command movement without human driver input ??

It rather depends on what you mean by "directly connected".

Simply pulsing the brakes on either side of the vehicle at different rates will cause the steering to be affected as you would expect.

Drivers of old/vintage vehicles without any kind of power steering can feel the steering wheel pull when the brakes are not working correctly. Some "off roaders" talk about "fighting the wheel" for similar reasons due to the grip or lack thereof has.

Likewise even in more modern cars drivers can "feel the road" grip etc through the steering wheel.

However with the researchers talking about only being able to affect the steering "in reverse" clearly implies that it is to do with power assisted steering that augments the driver in a way that is different to that of normal forward driving. This differentiation, I suspect is not the sort of thing you would want to do with a non electrical power assist system.

Anura • July 24, 2015 5:59 PM

@Clive Robinson, @Bradley192

The Jeep Cherokee has a self-parking system, which I believe requires it to be in reverse. So that's probably what it is.

rgaff • July 24, 2015 6:04 PM

@Clive Robinson, Mr C

What about 2 different buses connected to the display via diodes?
It rather depends on which way the diodes are around and if the display "pulls information" from the devices or pushes it out.

I would assume that the only "safe" way would be for the high-security system to only send information one-way to the less-secure display system, in kind of a dumb push-only continuous stream, not waiting for it to be requested. This would mean that a hacker could still sniff the stream or alter the display, but not issue commands to and control things within the high-security system. Obviously, sniffing the stream and altering the display is also really bad news too, but it's a defense-in-depth idea to layer it like that with more critical functionality. It would also mean that user input controls for that higher-security system would have to be isolated from less-secure controls (like accelerator/brake/steering isolated from entertainment/climate systems, for example).

Chase Johnson • July 24, 2015 6:35 PM

Y'all aren't trying very hard. A link about electric steering systems from 5 years ago? Really?

Try the maker's marketing site. This took me under thirty seconds to find.

"A speed-sensitive electronic power steering system helps improve efficiency and reduces road noise. The system automatically adjusts for limited effort during parking or increased steering effort on the road." -- http://www.jeep.com/en/cherokee/capability/

Other fun toys from the same link:

Electronic rear locker: "With the push of a button, Trailhawk® can electronically lock both rear wheels together for outstanding traction at lower speeds." -- Probably not super dangerous, but could be interesting, nonetheless. What a subtle way to cause an oversteer condition...

Speed control: "Selec-Speed® Control is only available on Cherokee Trailhawk®. It's a great feature for off-roading and helps you confidently drive up or down hills at controlled, steady speeds." -- So there's your throttle control.

Transmission and transfer case control: "Making things easier is the available Selec-Terrain® traction control system with up to five customizable settings: Auto, Snow, Sport, Sand/Mud and Rock. Auto is an overall 4x4 performance mode for any road or weather condition." -- Almost certainly this could be used to program the transmission into an unusable state, like trying to run in first gear at 70, or 5th at a stop. The former could probably do a nice imitation of blowing up the motor, too.


Cars don't work like you think they do anymore.

Chase Johnson • July 24, 2015 6:44 PM

Interesting thought: a sophisticated and determined (not to mention, creative and cruel) hacker could do a very convincing poltergeist imitation against someone who owned a new car and a smart house.

rgaff • July 24, 2015 8:29 PM

@ Hatfield

That's why I listed two other explanations I could think of.... because I doubt it too... But still my doubts or beliefs do not make it fact.

rgaff • July 24, 2015 8:35 PM

By the way, a great many newer cars have a fully electronic "drive-by-wire" throttle, I'd be surprised if this Jeep doesn't. It's meant as a great fuel savings feature, compared to a mechanical one.

tyr • July 25, 2015 3:24 AM

This looks like a golden opportunity to push for end to end encryption for any address on the Net. That would make it a lot harder to play with the IOT or vehicles. You'd have to crack the encryption first. Since it would then be generic it would be normal to do all the communications (economy of scale). The IC types would have to concentrate on the real targets and stop playing dirty econ and politics.

albert • July 25, 2015 11:15 AM

@Chase, et al,

The link tells us nothing. What does 'electronic power steering system' mean? It's BS market speak, just what one would expect from the manufacturer's website.

Bradley192 said it was a simple hydraulic system. My searches show that also. It probably has solenoid valves controlling the amount and/or speed of the assist. With proper mechanical design, these valves could be used to steer the car. (hint: automatic parking systems are locked out* in forward gears)

@rgaff,
I didn't know it was a 'great many' cars with 'throttle by wire'. In most cars today, the fuel injection is controlled by throttle position anyway (the TP sensor fails, and you walk:) The FI (and the ignition system) can be disabled by the ECU. So they probably eliminated the mechanical linkage (really not necessary anyway). It's just a way to save money.
@Nate,
“network-level security measures”? I can't help thinking 'security theater' here. If you patch the vehicles, why would you need this? Is something else going on?

Firmware updates via USB sticks?

"...They can download the patch to a computer right now, put it on a USB drive, and install it on the dashboard...."

OK, now I'm laughing. Could someone with a valid VIN report on what other information is required to download the patch?

This is secure? Does anyone have details on this? Or do we have to wait, yet again, for the hackers to explain it?

* probably in software...sigh...

rgaff • July 25, 2015 12:06 PM

@ albert

To be fair, I didn't say a great many OF ALL cars on the road have a drive-by-wire throttle.... only a great many of NEW cars.... There's quite a difference between the two. Also "great many" doesn't necessarily mean a majority, just a nonspecific large number. And with an electronically-controlled fuel injection anyway, why have a pointless mechanical linkage in the first place.

“network-level security measures” are needed because they can't coerce everyone at gunpoint to update all their cars RIGHT NOW! So, even if people don't mind rolling around in 2 ton unguided missiles, they still need to protect the rest of us from them. Obviously forced updates over the net is coming soon to address this issue.

Not that simply blocking this one attack is really fixing anything, just give the hackers some time to find more leaky holes...

albert • July 25, 2015 3:36 PM

@rgaff,
Come to think of it, most car engines have throttle position sensors. I guess the mechanical linkage is an ancient vestige that will soon become extinct. It's functionally extinct anyway:) Mechanical steering and brake linkages do act as 'redundant' systems though. I saw on the news an auto being driven by a quadriplegic. Joystick steering has been demonstrated. I'm all for computerization (most of my career was based on it), but embedded systems are being pooped out like candy, with about as much forethought.

'Forced updates' is certainly the future, and can be done automagically. Maybe I'm old fashioned, but developing good code might be a better solution:)


SchneieronSecurityFan • July 26, 2015 4:18 AM

Here's an article from February 2010 concerning some Congressional testimony from U.S. Secretary of Transportation Ray LaHood in the wake of the Toyota Prius acceleration problem:
http://www.thetruthaboutcars.com/2010/02/nhtsa-has-electrical-engineers-but-where/

The Secretary admits that there are only two electrical engineers in the NHTSA. Who knows how many software engineers.


Here are some statistics from about five years ago:

Manfred Broy, of the Technical University, Munich, told IEEE Spectrum that software and electronics can make up 35 to 40 percent of the cost of a premium car today. At $10 a line, a cost he calls too low, 100 million lines represent $1 billion of investment for each car.

According to consultant Frost & Sullivan, those 100 million lines of code will rise to 200 or 300 million within a few years.

Jon • July 26, 2015 9:04 AM

One thing I've not seen here yet is the contemplation of the hack rewriting the chip's firmware.

As built, no, the chip couldn't send malicious messages, but the chip itself has the ability to reprogram itself - And that's open to the public.

There is a huge attack surface - Anything your chip can do, a malicious attacker can make it do, whatever the limits you set while designing the thingy.

J.

rgaff • July 26, 2015 9:45 AM

@ SchneieronSecurityFan

You can't just multiply lines of code out like that, unless you've already worked your way backwards and started from averages. The reason is code reuse. Nobody starts with zero lines of code with each new make of car, they write systems that they reuse in many cars, with slight alterations/improvements for each model. And each year the whole system gets an upgrade too, most years just a slight upgrade and occasionally there's a massive one that isn't rolled out to every car every year either. Everything is reused and there become many forks of the same code that all has to be maintained.

@ Jon

Indeed. When you reprogram that chip, your limit is anything electronically connected, not just the previous far lower software limits. Anything that can be reached electronically that will accept any sort of input can be controlled. That's why it can be so surprising how much more can be controlled than people think should be possible.

albert • July 26, 2015 10:04 AM

@SchneieronSecurityFan,

"...software and electronics can make up 35 to 40 percent of the cost of a premium car today. At $10 a line, a cost he calls too low, 100 million lines represent $1 billion of investment for each car...."

He throws out numbers, but they're so general that they're useless. 100M lines of code? This is what the auto companies write for every car? I find this impossible to believe. Where does all this code reside?

It's impossible to derive anything but very crude estimates for things like this. A skilled accountant would need days to get 'accurate' data, and then they would still be _estimates_. Counting lines* of code is easy because the computer does it. Anything else is pulling numbers out of your butt.

*with or without comments?


albert • July 26, 2015 10:13 AM

@SchneieronSecurityFan,
P.S.
NHTSA is just like the FAA, EPA, FDA, etc.. They're regulated by the industries they 'regulate'. It's all legal. You can control them by reducing their budgets and appointing industry-friendly directors (Wall Street is a good example).

Eric • July 26, 2015 10:44 AM

Yes, the ECU firmware can be re-flashed. The people who "chip" engines do this all of the time. They have somehow reverse engineered the things on the ROM, changed it in some manner or another, and then flashed it back again. This can oftentimes be done from the OBDII port, so the assumption is that if you can get onto the bus wirelessly by one means or another that theoretically it would be possible to reflash one of the modules.

Some years back I had my car chipped. The first attempts to reflash via the OBD2 port failed - they physically removed the ECU from the car, desoldered the ROM, reflashed it, and then soldered it back onto the circuitboard.

It doesn't sound like they attempted this in this one demonstration, but clearly that is within the realm of possibility.

gordo • July 26, 2015 12:44 PM

Related/Sidebar Topic/Info:

Below is a nice FAQ, with links, etc., from Canadian privacy group FIPA, out of British Columbia, on their vehicle telematics and privacy report [the result of a year-long study]:

The Connected Car: Who’s in the Driver’s Seat FAQs
BC Freedom of Information Privacy Association | March 24, 2015

What’s a “Connected Car”? “Connected Cars” are vehicles that use wireless communications to send data from the vehicle to external computers and/or service providers.


What are “telematics”? Vehicle telematics are computer systems that automatically combine a car’s data with global positioning satellite (GPS) tracking and wireless communications technologies to enable a wide range of services and applications that aim to improve safety, security and convenience.

Are telematics already in use? ...

https://fipa.bc.ca/connected-car-faqs/

tyr • July 26, 2015 9:12 PM

@albert

I'd like to see the methodologies used for estimates involving the comp. I once calculated the death toll from my cigarette smoking using California's advertising about second hand smoke. 37 trillion deaths seemed a bit high to me but I'm sure the ad sounded good.

I can remember when there were no computers in a car unless you counted the vacuum spark advance as an analog comp. I don't remember any surge in ads for automotive programmers or any sudden demand for special purpose hardware. I imagine the comp got scabbed onto the existing system as typical kludge similar to today's smart IoT lightbulbs. I have seen some of the auto stuff in action and if there's 100 million lines of code there it must be over commented.

Nick P • July 26, 2015 10:07 PM

@ tyr

There's a whole sub-industry dedicated to products for cars. Most focus on functionality. However, there's been steady advertisements and apparently some sales by separation kernel vendors for automotive. Green Hills and QNX have whole platform packages targeting them. Lynx, VxWorks, and SYSGO mention them specifically. AdaCore pushes Ada and SPARK for the whole transportation industry with Toyota experimenting with it. Esterel's SCADE does something similar. Rockwell-Collins' AAMP7G processor puts such rigor into hardware and is probably available for automotive.

Plenty of options available. Most focus on artificial air gaps or vulnerability elimination. Real security takes a bit more than that but it's a good start. The lack of security in all these cars seems to be a result of ignoring what's there. Them just throwing stuff together on the cheap as you suggested. The market and solutions are there, though. Gives them less excuse.

nym • July 27, 2015 5:00 AM

@Martin • July 23, 2015 8:30 AM "Isn't this what the emergency brake is for? Surely it, too, is not connected to the internet."

No, it's not. The emergency brake's function is limited to locking a stationary axle manually to prevent the car from rolling down a steep incline upon which the car is parked.

Applying the emergency brake while moving will destroy it immediately and do nothing to stop your car.

nym • July 27, 2015 5:09 AM

>>Gabor Szathmari • July 23, 2015 9:54 AM

>>So how was that story again with the hacked aircraft that Boeing refuted? It is clear the automotive and aerospace industries are failing to commit themselves to proper security, so we need these regulations for our safety be ensured.


You're right, that is clear. What's not clear is security is achievable at all.

I cannot foresee buying a car which is vulnerable to this category of exploits, irrespective of future claims for security updates.

John • July 27, 2015 10:09 AM

There seems to be a little confusion which has caused some rather far-fetched speculation on this thread about CAN and what is or is not possible. While I am not an expert in CAN and how it is used in the automotive field specifically; I do have some experience in the automotive safety and engine performance monitoring fields.

CAN is a zero dominant, message oriented, prioritized, high reliability bus that has a programmable baud rate. CAN messages carry an ID and not an address. Lower ID's take priority in the case of a collision and most transceivers have the ability to filter messages in the transceiver based on the ID. There is no master on the bus and all nodes are equal. A message may be sent by any node but no other nodes on the bus are required to act on the message aside from asserting the acknowledge bit during the reception of the message. If I remember correctly, the ACK bit is asserted regardless of whether or not the ID of the message is filtered.

There are typically at least two separate buses in most modern cars. In my Jeep JK, I believe there are actually three. However, no matter how many buses are present they are typically all connected to the ECU; each with their own transceiver. In the case where there are at least two buses in the vehicle, one is used for high speed communication to the engine, brakes, and drive train. The other bus is used for low speed communication with the instrument panel and the entertainment system. If the OBDII port uses CAN then it is usually a third bus connected to the ECU. The physical separation of the buses combined with the fact that the buses usually run at different baud rates typically make it more difficult to send messages from a device on one bus to devices participating on the other. I believe that is why the researchers modified the firmware in the ECU--to bridge the two buses. The ECU would have to accept messages on one bus and forward them to the other; something that is probably not allowed by stock firmware in most ECU's.
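The arbitration and ID filtering described in the comment above, together with the one-way forwarding rule rgaff suggested earlier in the thread, as an added C example that is not part of any commenter's post or any vehicle's firmware. The frame IDs, bus names, allowlist and function names are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAN_ID_BITS 11   /* base-format identifier width */
#define MAX_NODES   16

/* Bitwise arbitration on a wired-AND bus: 0 is dominant, 1 is recessive.
 * Every contender sends its ID MSB first and reads the bus back; a node
 * that sent recessive but reads dominant stops transmitting.
 * Returns the index of the winning node, or -1 on bad input. */
int can_arbitrate(const uint16_t *ids, size_t n)
{
    int active[MAX_NODES];
    if (n == 0 || n > MAX_NODES)
        return -1;
    for (size_t i = 0; i < n; i++)
        active[i] = 1;

    for (int bit = CAN_ID_BITS - 1; bit >= 0; bit--) {
        int level = 1;                       /* idle bus is recessive */
        for (size_t i = 0; i < n; i++)
            if (active[i] && !((ids[i] >> bit) & 1))
                level = 0;                   /* any dominant bit wins */
        for (size_t i = 0; i < n; i++)
            if (active[i] && ((ids[i] >> bit) & 1) != level)
                active[i] = 0;               /* lost arbitration, back off */
    }
    for (size_t i = 0; i < n; i++)
        if (active[i])
            return (int)i;
    return -1;
}

/* Acceptance filter: only the ID bits selected by mask are compared. */
typedef struct { uint16_t code, mask; } can_filter;

int can_filter_accepts(can_filter f, uint16_t id)
{
    return ((id ^ f.code) & f.mask) == 0;
}

enum bus { BUS_POWERTRAIN, BUS_INFOTAINMENT };

/* Constructed allowlist of status frames the display side may receive. */
static const can_filter to_display[] = {
    { 0x1F0, 0x7F0 },    /* 0x1F0-0x1FF: engine status (hypothetical) */
};

/* One-way gateway rule: allowlisted frames flow from the powertrain bus
 * to the infotainment bus; nothing is forwarded in the other direction. */
int gateway_should_forward(enum bus src, uint16_t id)
{
    if (src != BUS_POWERTRAIN)
        return 0;
    for (size_t i = 0; i < sizeof to_display / sizeof to_display[0]; i++)
        if (can_filter_accepts(to_display[i], id))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed IDs: radio, brake, engine status. */
    const uint16_t ids[] = { 0x3E8, 0x0A0, 0x1F4 };
    int w = can_arbitrate(ids, 3);
    printf("arbitration winner: 0x%03X\n", (unsigned)ids[w]);
    printf("powertrain 0x1F4 -> display: %d\n",
           gateway_should_forward(BUS_POWERTRAIN, 0x1F4));
    printf("powertrain 0x0A0 -> display: %d\n",
           gateway_should_forward(BUS_POWERTRAIN, 0x0A0));
    printf("display 0x0A0 -> powertrain: %d\n",
           gateway_should_forward(BUS_INFOTAINMENT, 0x0A0));
    return 0;
}
```

The gateway rule only holds while the firmware enforcing it is intact, which is why the thread's point about reflashing the bridging module matters.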

albert • July 27, 2015 6:35 PM

@tyr, @Nick P, @John, et al.

Automotive electronics evolved slowly over time. For example, ignition systems went from points and coils to total computer control (with individual coils for each cylinder!) The ECU does a much better job of controlling spark advance. The legacy distributor is an expensive mechanical device. Better emission control is another benefit. The quantum jump came with computerized fuel injection. Both of these systems help increase fuel economy, power, and decrease emissions. This is all good:)

Adding 'automatic' control of the vehicle is not good (if you can't park a car, you shouldn't be driving), and adding remote access is just crazy. 'Single point', read only access to the ECU for external display of vehicle parameters is quite safe (as the computer jacks used by auto techs). CAN buses must be isolated, conversing only with the ECU. As @John pointed out, the CAN bus protocol is designed for speed and simplicity. There's no provision for security; it's assumed that everyone will play nice. The logical place to interface to the outside world is the ECU. I'm still against remote firmware updates. Write good code!!

SchneieronSecurityFan • July 29, 2015 10:46 AM

Here's a link to a page that graphically compares various "lines of code" implementations: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/


Two historical notes:

In October 2004, Anthony Scott, chief technology officer for General Motors Information Systems and Services, said that in 1990 cars had 1 million lines of code.

A Ford Taurus in the 1990s had more computing power than the Lunar Module from NASA's Apollo missions.


This is the article that I referred to. It has some interesting statistics and Manfred Broy is considered an expert in the automobile embedded electronic control unit field:
http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code


I wonder if the "lines of code" in the automobiles is written in assembly language.


G-Man • July 31, 2015 8:33 AM

Delphi to Buy HellermannTyton to Expand in Vehicle Connectivity
http://www.itbusinessnet.com/article/Delphi-to-Buy-HellermannTyton-to-Expand-in-Vehicle-Connectivity-4002406


(Bloomberg) -- Delphi Automotive Plc, the former car-parts unit of General Motors Co., agreed to buy cabling-gear maker HellermannTyton Group Plc for 1.07 billion pounds ($1.7 billion) among a set of acquisitions to expand in vehicle connectivity.

Delphi said the purchase will help it capitalize on growing demand for cars that connect to mobile phones and other devices.

Marec • September 2, 2015 6:52 AM

Sooner or later all cars have this vulnerability. Older cars without internet connection can't drive forever. Better accept it and try to prepare (but don't know how).


Sebastian Bartsch • February 25, 2017 12:34 PM

Afterwards this was the trigger for the car makers to take the topic of cybersecurity really seriously.

Besides secured gateways they now integrate key management into the ECU's hardware. So now we see encryption of flash and secure onboard communication... so interested in what more is coming up.
