If you've been hiding under a rock, the secret's out: Car
hacking is possible.
Security Researchers Charlie Miller, a Security Researcher
at Twitter and Chris Valasek , Director of Vehice Security Research Firm IOActive
are now in the limelight.
Working with Wired
Magazine's Andy Greenberg, they managed to hack a Jeep Cherokee while the
writer at along for the ride as reported in the article “Hackers
remotely kill a Jeep on the highway - with me in it”, published 07.21.15 by
Andy Greenberg, Wired.
Normally I’d write a lot of stuff at this point. But I think
this time, I'll let the video do all the talkin'!
Their research has now resulted in legislation being
considered by Senators Ed Markey and Richard Blumenthal to improve automotive
security and set new Digital Standards for Internet connected Cars and Trucks as reported in the
article “Senate
Bill seeks standards for Cars' Defenses from Hackers”, published 07.21.15
by Andy Greenberg, Wired.
The pair plans to publish their research and do the talk
circuit rounds at the Black Hat Security Conference in Las Vegas in August
2015.
Andy Greenberg the
Guinea Pig for Security Researchers- 2 Years worth of Research Vindicated
This is the culmination of almost two (2) years of research
since, during which time Wired Magazine's Andy Greenberg was their occasional guinea
pig as reported in the article “Hackers
Reveal Nasty New Car Attacks--With Me Behind The Wheel (Video)”, published
JUL 24, 2013 by Andy Greenberg, Forbes.
This in a bid to demonstrate to the reporter – and the
Automotive Industry - that Car hacking was indeed real. Worse, you didn’t have
to be physically in the vehicle; it could be done remotely over the Internet,
with deadly results being possible.
From July 1, 2015 |
They had the clearly nervous Andy Greenberg drive a Ford
Escape and a Toyota Prius around a South Bend, Indiana will they remotely
controlled almost all aspects of the vehicle functionality via special software
on their Laptops. But that was in a parking lot and via Wi-Fi.
But could it be done over a longer distance? After some DARPA
(Defense and Research Project Agency) funding, studying vehicle schematics and
even tearing down a Toyota Prius and a Ford Escape to see how its ECU
(Electronic Control Unit) works, the short answer, as this video clearly shows,
is yes!
Security
Researcher hack a 2014 Jeep Cherokee - How to remotely control an Internet
Connected Vehicle
As I said before, Car hacking is real as this video
graphically demonstrated!
By August 2014 these Security Researchers gave CNN Money a
long list of vehicle makes and models that were hackable as reported in my blog article
entitled “Automotive
Security Researchers tell CNN Money Vehicles are hackable - How Vehicle
Entertainment Systems are hacked”.
The models that were listed in that interview were:
1. 2014
Audi A8
2. 2014
Dodge Viper
3. 2014
Jeep Cherokee
4. 2014
Toyota Prius
5. 2015
Cadillac Escalade
And yes, if you check that article and the list above, the
2014 Jeep Cherokee was listed among vehicles that were hackable.
The pair deemed it to be the most hackable in the list simply
because the Engine Management i.e.
Brakes, Steering, Tire Pressure Monitor and Engine and on the same Internal
Vehicle Network, known as the CAN (Controller Area Network) Bus as the
Entertainment System in most of the models.
The 2014 Jeep Cherokee connects via the OnStar Cellular
Network, which is really a Baseband Processor for the Sprint Network, which is
also connected to the Engine Management
and the Entertainment System.
It thus became the focus of their continue research into
remotely hacking via the Internet, as they soon realized that there was no
authentication for the remote access; almost any Fiat Chrysler vehicle using the
Uconnect Software was trackable and hackable.
A hacker merely need to infect the vehicle's Entertainment System
with a Trojan horse that lays in wait for instruction sent via Wi-Fi (if within
range!) or via the Sprint Network, accessible via a cellphone connected to that
Network.
Using a laptop, a Sprint cellphone and special software,
Security Researchers Charlie Miller and Chris Valasek can then remotely control
the target vehicle.
Vehicle Hacking
via a Cellular Network – Vulnerability in the Baseband Processor
But this recent car hacking video demonstration by Security
Researchers Charlie Miller and Chris Valasek is different. They're apparently
exploiting the fact that these three (3) Systems may even be sharing the same
Hard-drive and memory.
This makes it very easy for hackers to gain control of the
entire System via access to one of the more vulnerable Systems, which in this
case is the Baseband Processor for the Sprint Network.
What's worse, they apparently can hack the vehicles WITHOUT
installing any special software via the Entertainment System. They can also
scan the Sprint Network for other equally vulnerable connected vehicles that
they can hack.
If so, then it implies that vehicle manufacturers have been
playing fast and loose with the security of passengers in vehicles.
Fiat Chrysler
recalls 14 million vehicles – Fix for Security hole in Uconnect System
Now that the video is out, on Friday July 24th 2015,
Fiat Chrysler, makers of the 2014 Jeep Cherokee, has issued a voluntary recall
to upgrade the Entertainment System software in some 14 million vehicles as
reported in the article “Fiat
Chrysler to recall 1.4 million vehicles following remote hack”, published
July 24, 2015 by Lance Whitney, CNET News.
The vehicles included in the recall are the following models
that use the Uconnect Software and have the 8.4-inch touchscreens:
1. 2013-2015
MY Dodge Viper specialty vehicles
2. 2013-2015
Ram 1500, 2500 and 3500 pickups
3. 2013-2015
Ram 3500, 4500, 5500 Chassis Cabs
4. 2014-2015
Jeep Grand Cherokee and Cherokee SUVs
5. 2014-2015
Dodge Durango SUVs
6. 2015
MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
7. 2015
Dodge Challenger sports coupes
Owners of any of these vehicles can go the Fiat Chrysler Uconnect software update
site and check if they’re on the
recall list by typing in their VIN (Vehicle Identification Number). A visit to
their local Fiat Chrysler can get then
the update via a USB Drive, which they can then use to upgrade their Uconnect
software.
It is this software that the Security Researchers Charlie
Miller and Chris Valasek exploited to remotely control the vehicles.
Ironically, this was the same software that grants the car owner the same level
of control over their vehicle, including tracking it location via GPS and was
really a security and anti-theft feature.
They plan to release all but the parts of their software
that gives hackers the ability to infect the CAN Bus; hacker’s will have to do
their homework. But they can demonstrate the remote access to the vehicle,
evidence enough that Remote Hacking of
Internet connected vehicles is possible.
Researcher heading
to Black Hat Security Conference - Vehicle Hacking makes Remote Vehicle
Homicide possible
Albeit their demonstration is benign at best, this
vulnerability can potentially be exploited to commit Remote vehicular homicide
from hundreds of miles away as reported in my blog article
entitled “Mission
Secure Inc and Perrone Robotics Inc say Vehicles can be hacked - Apple Carplay
and @Android Auto Assassin’s Weapon of Choice in Contract Remote Vehicular
Homicide”.
US security firms Mission Secure Inc (MSi) and Perrone
Robotics Inc in June 2015 have pointed out that IVE (In-Vehicle Entertainment Systems),
the same target identified by the Security Researchers Charlie Miller and Chris
Valasek, is a potential point of attack for hackers.
The veracity of the work of Researchers Charlie Miller and
Chris Valasek over the past two (2) years has been proven true. As Automakers
take steps to make sure their Systems cannot be compromised, the pair will
definitely be the talks of the Black Hat Security Conference in Las Vegas come
August 2015!
No comments:
Post a Comment