Terrifyingly bad design makes jeeps remote murder machines.

[jwm_]

This is scary, and would have been trivially avoidable with basic mild security foresight. tl;dr. Anyone driving a jeep cherokee can be anonymously remotely murdered over the internet right now.

Jeep connected the cell "smartphone" to the cars internal CAN bus. meaning zero day exploits of the phone (which exist) turn into being able to rewire the cars firmware to do anything. like remove tension from the seat belts, do max acceleration, disable breaks and twist the wheel into a roll. _easily_.

If anything needed to be _physically_ firewalled, it is a cars CAN bus

 http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

[TorqueRanger]

This  is nothing new here ..Check out Defcom they did it before and can be done for many years now  but never has either been reported or done but was always possible.. Also there is no way to really stop it cause all they really need is time to hack it and by the time you realize whats going on it's to late ..

[jwm_]

This  is nothing new here ..Check out Defcom they did it before and can be done for many years now  but never has either been reported or done but was always possible.. Also there is no way to really stop it cause all they really need is time to hack it and by the time you realize whats going on it's to late ..

No, remotely hooking into cars entertainment systems or door unlock mechanism has been done, this is remotely hooking into the CAN bus with full privliges, which is wildly different order of magnitude. Also, should be impossible. For instance the FAA demands a physical air gap between fly by wire systems and other ones, I would have assumed the same would be bleedingly obvious to car manufacturers and would 100% protect against this.

[TorqueRanger]

Please Watch

[langwadt]

This  is nothing new here ..Check out Defcom they did it before and can be done for many years now  but never has either been reported or done but was always possible.. Also there is no way to really stop it cause all they really need is time to hack it and by the time you realize whats going on it's to late ..

so far it has required physical access to insert hardware to access the CAN bus via the OBD connector or similar. That  isn't 
so scary since if you can get physical access there is nothing that can stop an attack. 

If they can really do it all wireless then it is much much more scary

[TorqueRanger]

Maybe I am not understanding here cause I work for a tow truck company and I can gain access to most Cars in under 30 seconds or less and right to your obII plug and be able to control the car remotely and the remove the OBII tool after impact and no one will be the wiser..

[jwm_]

Maybe I am not understanding here cause I work for a tor truck company and I can gain access to most Cars in under 30 seconds or less and right to your obII plug and be able to control the car remotely and the remove the OBII tool after impact and no one will be the wiser..

Physical access is a big big difference. you could always just stick a car bomb in there if you had physical access.

But physical access means fingerprints, forensic evidence, you having to be in the same jurisdiction as the victim at some point, something for investigators to find after the accident, and a fair amount of skill.

This brings it to script kiddies. some 12 year old budding psychopath with an undeveloped moral sense in no-extradition-ia on the other side of the world downloads a script and types in a cars IP address for the lulz with no effort or practical culpability.

Or mobsters from another country send extortion letters threatening death to your family and can actually follow up on the threat fairly easily without exposing themselves locally.

[Tomorokoshi]

The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.

Whatever happened to "fail-safe"? It's as if it was engineered with failure capability built-in. What if the processor or some other component has a fault? It seems like automotive standards are quite out of date when it comes to failure modes.

[TorqueRanger]

Maybe I am not understanding here cause I work for a tor truck company and I can gain access to most Cars in under 30 seconds or less and right to your obII plug and be able to control the car remotely and the remove the OBII tool after impact and no one will be the wiser..

Physical access is a big big difference. you could always just stick a car bomb in there if you had physical access.

But physical access means fingerprints, forensic evidence, you having to be in the same jurisdiction as the victim at some point, something for investigators to find after the accident, and a fair amount of skill.

This brings it to script kiddies. some 12 year old budding psychopath with an undeveloped moral sense in no-extradition-ia on the other side of the world downloads a script and types in a cars IP address for the lulz with no effort or practical culpability.

Or mobsters from another country send extortion letters threatening death to your family and can actually follow up on the threat fairly easily without exposing themselves locally.

How many Accident Deaths have you ever cleaned up ?

[EEVblog]

so far it has required physical access to insert hardware to access the CAN bus via the OBD connector or similar. That  isn't 
so scary since if you can get physical access there is nothing that can stop an attack. 

Yes, I'm not sure what the fuss is about here.
No one can remotely hack into your CAN bus if the physical wireless/internet hardware is not there to do that.
How many cars have that?
Tesla is wirelsss internet connected, but they have challenged hackers to break it and so far no one has?

[jwm_]

so far it has required physical access to insert hardware to access the CAN bus via the OBD connector or similar. That  isn't 
so scary since if you can get physical access there is nothing that can stop an attack. 

Yes, I'm not sure what the fuss is about here.
No one can remotely hack into your CAN bus if the physical wireless/internet hardware is not there to do that.
How many cars have that?
Tesla is wirelsss internet connected, but they have challenged hackers to break it and so far no one has?

That's what this new attack is. completely wireless, against jeep cherokees (which are not uncommon). They do a remote update of the firmware and are given full access to the CAN bus with no physical access ever needed.

That's the bad design I alluded to, they actually put the physical connection in there between the buses. sigh.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels.

...

They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

    John

[EEVblog]

That's what this new attack is. completely wireless, against jeep cherokees (which are not uncommon). They do a remote update of the firmware and are given full access to the CAN bus with no physical access ever needed.
That's the bad design I alluded to, they actually put the physical connection in there between the buses. sigh.

Then they are stupid and they will go out of business if they don't fix it. A recall is in order.

[jwm_]

That's what this new attack is. completely wireless, against jeep cherokees (which are not uncommon). They do a remote update of the firmware and are given full access to the CAN bus with no physical access ever needed.
That's the bad design I alluded to, they actually put the physical connection in there between the buses. sigh.

Then they are stupid and they will go out of business if they don't fix it. A recall is in order.

Yes. very much so. Actually an air gap should be manditory for the same reason the FAA requires it for planes. I somehow assumed it was as that is very basic security.

Every chrysler since 2013 is a lot of cars to recall, maybe 4 million cars based on gross sale numbers.

Nowadays a botnet can do an exhaustive search of the entire IP space on the order of tens of minutes. A single person can do a lot of damage, not just to the car owners, but anyone in their path. A coordinated crashing of a few million cars will bring every major freeway to a halt and overwhelm emergency services.

   John

[suicidaleggroll]

DBW throttle, ECU-controlled fuel and spark, all are fine with me...but I've never been comfortable with electronic brakes, steering, or ignition.  I haven't bought a vehicle with any of those yet, and I would have to face a serious internal struggle before ever doing so.

I think it goes back to the old rule - you never want to see how sausage is made.  Waiters/waitresses don't eat where they work, and electrical engineers don't trust cars driven entirely by electronics.  Once you see how things actually work, and the bugs that can make their way into critical systems due to ineptitude and lack of oversight, you have difficulties ever trusting them.  Anyone remember this?

http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences

[Rasz]

No one can remotely hack into your CAN bus if the physical wireless/internet hardware is not there to do that.
How many cars have that?

>any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015
GM is not far behind pushing its own car as a hotspot crap

Tesla is wirelsss internet connected, but they have challenged hackers to break it and so far no one has?

No they didnt. Tesla was recruiting and promoting at Defcon, not running any challenges. They did it only after independent chinese competition that ended in plethora of remote exploits. There were at least 7 remote exploits found in model S to date (wirelessly opening doors while car is moving and so on). This just shows how good Tesla PR is.


I imagine car "security" is handled in same stupid way Boeing did it in 747 relying on ethernet VLANs for separation of networks, because adding $100 in wires to $30K car is TOO MUCH!

[Skimask]

Anyone driving a jeep cherokee can be anonymously remotely murdered over the internet right now.

F.U.D.

like remove tension from the seat belts

Not likely as the seatbelt mechanism has a centrifugal locking assembly in it which is actuated mechanically...no electronics here.

, do max acceleration,

Possible, but as has been shown in the Toyota Prius debacle, step on the brakes, turn the engine off, no problems here.

disable breaks

Everybody wants to "disable BREAKS".
However if you mean "disable BRAKES"...impossible, as even though the braking system is tied into systems such as anti-skid, anti-lock, etc., the fail-OPERATIONAL mode of any and all braking system is purely hydraulic.  Barring any failures otherwise (eg. leaks, blockages, etc.), step on the brake pedal, brake shoes/pads actuate, car stops.  'nuff said.

and twist the wheel into a roll. _easily_.

NOT easily.  First you gotta spin the steering wheel fast enough and have enough traction to make the vehicle roll over.  Second, today's power steering system is a form of an electric power 'assist' system, NOT a steer-by-wire system...and they are easily overcome with nominal effort.

Nothing to see here...
Move along...

[Rasz]

Anyone driving a jeep cherokee can be anonymously remotely murdered over the internet right now.

F.U.D.

maybe

disable breaks

Everybody wants to "disable BREAKS".
However if you mean "disable BRAKES"...impossible

umm NO, like the prius you cited its all in software now, if you control the software (or it crashes) then there are no brakes.

, as even though the braking system is tied into systems such as anti-skid, anti-lock, etc., the fail-OPERATIONAL mode of any and all braking system is purely hydraulic.  Barring any failures otherwise (eg. leaks, blockages, etc.), step on the brake pedal, brake shoes/pads actuate, car stops.  'nuff said.

you missed a step between "step on the brake pedal" and "brake shoes/pads actuate", that step is 'ECU reads potentiometer in the pedal and decides what to do'.

Nothing to see here...
Move along...

nothing to see here except remote exploit on a moving CAR

[CatalinaWOW]

So a Jeep lacks a firewall, and a Prius has a purely electrical element in the brake system.  Seems there is still a pretty tall hill to climb for that script kiddy.  Somehow he has to get the cell phone to hack the Jeep system into a Prius, or the Prius brakes into a Jeep.

The Prius may well have better system separation - it needs it.  The Jeep may have evaluated the risk and said it was OK, because it is on their automobile.

Maybe some future automobile will be at risk, but in the cosmic scheme of things I'm not going to lose a lot of sleep over this.

[Rasz]

So a Jeep lacks a firewall, and a Prius has a purely electrical element in the brake system.  Seems there is still a pretty tall hill to climb for that script kiddy.  Somehow he has to get the cell phone to hack the Jeep system into a Prius, or the Prius brakes into a Jeep.

The Prius may well have better system separation - it needs it.  The Jeep may have evaluated the risk and said it was OK, because it is on their automobile.

Is it my language barrier, or does above read like gibberish?

Maybe some future automobile will be at risk

if you define future as past 2013, because this is what this article is about. This isnt some "yo I can haz hax" kid story, one of the researchers is a former NSA geek. Team from the piece has been working on this since 2010.

but in the cosmic scheme of things I'm not going to lose a lot of sleep over this.

me neither, but that doesnt make it less real
Hacking a phone is trivial(huge attack surface), automakers decided every car should have a smartphone buildin and tightly integrated with the rest of the system(new revenue stream), sooner or later there wont be any cars left without this functionality.

Yes, cars with a regular need for reboot already exist. Most often it's less severe and usually results in car deciding to ignore any input from buttons and levers.

btw Tesla has crtl-alt-del build RIGHT INTO THE steering wheel to reset whole dashboard in case it hangs _while you are driving_. In case you think Tesla is HOLY and Im lying go to garage, put your sweet innocent hands on the steering wheel and hold down both scroll wheels 

[miguelvp]

That's pretty major, you might as well have Eugene the Jeep to drive your Jeep.


I wonder if the researchers already approached the manufacturer and only came public because they didn't do a thing to resolve the problem.

One thing is to illegally enter and alter someone's car and put something in the ODBII that allows you to gain control, because you never know if someone saw you do that and snapped a picture or even film you doing the modification, or just forensics could catch the perpetrator.

Doing it by hacking into someone's phone is orders of magnitude worse, that's just insane and totally irresponsible from the engineers that designed the car, or whoever vetoed the engineers to reduce cost instead of doing a proper design and if that is the case I would still blame the engineers for not stepping forward.

I don't think I'll ever buy a car that connects to my phone, not even for hands free calls. Any call can wait until I need a break or I arrive to my destination.

[EEVblog]

like remove tension from the seat belts

Not likely as the seatbelt mechanism has a centrifugal locking assembly in it which is actuated mechanically...no electronics here.

I think there is.
AFAIK seat belt pre-tensioners are pyrotechnic charges set off, just like airbags. You are thinking of the regular selt belt mechanism which still exists, that has slack in it hence why pre-tensioners are used a lot now.

[EEVblog]

I don't think I'll ever buy a car that connects to my phone, not even for hands free calls.

That's uninformed FUD.
Bluetooth phone connection for handfree calls can in no way access a cars systems.

[EEVblog]

and electrical engineers don't trust cars driven entirely by electronics.

Cue Free_Electron who works at Tesla and also owns and drives one...

[miguelvp]

I don't think I'll ever buy a car that connects to my phone, not even for hands free calls.

That's uninformed FUD.
Bluetooth phone connection for handfree calls can in no way access a cars systems.

It all depends on the car manufacturer on what access they allow via Bluetooth, maybe they think it would be cool if you could tap into the CAN bus to get telemetry via an app. Or maybe is not even intended but a flaw because the built in Bluetooth module needs to connect to the infotainment system via CAN and they didn't think in protecting other CAN channels from being accessed.

To be clear I'm not saying it's possible on current cars, just that it "might" be possible.

In any event I don't need to make calls or answer them while driving anyways.

and electrical engineers don't trust cars driven entirely by electronics.

Cue Free_Electron who works at Tesla and also owns and drives one...

Yeah, I thought Tesla had separate independent CAN buses, but then again:
http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS

CAN 6 looks a bit dangerous:

Power Steering
Stability Control and Braking
Air Suspension
Instrument Cluster and LIN Bus
Blind Spot and Parking Aid
TPMS
EPB(electronic parking break) ECU

And the link:
https://github.com/openvehicles/CAN-RE-Tool/blob/master/rules/teslamodels

[Skimask]

I think there is.
AFAIK seat belt pre-tensioners are pyrotechnic charges set off, just like airbags. You are thinking of the regular selt belt mechanism which still exists, that has slack in it hence why pre-tensioners are used a lot now.

Yep.  Absolutely right.  My bad.
Ejection seats are similar.  Pull the yellow/black handle and all the straps go tight milliseconds before the main ejector mechanism goes off.