Hacking a Jeep

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
I understand the whole Black Hat concept, but something like this in the realm of ethical hacking - why the fuck would ANYONE in their right mind publish ANY sample code at all, even in limited form?

Once the sample gets out, it's only a matter of time before something like this becomes weaponized and in the hands of anyone from stupid kids to DPRK... I know their goal is to get it fixed sooner rather than later but come on.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
I understand the whole Black Hat concept, but something like this in the realm of ethical hacking - why the fuck would ANYONE in their right mind publish ANY sample code at all, even in limited form?

Once the sample gets out, it's only a matter of time before something like this becomes weaponized and in the hands of anyone from stupid kids to DPRK... I know their goal is to get it fixed sooner rather than later but come on.

Yeah the only thing they held back was the reverse engineering of the firmware in the head unit chip. The article said that took them "months" of work.

Who wants to bet that the government doesn't already know how to do this?
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
I understand the whole Black Hat concept, but something like this in the realm of ethical hacking - why the fuck would ANYONE in their right mind publish ANY sample code at all, even in limited form?

Once the sample gets out, it's only a matter of time before something like this becomes weaponized and in the hands of anyone from stupid kids to DPRK... I know their goal is to get it fixed sooner rather than later but come on.

I'm sure they did it for the right reasons: $'s, fame/fortune, publicity, bragging rights, for the betterment of society and stuff.

On a more serious note, they sound like careless amateurs to me.

Professionals would never (except in highly exceptional circumstances) hack vehicles while driving at high speed on the highway/motorway, due to the extreme danger that the distraction/hacking could cause a major accident and kill many innocent people in a big fireball pileup, etc.

E.g. use a private (hired) test track under controlled, safe conditions.
 

tynopik

Diamond Member
Aug 10, 2004
I understand the whole Black Hat concept, but something like this in the realm of ethical hacking - why the fuck would ANYONE in their right mind publish ANY sample code at all, even in limited form?

"That vulnerability is completely theoretical" - Microsoft to L0pht

Vendors have repeatedly proven that they don't take a threat seriously until there is an active exploit in the wild.
 

WelshBloke

Lifer
Jan 12, 2005
I'm sure they did it for the right reasons: $'s, fame/fortune, publicity, bragging rights, for the betterment of society and stuff.

On a more serious note, they sound like careless amateurs to me.

Professionals would never (except in highly exceptional circumstances) hack vehicles while driving at high speed on the highway/motorway, due to the extreme danger that the distraction/hacking could cause a major accident and kill many innocent people in a big fireball pileup, etc.

E.g. use a private (hired) test track under controlled, safe conditions.

Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference

They don't sound that irresponsible.
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
They don't sound that irresponsible.

They do appear to be irresponsible. That was a potentially very dangerous stunt they played on that highway.

I'm NOT sure that releasing all that code is a good idea, either.

Cars are not like computers, and are not expected to have their software updated every week, like Microsoft Windows.

I bet some of the vehicles will never set foot in the expensive dealer's service bay ever again. So presumably the firmware will never be patched, in a number of cases.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
They do appear to be irresponsible. That was a potentially very dangerous stunt they played on that highway.

This. They said they would do nothing life threatening, and then they occluded his windshield with washer fluid and cut his transmission so he slowed dramatically while driving on a highway. Put him at risk, and put everyone around him at risk.
 

tynopik

Diamond Member
Aug 10, 2004
This. They said they would do nothing life threatening, and then they occluded his windshield with washer fluid and cut his transmission so he slowed dramatically while driving on a highway. Put him at risk, and put everyone around him at risk.

There are two different parts:

1. releasing redacted code after the vendor has been notified and had time to develop a fix: perfectly fine

2. demonstrating on a live highway: not fine at all
 

tynopik

Diamond Member
Aug 10, 2004
Cars are not like computers, and are not expected to have their software updated every week, like Microsoft Windows.

I bet some of the vehicles will never set foot in the expensive dealer's service bay ever again. So presumably the firmware will never be patched, in a number of cases.

And that's going to have to change.

Incidents like this are going to push vendors to have some sort of update functionality available.

Possibly also state inspections will start requiring that cars be at the latest version.
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
And that's going to have to change.

Incidents like this are going to push vendors to have some sort of update functionality available.

Possibly also state inspections will start requiring that cars be at the latest version.

I'm not sure how state inspections (MOT in the UK) would be able to easily check that all the necessary vehicle software/firmware is up to date and/or has had all safety recalls applied to it (software ones).

There must be many different ECU controllers on modern vehicles, potentially made by different suppliers/manufacturers. Checking them all would probably be expensive, time consuming and need technically advanced people to do it (maybe; depends on how standardized things become).

I guess modern times are changing, and the laws/regulations may need to be updated, to keep pace.
 

tynopik

Diamond Member
Aug 10, 2004
There must be many different ECU controllers on modern vehicles, potentially made by different suppliers/manufacturers. Checking them all would probably be expensive, time consuming and need technically advanced people to do it (maybe; depends on how standardized things become).

Probably something that reports over OBD and is easily checked against a vendor-provided list.

In fact, it will probably be automated where it just plugs in and gives a green light if it's current.
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
Probably something that reports over OBD and is easily checked against a vendor-provided list.

In fact, it will probably be automated where it just plugs in and gives a green light if it's current.

Good point. It is useful getting the fault code(s) when something goes wrong with your car. If it can also process the firmware version number as well, so much the better.

I don't know enough about the specifics to accurately reply. (I have heard about fault codes being read out).

If the manufacturers have got their act together, it is theoretically possible.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Incidents like this are going to push vendors to have some sort of update functionality available.

Which will of course provide yet another attack vector. Not that I disagree with you, but what this will really push the OEMs to do is get smart about software. They haven't got the decades of experience at userland integration that they have in the embedded stuff.
 

Squeetard

Senior member
Nov 13, 2004
Geebus, how about they just separate the vehicle functions from the infotainment/cellular system.
 

Platypus

Lifer
Apr 26, 2001
Geebus, how about they just separate the vehicle functions from the infotainment/cellular system.

Some OEMs do. The design of the CAN bus is different in different automakers' designs and the ones where you can jump laterally to other components are the ones that are vulnerable to these kinds of issues. Car design takes years and these problems are hitting an industry that has a 5 year delay on fixing problems. The next 5 years of cars are basically already in the bag and enough attention wasn't paid to these problems. If you read Chris/Charlie's paper from last year, they have great diagrams of how all the major players handle this design. I assume the short answer is that it's more costly to design this properly and at the time of design they didn't think about the potential dangers or that someone would look under the covers.

To reply to the general sentiment in the thread of why release working code? Speaking as someone who is presenting at Blackhat this year and works in infosec, this is a complicated issue that really doesn't have a one-size-fits-all answer in my opinion. Personally, I disclose issues to the affected vendor and try to maintain a working relationship with them. This is exactly what Chris and Charlie have done as well. I've spoken with them many times when presenting at different conferences and they work closely with these companies. But I completely understand the argument that sometimes companies don't want to listen or fix problems. I've run into this personally many times. Sometimes the only way to get attention on the problem is to prove the need for it.
 

SunnyD

Belgian Waffler
Jan 2, 2001
www.neftastic.com
But I completely understand the argument that sometimes companies don't want to listen or fix problems. I've run into this personally many times. Sometimes the only way to get attention on the problem is to prove the need for it.

And this is the grey line when it comes to ethical hacking. Yes, someone should be responsible enough for fixing the issues and also bringing them to light, but they should also be responsible enough to know exactly how much is too much.

In this case they have already identified over 400,000 potential targets that can be affected wirelessly by this flaw. That's 400,000 potential fatalities once their sample code hits the wild, gets analyzed, modified and weaponized. Are the automakers to blame if something happens? Sure. But the two of them are equally to blame for putting the beachhead out in the wild.
 

Platypus

Lifer
Apr 26, 2001
And this is the grey line when it comes to ethical hacking. Yes, someone should be responsible enough for fixing the issues and also bringing them to light, but they should also be responsible enough to know exactly how much is too much.

In this case they have already identified over 400,000 potential targets that can be affected wirelessly by this flaw. That's 400,000 potential fatalities once their sample code hits the wild, gets analyzed, modified and weaponized. Are the automakers to blame if something happens? Sure. But the two of them are equally to blame for putting the beachhead out in the wild.

I understand where you're coming from and I do not assume to speak for Chris and Charlie, but it's naive to think that someone who would willingly use this for evil isn't already fully aware of the potential for these kinds of issues. They don't need PoC code, they'd just write it themselves. The vulnerability potential for cars has been publicly known and had information directly related to it published since 2011.

Casual script kiddie type hackers are not going to know how to use this information, and anyone capable of knowing what to do with it could have just written their own in my opinion.

We live in a world now filled with a ridiculous amount of things connected to the Internet... this is only the beginning. Companies need to take things more seriously and they just aren't. Good job security for me, but a bad situation in general.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
We live in a world now filled with a ridiculous amount of things connected to the Internet... this is only the beginning. Companies need to take things more seriously and they just aren't. Good job security for me, but a bad situation in general.

100% true. This is just the tip of the iceberg.
 

gorcorps

aka Brandon
Jul 18, 2004
I just don't understand how something like the brakes can be so tied into the electrical system that they're able to be triggered remotely. I understand how anything on the infotainment screen could be messed with (radio, AC, etc) but it just doesn't make sense why every electrical input on the vehicle would be accessed in the same way.

Anyway, this whole problem goes away if they stop sticking fucking modems in everything. I'd much rather them spend time figuring out how to connect to my phone's network vs. this current bullshit of turning cars into mobile hotspots. I don't want that, it'll never be as fast as my phone.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
I just don't understand how something like the brakes can be so tied into the electrical system that they're able to be triggered remotely

They're not controlled through the electrical system. All of these devices are now controlled by various separate computers (control modules) located around the vehicle, and communicating over a common network using a serial protocol (the CAN bus).
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
They're not controlled through the electrical system. All of these devices are now controlled by various separate computers (control modules) located around the vehicle, and communicating over a common network using a serial protocol (the CAN bus).

But there surely should have been physical security, i.e. it can ONLY be accessed by physically plugging in something inside the car.

Making it (CAN bus) accessible via wi-fi (or similar) is asking for trouble.

I thought I (faintly) heard something about it NOT allowing activity while the vehicle is moving (or above some low speed), so that if the garage mechanics have accidentally left the CAN tester machine (whatever it is called) connected, and a child messes with it while the car is in motion (driven by a parent), it is inherently disabled.

Maybe because this is "hacking", it gets round such safeguards, as a hacker can do what they like (once they have hacked into the system). Depending on how well they have "hacked" it, I guess, and whatever hard limits are still in place, even after advanced hacking.
 
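The CAN bus explanation and the "no diagnostics while the vehicle is moving" safeguard discussed in the last two posts suggest a simple defensive log check. The following is an added example, not code from the thread or from the researchers it discusses: it scans a candump-style CAN log and flags diagnostic-request frames that appear while the reported speed is above a threshold. The speed frame ID 0x1F0, its encoding and the log lines are constructed placeholders; 0x7E0-0x7E7 is the standard ISO 15765-4 diagnostic request ID range.

```python
# Added example (not code from the thread): flag diagnostic CAN requests that
# arrive while the vehicle reports motion. IDs, encoding and log lines are
# constructed placeholders, except the standard OBD-II request ID range.
import re

SPEED_ID = 0x1F0                    # hypothetical broadcast ID carrying vehicle speed
DIAG_REQ_IDS = range(0x7E0, 0x7E8)  # ISO 15765-4 physical diagnostic request IDs
SPEED_LIMIT_KPH = 5.0               # above this, diagnostics should be refused

# candump -L style line: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_line(line):
    """Return (timestamp, can_id, data bytes) or None for non-frame lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])

def speed_kph(data):
    """Constructed encoding: first two bytes, big-endian, 0.01 km/h per LSB."""
    if len(data) < 2:
        return None
    return int.from_bytes(data[:2], "big") / 100.0

def find_violations(lines):
    """Return (timestamp, can_id, speed) for every diagnostic request seen in motion."""
    current_speed = 0.0
    violations = []
    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue
        ts, can_id, data = frame
        if can_id == SPEED_ID:
            s = speed_kph(data)
            if s is not None:
                current_speed = s
        elif can_id in DIAG_REQ_IDS and current_speed > SPEED_LIMIT_KPH:
            violations.append((ts, can_id, current_speed))
    return violations

# Constructed log: a request at rest (allowed), then 80.00 km/h and a request (flagged).
SAMPLE_LOG = """\
(1.000) can0 1F0#0000
(1.010) can0 7E0#0210030000000000
(2.000) can0 1F0#1F40
(2.010) can0 7E0#0210030000000000
""".splitlines()
```

Running `find_violations(SAMPLE_LOG)` reports only the second request, since the first arrives while the speed frame still reads zero.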