Newsflash: Car Network Security Is Still A Horrible, Very Dangerous Joke
from the I'm-sorry-I-can't-do-that,-Dave dept
As we've noted for years, the security on most "smart" or "connected" cars is aggressively atrocious. And in fact it's getting worse. As car infotainment systems get more elaborate, and wireless carriers increasingly push users to add their cellular-connected car to shared data plans, the security of these platforms has sometimes been an afterthought. Hackers this week once again made that perfectly clear after they demonstrated to a Wired reporter that they were able to manipulate and disable a new Jeep Cherokee running Fiat Chrysler's UConnect platform. While the reporter was driving it:
"As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun."
Uconnect utilizes Sprint's cellular network, and hacker/researchers Charlie Miller and Chris Valasek were able to
"From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels."
The two used to have to physically modify cars to get access to these systems, but as vehicles have gone cellular, it has opened the door to a world of new exploits. And if you've ever experienced the incomprehensibly clunky GUI of most in-car infotainment platforms, rest assured that the quality of the system's security is usually in the same ballpark. Miller and Valasek will publish a portion of their exploit online during a presentation at the Black Hat security conference in Las Vegas next month.
The exploit appears to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. Chrysler/Fiat posted a notice to its website last week informing users that they need to update their in-car software either via USB stick (you can download the update here) or by taking it in to a dealer. Of course, as with many patches, most users won't be paying much attention to the warning. And we're only talking about Chrysler's UConnect; there's a bounty of half-assed security measures implemented in infotainment systems from automakers worldwide just waiting to be tinkered with by pranksters (or worse).
Of course cars aren't the only tech sector where security has failed to keep pace with ambition. "Smart" TVs have been shown to have similarly awful security, often sharing unencrypted user info (even conversations) with any hacker with a modicum of talent. In the rush to embrace the gee whizzery of the "Internet of things," there are more than a few companies that apparently forgot to bring security and intelligence along for the ride.
Filed Under: cars, connected cars, hacking, privacy, security
Reader Comments
Re:
It should be illegal to modify any car driven on a public road in any way, except by the manufacturer. Only factory dealer parts should be allowed on such cars. It's for the children!
[ link to this | view in chronology ]
Re: Re:
No - lame excuse
[ link to this | view in chronology ]
Re:
I think you need to reread the article. This was a software bug in the manufacturer-supplied software.
Making it either illegal (through legislation) or impractical (through DRM or TPM chips or similar) only increases the chance these bugs are not found. It also takes away valuable modding capabilities to improve your own car.
If the concern is safety, then existing laws either already cover it (e.g. illegal to operate a car that hasn't passed its yearly inspection) or should be written in a manner that does not cut out legitimate tinkering and modding because of overblown fears.
[ link to this | view in chronology ]
Re: Re: Re:
It makes it easy to disable rear hatches or power sliding doors when the car is in gear.
It allows a single display to work for heating and air conditioning and also for audio and video.
In short it does what most networks were designed to do, share information between computers.
That said, yes, connecting it to a public attack vector is trouble waiting to happen.
Unfortunately, people want their phone to connect to everything because ...internet.
[ link to this | view in chronology ]
Re: Re:
How many people have access to a test track, which is where any modded control software should be properly tested before use on a public road?
[ link to this | view in chronology ]
Re: Re: Re:
I do not want that. I want to be able to drive safely.
What I want to prevent is the inevitable overreaction and counterproductive bad legislation that prevents people from legally tinkering or making modification to the cars (and other devices) they own, and not to require approval from the manufacturer. Your words: "only run manufacturers approved software" is what I have a problem with.
The act of driving unsafely, or of operating an unsafe vehicle, is what should be illegal. It should not be illegal if I run different software in my car that Chrysler or Ford or GM or whoever doesn't like, so long as that software isn't otherwise dangerous.
[ link to this | view in chronology ]
Re: Re: Re: Re:
When it comes to mechanical modification, an experienced mechanic can examine a vehicle and tell whether it is safe or not with a 15-minute inspection. The same cannot be done for software, which requires much more time and cost in auditing and testing before it can reasonably be trusted. Also, legal action against a driver is no consolation to the family and friends of any person that they kill or maim.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
If I buy an "insert any device here" and modify it, and it malfunctions and kills someone... my fault.
In almost any case you can try and shift personal liability over to the Government by certification and testing but it's not going to help you when shit goes wrong. You tweak it, and it messes up and hurts someone or their property, it doesn't matter how much certification it had, YOU are responsible. That is how it is, and that is how it should be in a free country.
[ link to this | view in chronology ]
Re: Re: Re:
Great, let's put the government in charge of safety... They can't even protect our data, what makes you think they can protect the roads? How about we make the very few people that actually try and mod their cars responsible for their actions?
"Why should car manufacturers be required to gain such approval but some Joe blow not. "
Because manufacturers are selling thousands if not hundreds of thousands of cars, and Joe Blow is modding his personally owned car... big difference.
[ link to this | view in chronology ]
The biggest take away I had from this article was horror that they did this demonstration on a public highway with a good amount of traffic - this should have been demonstrated in a controlled environment where the only people who were endangered were the ones who knowingly participated - not every other car and passenger on the highway at the time. They cut power to the vehicle when there was no place to pull over - in a 70mph zone - completely reckless.
[ link to this | view in chronology ]
Re: Re:
The fact that he has a very good point does not in any way invalidate the research that was done. It simply points out that it was done in an irresponsible and needlessly dangerous way.
[ link to this | view in chronology ]
Srsly it has been years now that the car CAN bus system is horribly flawed with security holes. It was designed for extremely high availability not confidentiality. This is why it should never be hooked up to a communication point outside of the car.
[ link to this | view in chronology ]
Re:
Exactly this. I've programmed for CAN-based systems before, and security is simply not a part of the mix. In the old days, this was (barely) acceptable because you had to physically connect to the system to subvert it.
Getting CAN anywhere near an external network is guaranteed to be a serious problem, though.
[ link to this | view in chronology ]
On a more serious note, Chrysler ought to be issuing critical updates like that through the relatively well proven mechanism of vehicle recalls. I'm not saying they should have to accept trade-ins of vehicles over defective software, but recall notices, both direct-mailed and published through well-known sites, are a proven mechanism of notifying users that they need to contact their dealer for repairs. In this case the "repair" is just a software update, and the notice could include a blurb about how to do self-service repair.
[ link to this | view in chronology ]
Re:
Now, you could argue that it is a safety concern, but it is actually only a safety concern if someone exploits it and harms someone. By that measure, you would have to recall all cars because someone may drive over another person with it.
[ link to this | view in chronology ]
Re: Re:
It's not a safety problem in my car when someone else uses their car to run me off the road, nor is it a safety problem in their car that their car failed to prevent them from running me off the road. It is a safety problem in my car when their laptop politely asks my car to drive itself off the road, and my car obliges.
[ link to this | view in chronology ]
Re: Re:
I don't think you know what the term "safety concern" means.
[ link to this | view in chronology ]
HR: "So, what makes you think you're a good candidate for the organization?"
Kid: "Well, using the CEO's health band, I jumped to the HDTV menu system to access the network, since the HDTV is in constant eavesdrop mode. From there, I used an employee's Bluetooth headset to access her laptop as she was streaming from a website. There, I accessed the files of the company to determine what they do, both legally and illegally, and determined my skills would be best applied in the IT department, now that Bob Jones 'left' the organization after being investigated for child porn."
HR: "I see. You will start Monday for orientation."
Kid: "Cool. It'll be nice working for Comcast."
[ link to this | view in chronology ]
Re:
You know, like it probably does today.
[ link to this | view in chronology ]
There's an Element of BS to This "Hack"
The Jeep appears to belong to the hackers. So they had complete access prior to the Wired reporter arriving.
If they go into their own Jeep, modify the systems through an open port like the OBDII, then remote connect to the car, is that really "hacking into" someone's car?
I mean, my car has an app. If I have full access to the car, I can link the app to the car. Now I can honk the horn, activate the AC, open the sunroof from anywhere in the world. It's considered a feature.
People have been able to "hack" vehicles in this remote way for decades, so long as they had prior access. What about cutting the brake lines, or attaching a bomb that is remotely detonated. I could remotely activate a solenoid that shuts off fuel supply -- all on a 1920-2015 non-connected car?
This hack demo is theater. It would be far more frightening if they didn't have prior full access to the vehicle.
Now, I agree that there should be stronger security, and better firewalls between the entertainment and mechanical side. But this Wired story teaches us nothing...other than fear mongering grabs attention.
[ link to this | view in chronology ]
Re: Re: There's an Element of BS to This "Hack"
And to continue, these are the same two guys that sensationalized the "hack" of a Prius in 2013, and that was written up by the same author.
http://goo.gl/MiDhrh
That Prius was completely opened up, and they were patched in with wires and laptops. It was basically a farce to think that the average person could fall victim. How many real victims have turned up in the two years since? Zero. So these guys lack credibility to me when they try to start a panic. I see clickbait.
That said, there are legit aspects to their findings. The weak separation of entertainment system and CANbus is important. That is what Chrysler will rush to patch. They are legit black hat hackers for finding that.
But the remote aspects are just fear-mongering. The hack wasn't done remotely. It was done in the car, then they went remote to control it. The part that scares people is their cars being remotely hacked from China, Russia, or Nigeria. That is not a revealed possibility.
...Imagine "Dear good sir. I, a Prince of Lagos, have taken control of your car. If you would like it returned to you, please wire $5000 to this bank account. May the good lord bless you, as I'm sure you are a good person." That is scary, but didn't happen...yet.
Also, I agree that car security is very important, and like most security, not adequate. Most big companies (and gov't) seem to rely on "Security through arrogance", which is one step weaker than "Security by anonymity".
These two hackers and the author strike me much as the lead-in to the 6 o'clock news: "What's in your car that might kill you? Stay tuned to find out."
[ link to this | view in chronology ]
Re: Re: Re: There's an Element of BS to This "Hack"
The fact that uConnect is able to interface with CANBUS is very scary, and there is absolutely no reason that it should be connected in any way, shape, or form. The only reason it is connected is so that the manufacturer can read out data stored on the ECU and send it back to them remotely should they want to do that - it would also allow them to update the car remotely, making ECU updates way, way cheaper.
The only reason they probably haven't gotten further with this is because writing CANBUS software is a huge pain in the ass. Nearly everything in a modern vehicle is controlled via CANBUS - throttle, brakes, steering on cars with electric power steering, transmission, etc. I would not be surprised if other countries' intelligence services are already weaponizing this kind of shit... I bet it won't be long now before some Iranian nuclear engineers end up having their seat belt lock, accelerator floored, brakes disabled, and then steered right off a bridge. The attacker has access to the GPS and reverse-camera (or others if they are available) so it wouldn't be too hard to do...
[ link to this | view in chronology ]
Re: Re: Re: Re: There's an Element of BS to This "Hack"
Did you not read what I read? I don't believe their claim.
If that claim WERE true, they would not have demonstrated on their own Jeep. They would have made their point by telling the wired reporter "Just rent ANY 2014 Jeep when you arrive in Chicago."
But they didn't. They supplied the car.
Perhaps they didn't hack a random vehicle because it isn't safe? Nope, that is not consistent with their known actions: The fact that they demonstrated on a public interstate shows that, for them, safety concerns are trumped by a dramatic news story.
When an owner modifies his own car, it's really more of a "mod" than a "hack". This news story headline would be more honest if it read "Guys Mod Their Car To Be Partially Remote Controllable".
I admit, I don't have a whole lot of proof to back up my claim, but then again, they haven't supplied much either. And given their record of sensationalizing this type of thing, I'll bet money that it's an exaggeration.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: There's an Element of BS to This "Hack"
Uh, is that supposed to be "Did you not read what I wrote?"
So this is all a fraud, eh? I guess that's why the manufacturer, who these hackers shared their work with, put out that press release exposing the fraud. Oh wait - no such release exists...
[ link to this | view in chronology ]
Re: Re: Re: Re: There's an Element of BS to This "Hack"
Actually, there are lots of good reasons that the uConnect communicates with the CANBUS. I have one of these. They used the infotainment unit to control all kinds of settings in the car including the electronic suspension, exhaust, traction control, etc. There are lots of configurable settings and everything is handled through a single user interface. It can also do things like adjust the volume based on the speed of the vehicle. It's actually a nice setup and makes a lot of sense to have it aware of everything in the car.
Now, connecting the thing directly to the internet? Yeah, maybe not the best idea without a bit more thought into security.
[ link to this | view in chronology ]
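The separation between the entertainment side and the CAN bus raised in this thread, sketched as a default-deny gateway filter. This is an added example, not code from the article, the commenters, or Uconnect; the CAN IDs, the rule table and all names are constructed for illustration. It lets the head unit read speed and set a comfort option, the legitimate uses described above, and drops everything else.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum dir { HEAD_UNIT_TO_VEHICLE, VEHICLE_TO_HEAD_UNIT };

struct frame {
    uint16_t id;      /* 11-bit arbitration ID: names a message, not a sender */
    uint8_t  dlc;     /* payload length, 0..8 */
    uint8_t  data[8];
};

struct rule {
    enum dir dir;       /* direction in which the frame may cross */
    uint16_t id;        /* exact arbitration ID */
    uint8_t  dlc;       /* exact payload length (rules here use >= 1) */
    uint8_t  max_byte0; /* upper bound on the first payload byte */
};

/* Constructed IDs for illustration only; not real vehicle values. */
#define ID_VEHICLE_SPEED   0x3E8u /* head unit may read it (speed-based volume) */
#define ID_SUSPENSION_MODE 0x2A0u /* head unit may select mode 0..2 */
#define ID_TRANSMISSION    0x0C1u /* powertrain: no rule, so never forwarded */

static const struct rule ALLOW[] = {
    { VEHICLE_TO_HEAD_UNIT, ID_VEHICLE_SPEED,   2, 0xFF },
    { HEAD_UNIT_TO_VEHICLE, ID_SUSPENSION_MODE, 1, 2    },
};

/* Returns 1 if the gateway forwards the frame, 0 if it drops it. */
int gateway_permits(enum dir d, const struct frame *f)
{
    if (f == NULL || f->id > 0x7FF || f->dlc > 8)
        return 0;                          /* malformed: drop */
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        const struct rule *r = &ALLOW[i];
        if (r->dir == d && r->id == f->id && r->dlc == f->dlc &&
            f->data[0] <= r->max_byte0)
            return 1;
    }
    return 0;                              /* default deny */
}

/* Helper: build a frame whose first data byte is b0 and ask the gateway. */
int check(enum dir d, uint16_t id, uint8_t dlc, uint8_t b0)
{
    struct frame f = { id, dlc, { b0 } };
    return gateway_permits(d, &f);
}

int main(void)
{
    printf("speed -> head unit:          %d\n", check(VEHICLE_TO_HEAD_UNIT, ID_VEHICLE_SPEED, 2, 0x41));
    printf("suspension mode 1:           %d\n", check(HEAD_UNIT_TO_VEHICLE, ID_SUSPENSION_MODE, 1, 1));
    printf("suspension mode 7:           %d\n", check(HEAD_UNIT_TO_VEHICLE, ID_SUSPENSION_MODE, 1, 7));
    printf("transmission from head unit: %d\n", check(HEAD_UNIT_TO_VEHICLE, ID_TRANSMISSION, 8, 0));
    printf("speed spoofed by head unit:  %d\n", check(HEAD_UNIT_TO_VEHICLE, ID_VEHICLE_SPEED, 2, 0x41));
    return 0;
}
```

Because a CAN ID identifies the message rather than the node that sent it, the direction check is what stops the head unit from injecting a frame that only vehicle-side controllers should originate.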
Re: Re: Re: Re: Re: There's an Element of BS to This "Hack"
The volume-speed thing is done via a microphone - head units with no GPS or connectivity to the ECU have had this for years.
[ link to this | view in chronology ]
Terrible Design
[ link to this | view in chronology ]
PS:
I love my "DUMB PHONE" !!! It's a nice fliptop that has text disabled and works like a phone should.
I also love my home designed workstation which when I go Online is on a VPN and up to Date with all the protections us computer people know about.
I also am a proud Dinosaur. I'm sitting on a 20 Grand Book Collection and no it is not on some little hard drive. Mine are real physical books....1st Editions and Pulp Mags.
Already being willed to my heir and all Non-Fictions going up for donation to the local Portland, Maine Library.
[ link to this | view in chronology ]
Obligatory...
[ link to this | view in chronology ]
"Old fogey" ahead ...
Yes, perhaps it *can* be done both safely and effectively eventually, but I very much doubt that those doing it today are going to get it right any time soon, I very much doubt they've sufficiently analysed the problem(s), and too many victims are going to be buried before they either get it right or abandon the idea.
This "tech" (and I use that term loosely) is nowhere near ready for prime time, and it's way too overloaded with corporate BS priorities (simpler and easier updates, customer to corporate communication facilitation, infotainment, ...). I do not believe those practicing software or hardware design and implementation have learned sufficiently the lessons the Therac 25 episode offered us (in fact, I doubt they've ever even heard of it).
I'm surprised they managed to get the corporate go-ahead, and even more surprised it made it past the regulators. This just stinks of, "It compiles! Ship it!!!"
This sounds like a litigation bonanza in the making. I'll pass, thanks very much.
[ link to this | view in chronology ]
If you are driving an FCA car with uConnect enabled,
every hacker can kill you.
That is Fiat Chrysler Alfa Romeo Dodge Jeep Lancia Ferrari Maserati.
[ link to this | view in chronology ]