Jeep hackers: How we swerved past Chrysler's car security patches

Last year, the Black Hat presentation by Charlie Miller and Chris Valasek caused Chrysler to recall 1.4 million vehicles to install a software update after they proved they could remotely hack Jeeps. This year, in Las Vegas, the pair showed us how to defeat that update. The dynamic duo praised Chrysler's efforts to secure …

  1. a_yank_lurker Silver badge

    Physical Access

    When someone has physical access to any device it is potentially game over. Also, there will be no perfect security.

    1. Starace
      FAIL

      Re: Physical Access

      Exactly.

      You wouldn't even need to use the diagnostic port, you could splice straight into a bus on the other side of the gateway and push anything you like down it, which would also nobble their stupid little security idea.

      Which in part is what I suspect they did because they're claiming to have done stuff that doesn't seem to be possible if you're going in via diagnostics, but could be if you went in elsewhere. Like overriding the vehicle speed messages which aren't on the diagnostic bus if you're talking about the ones between the control modules.

      It's like claiming I can hack your banking passwords on your ultra-secure system after I've stuck a keylogger on the keyboard cable; not exactly complicated and doesn't really prove much.

    2. CrazyOldCatMan

      Re: Physical Access

      > When someone has physical access to any device it is potentially game over

      Indeed. After all, they can use the old standby of partially-cutting the brake lines (so any hard braking will cause a rupture and brake failure) or even putting sugar in the petrol tank..

      1. John Brown (no body) Silver badge

        Re: Physical Access

        "Indeed. After all, they can use the old standby of partially-cutting the brake lines (so any hard braking will cause a rupture and brake failure) or even putting sugar in the petrol tank.."

        And that's the Bingo right there. Anyone prepared to go to the lengths the hackers did for this latest escapade will find it much easier to just go "old school" and physically damage the car in such a way as to cause an accident. No need for complicated physical hacks.

        Bad of Chrysler to have left the holes in the first place, but hats off for dealing with it in what seems to be a comprehensive manner.

  2. Sureo

    I think I'll just keep my old car, it doesn't have any of that smart crap in it.

    1. John Robson Silver badge

      With physical access I can just cut your brake lines...

      1. Will Godfrey Silver badge

        .. which will be discovered the moment the driver does any starting manoeuvres - unless you have a way of doing this while the car is in motion.

        1. John Robson Silver badge

          OK - I can set a timer to cut the brake lines...

          A phone with a little activator could cut them the next time you go over 50mph...

          1. herman Silver badge

            There is no effective defence against a Rube Goldberg machine, since the perpetrator can always use a smarter hamster.

    2. Anonymous Coward
      Meh

      With 9 hours work I could attach a device to bleed your brakes at a certain speed.

      Or fit a little latch to jam your throttle on at a certain revs.

      Lock your steering at a certain angle of turn.

      or even simply removing 3 of your 4 wheel nuts and waiting for the other one to shear off will do the job.

    3. CrazyOldCatMan

      > I think I'll just keep my old car, it doesn't have any of that smart crap in it.

      My wife's Morris Minor barely has electrics, let alone electronics.

      1. Trigonoceps occipitalis Silver badge

        16 Valves

        My car's got 16 valves, 8 in the engine and 8 in the radio.

        1. herman Silver badge

          Re: 16 Valves

          You forgot to add: "Now get off my lawn!"

          Something to have fun with: http://www.aeronetworks.ca/2015/02/cool-amplifier.html

          I'm now working on a simple FM detector to add some olde skool muzak from Abu Dhabi Classic.

  3. Gene Cash Silver badge

    I suppose you've heard where 100+ Jeeps were stolen in Houston by reprogramming keyfobs:

    http://abcnews.go.com/US/houston-police-100-cars-stolen-high-tech-thieves/story?id=41124433

  4. Neil Barnes Silver badge
    Pirate

    Mine uses...

    a connection at 430THz, and all it does is unlock the doors... good luck with that one guys.

    Remind me again why it's a good idea to have things telling the steering which way to turn?

    (Although to be fair, hardening the external connectivity is at least a step in the right direction.)

    1. Anonymous Coward

      Re: Mine uses...

      That is most likely for auto parking. You either learn how to park or live with a car that can be remotely controlled.

      Anon for being in the car business.

      1. herman Silver badge

        Re: Mine uses...

        Also for 'Auto get my car out of the sand trap', which is really handy where I live.

    2. DropBear
      Trollface

      Re: Mine uses...

      ...430THz? That's so last year's tech. Mine works on minus 27MHz...

  5. Paul Crawford Silver badge

    Really there is a need for new regulations to make sure that certain critical systems are simply not modifiable in any way via on board communications.

    At one time the "emergency brake" had to be a physically separate mechanical system to deal with the possibility of hydraulic failure (in the days of single circuit brakes). That seems to have been relaxed but really now it seems there is a single point of failure in the on-board computer and that should not be allowed.

    Same goes for power steering, so far my cars have only had independent hydraulic systems for that and the range of things that can go wrong, and go wrong suddenly are pretty low. I really don't want to change that.

    1. CrazyOldCatMan

      > the "emergency brake" had to be a physically separate mechanical system to deal with the possibility of hydraulic failure

      Oh - you've had a Citroen XM too then? (Brakes, power steering and suspension all shared the same hydraulics. Not a good idea when the quality of the pipes and linkages was so abysmal..)

      In the 12 months I had it I had total hydraulic loss 3 times. At least it had a food operated parking brake that used a cable!

      1. John Brown (no body) Silver badge
        Joke

        "a food operated parking brake that used a cable!"

        "The hydraulics canna take it Cap'n, she's runnin' awa with us"

        "Quick Scotty, start feeding burgers to the food operated parking brake!!"

      2. Vic

        > In the 12 months I had it I had total hydraulic loss 3 times

        I drove XMs for quite a few years. I only had one total failure[1].

        The emergency brake was barely adequate[2], but it would have been so much worse if it had been a handbrake...

        Vic.

        [1] I snapped the belt that drives the hydraulic pump. In a well-maintained XM, this should cause gradual loss of pressure, with quite some time before total failure. But my XMs were never in that category...

        [2] I was doing somewhere in the region of 90mph, just south of J9 on the M3. There was no way I was going to get through the traffic and onto the junction, so I had to keep it rolling for a couple of miles and pull up after the sliproad. That was interesting...

  6. Zimmer
    Joke

    It's a trap!

    (tin-foil at the ready...) 'they ' have this dream of controlling every car remotely so that the minute you commit an offence on the road (or just for fun) 'they ' can take over the car and have it drive to the nearest cop-shop...with you still in it......

  7. Anonymous Coward

    "It's hard, so I'm not worried about it"

    Something similar could have been said about exploiting buffer overflows, after RTM provided the proof of concept in 1988... In fact, given how many years it took before Sun bothered to even look at fixing buffer overflows, I'm pretty sure that's what their execs must have said!

    Today this bug needs physical access, but perhaps in combination with another bug that lets you cross the boundary from the entertainment system to the CAN bus it could be remotely exploitable tomorrow. The problem with bugs in cars is that they'd be extremely difficult to fix, because there isn't any infrastructure set up to fix things - every owner has to take their car to the dealership and the automaker has to spend millions for this which rather disincentivizes them to do so unless they believe the cost of defending lawsuits > the cost of recalling every car for the fix.

    Imagine a worst case scenario of a car that is able to receive text messages, and multimedia content that can compromise the OS (ala the multiple such holes that exist in all but the latest patch of Android) can be attached. Let's further imagine that from the OS, it is possible through a separate hole to access the CAN bus, and inject commands to tell it to steer left (potentially into oncoming traffic - substitute steer right in the UK) while at speed.

    Imagine this getting in the hands of terrorists, and timing it to hit at 10:30am EDT on a Monday morning, sending the killer texts to every Jeep in the US, every 10 minutes. How long before people figure out what is going on, what models are affected, and word can get out to enough of the public that Jeep drivers stay parked? How many people will hear about it and simply pull over on the highway, afraid to drive any further because maybe their car will be hacked next? This could create as much fear as 9/11 even if it would be unlikely to match its death toll (unless it was a more popular make of car) and could disrupt travel in the US worse than 9/11 did.

    Sure, that's a true worst case scenario, taken to an extreme to make a point though almost certainly impossible, but hearing an auto exec say "I'm not worried about it" makes me wonder if he knows it could be a real problem but doesn't want to alarm customers/investors, or he's really that clueless.

    1. John Robson Silver badge

      Re: "It's hard, so I'm not worried about it"

      Yes - if only Tesla could update their car's software without having to recall all the cars each week...

      Oh wait, they can...

      1. Anonymous Coward

        Re: "It's hard, so I'm not worried about it"

        Yes, the technology to do it exists but hasn't been deployed by the traditional automakers yet. On the other hand, the ability to do remote updates provides exactly that sort of remote connectivity that, if exploited and combined with a "local" exploit to get on the CAN bus, could lead to my nightmare scenario.

        And that's leaving aside the concern that the update process itself could be hacked to essentially download malware onto cars. Or that the government could coerce them into adding some 'backdoor' ability like remotely shutting off the car, claiming it is necessary to prevent high speed chases or terrorist attacks like the truck running people down. And then you have to worry about the backdoor being compromised, which it almost certainly would if it wasn't an FBI only capability but was made available to local police departments all over the country.

        So I'm actually sort of OK with making the update of a car's firmware kind of a pain in the ass. At least for updating anything that has any interface whatsoever with the CAN bus side of the house. If you want to update the GUI for the radio via an OTA update, be my guest!

      2. Anonymous Coward

        Re: "It's hard, so I'm not worried about it"

        JR "...if only Tesla could update their car's software [remotely]..."

        Unless the antenna used to access the data network has been sheared off at the same time as the roof.

        Yep. Such a clever company... LOOK OUT, TRUCK!!!!

  8. Cuddles Silver badge

    Intrusion detection

    "All these issues could be stopped if only car manufacturers built a basic intrusion detection system into their cars"

    Is it even possible to buy a car without an alarm these days? As keeps being noted in regard to stories like these, physical access means game over. Trying to make things harder for someone who already has full physical access (and in this case not just a quick in and out, but a full 9 hours to play around inside your car) is much less useful than either preventing that access, or at the very least letting you know that it's happened.

    By far the best security advice for car manufacturers would be to simply put the OBD port somewhere visible. If you can see there isn't a dodgy device plugged in to it, there's essentially no risk. Someone could still have disabled your brakes or something, but as others have noted they could also have just cut the brake lines. As long as all they can do is damage it in place rather than remotely change its behaviour while you're driving, it's no different from any physical sabotage.

    1. CrazyOldCatMan

      Re: Intrusion detection

      > car manufacturers would be to simply put the OBD port

      Mostly it is. On my Honda it's on the centre console, just to the left of the steering wheel.

      1. JeffyPoooh
        Pint

        Re: Intrusion detection

        "...simply put the OBD port..."

        By law (regulation), the OBD II port must be roughly exactly where they all are.

    2. John Brown (no body) Silver badge

      Re: Intrusion detection

      "not just a quick in and out, but a full 9 hours to play around inside your car"

      Don't forget that the 9 hours was what it took them from "cold" on a newly patched unseen system. If they were pro car thieves/assassins, no doubt they would practice and hone their skills and tools in a warehouse or garage, not your driveway.

  9. hhhobbit

    Does anybody know new cars that are not drive-by-wire? Other than the front ends going out on a Corvair or similar things it seems like old style mechanical cars were usually much better than these newer computer controlled cars are.


Biting the hand that feeds IT © 1998–2022