http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
This is frightening hack. There is clearly something to improve in car IoT systems security.
Posted from WordPress for Android
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
This is frightening hack. There is clearly something to improve in car IoT systems security.
Posted from WordPress for Android
24 Comments
Tomi Engdahl says:
Hackers Remotely Cut a Corvette’s Brakes
http://it.slashdot.org/story/15/08/11/1939242/hackers-remotely-cut-a-corvettes-brakes?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Security researchers presented work at the USENIX conference today showing an easy way to hack into a car’s electronics using a small gadget that plugs into modern dashboards. The port they’re taking advantage of is commonly used to monitor the location and speeds of these vehicles. Once the researchers’ dongle is attached, they can use SMS messages to transmit commands to the car’s internal network. They demonstrated this by remotely cutting a Corvette’s brakes.
Hackers Cut a Corvette’s Brakes Via a Common Car Gadget
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
Tomi Engdahl says:
Wired Jeep hack: Don’t let stunt storytelling eclipse the message
http://fortune.com/2015/07/22/wired-jeep-hack-takeaway/
Connected car manufacturers are not doing enough to secure their vehicles.
People piled on the criticism. Fusion called the act “a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders.” A security researcher told Forbes, “We as a community need to [not] condone this sort of behavior.” And one agitated viewer, posting to Hacker News, apparently called the cops.
Other came to the stunt’s defense. My Fortune colleague Daniel Roberts called it “awesome, ballsy, important journalism.” Cybersecurity researcher and blogger Robert Graham wrote that “Any rational measure of the risk of that stunt is that it’s pretty small — while the benefits are very large.” And mostly everyone praised the story’s narrative.
Connected car manufacturers are not doing enough to secure their vehicles.
Update July 24, 2015: Fiat Chrysler has issued a voluntary recall for 1.4 million of its potentially vulnerable vehicles.
On Tuesday, Wired published an alarming account in which two security researchers carjack a Jeep Cherokee. Remotely. Miles away. From the comfort of a couch.
The stunt involved Wired reporter Andy Greenberg cruising down a highway outside of St. Louis, Mo. as the pair of code-crackers wirelessly infiltrate his jeep, blasting the radio and air conditioning, killing the hazard lights, cutting the car’s transmission, and generally delighting in the futility of his situation. Their attack leaves Greenberg rattled and stranded in the middle of the road, albeit briefly, as a semi-truck weaves past him.
After the story appeared, commenters immediately pointed out how dangerous this demonstration—performed on a public road amid traffic—was. Indeed, strapped in the hot seat, Greenberg himself admits: “This is fucking dangerous.” (Watch the video here.)
The more I think about the Jeep-hacking piece, the more surprised I am that someone signed off on it. http://t.co/chHqyckmV7
— Kevin Roose (@kevinroose) July 21, 2015
People piled on the criticism. Fusion called the act “a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders.” A security researcher told Forbes, “We as a community need to [not] condone this sort of behavior.” And one agitated viewer, posting to Hacker News, apparently called the cops.
Other came to the stunt’s defense. My Fortune colleague Daniel Roberts called it “awesome, ballsy, important journalism.” Cybersecurity researcher and blogger Robert Graham wrote that “Any rational measure of the risk of that stunt is that it’s pretty small — while the benefits are very large.” And mostly everyone praised the story’s narrative.
For many people, the blow-back is justified. Though veteran vulnerability-wrangler Charlie Miller, an ex-NSA hacker who is a security engineer at Twitter, claims in the accompanying video that the demo was done “in as safe a way as we could,” there’s no question it could have been done safer.
Miller and his associate, Chris Valasek, director of vehicle security research at the consultancy IOActive, estimates that hundreds of thousands of Fiat Chrysler vehicles on the road today could be vulnerable. That’s unsettling.
Worse yet is the manner in which the manufacturer is rolling out the security update. There is no recall. There is no auto-patching feature to immediately remedy the issue—a flaw that in itself needs fixing. This is the precedent now being set.
Instead, customers must independently download the patch to a memory stick, or take their cars to a mechanic to fix. “Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said in a statement.
Tomi Engdahl says:
Fiat Chrysler issues software update after hackers hijack Jeep Cherokee for ‘Wired’ article
http://bizbeatblog.dallasnews.com/2015/07/hackers-take-control-of-jeep-on-highway.html/
Fiat Chrysler has released a software update for thousands of its vehicles after two professional hackers took command of a 2014 Jeep Cherokee while it was driving.
The invasion was reported in Wired magazine on Monday and included video evidence of hackers Charlie Miller and Chris Valasek compromising the functions of a Cherokee driven by Wired journalist Andy Greenberg.
Working with laptops from their homes, the hackers blasted the Cherokee’s radio, turned on the wipers and washer fluid and eventually shut off the Cherokee’s engine while it was driving on a St. Louis highway, according to Automotive News.
Later, in a parking lot, the hackers demonstrated how they could take control of the Cherokee’s steering wheel while the transmission was in reverse and even disabled the brakes, Automotive News said.
Fiat Chrysler said the software updates will be available for free to the UConnect systems in 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, and some models of the 2015 Chrysler 200.
Tomi Engdahl says:
Hacked Jeep: Whom to Blame?
http://www.eetimes.com/document.asp?doc_id=1327266&
So, where, exactly, did hackers find a crack in the firewall of a 2014 Jeep Cherokee? How did they infiltrate it and who’s at fault for failing to foresee the breach?
The failure apparently occurred in not one, but multiple places in the connected car’s system architecture. Blame, according to multiple automotive industry analysts, could also extend to parties beyond Fiat Chrysler Automobiles (FCA). They include Sprint — a system integrator — with whom Chrysler contracted for secure vehicle network access via the telematics control unit, and Harman Kardon, who designed an in-vehicle infotainment system.
Since two hackers revealed a week ago their handiwork of wirelessly hacking into a 2014 Jeep Cherokee, first reported by Wired, the issue of cyber security in vehicles has come into sharp focus. Until this incident, the conventional wisdom among engineers was that it’s “not possible” to hack into a car without a physical access.
The revelation by the hacker team, Charlie Miller and Chris Valasek, set in motion a sweeping recall, on July 24th, of 1.4 million vehicles by Fiat Chrysler. U.S. Senators Ed Markey and Richard Blumenthal also introduced last week legislation to require U.S.-sold cars to meet certain standards of protection against digital attacks.
However, Roger Lanctot, associate director, global automotive practice at Strategy Analytics, is the first analyst to publicly implicate Sprint. He wrote in his latest blog:
FCA’s Chrysler division is taking the fall for Sprint’s failure to properly secure its network and the Jeep in question – which was subjected to some comical and terrifying remote control in real-time on the highway thanks to an IP address vulnerability.
Breakdown of security vulnerability
Asked to break down the security vulnerability of the hacked car, Lanctot said: “Step one is control of braking, acceleration and steering accessible on the vehicle CAN bus.
“Step two is remote wireless connectivity to the car via cellular.
“Step three is providing for remote access to the CAN bus via the telematics control unit interface. Clearly, the FCA systems were configured in such a way as to allow for CAN bus access via the telematics control unit.”
Lanctot added, “There is nothing wrong with that as long as you provide for appropriate security.”
Lanctot, however, pointed out, “It appears that the IP address was too easily identified” by the system used by Jeep Cherokee and “the telematics control unit lacked basic software upgrading capability.”
Lanctot isn’t alone in fingering the IP address issue. Egil Juliussen, director research & principal analyst at IHS Automotive Technology, also told us that the hackers appear to have found “a simple way to get the IP address of a car.” Juliussen explained that once the hackers located the car, they sent code to the infotainment system — built by Harman Kardon –via the ill-gotten IP address.
Juliussen theorized that the hackers then wrote additional code and sent it via CAN bus to the core auto ECU networks to disable mission-critical functions such as engine and brakes.
What about isolation?
Wait. Isn’t the infotainment system supposed to be isolated from mission-critical functions? The “strong isolation” of the two systems is a mantra we hear often when we ask automakers about security in connected cars.
Thr trouble is that a vehicle’s on-board diagnostics (OBD)-II is connected not just to core ECU networks but also to the infotainment system, explained Juliussen, so that automakers can monitor the infotainment equipment. “Chances are that there are CAN bus bridges between the two separate systems.”
Juliussen made it clear that the hacking Miller and Valasek pulled off in the Jeep Cherokee is not exactly child’s play.
Nonetheless, it’s clear that there have been flaws in network security traceable to Sprint, and in the way Harman Kardon’s infotainment system was set up in a vehicle Chrysler’s engineers designed, according to Juliussen.
Juliussen previously told EE Times, “Cyber-security is one of the biggest problems the auto industry faces” and warned that “we’re kind of late [on that].” He sees a silver lining. Now every carmaker building connected cars is going back and reviewing all its connected security.
Each party – from Chrysler to Harman Kardon and Sprint – must have checked that each system they were responsible for designing was functioning correctly. That’s a given. But in order to check the system’s security, designers are now being asked to “break something,” explained Juliussen, to see if any out-of-spec operations (outside of normal arrangement of operations) can be exploited by hackers.
Juliussen said that when the Jeep Cherokee was developed four years ago, cyber security wasn’t nearly the industry’s top priority. It took many years “for the PC industry learn the security issues, the smartphone vendors are learning it now. And it’s time for automakers to catch up.”
Lanctot also noted, “This is early days, so maybe the lack of an intrusion detection system can be forgiven.” But he stressed that the basic elements of security are to “have a dynamically changing IP address along with some kind of firewall,” in addition to “intrusion detection on the vehicle network.”
In his view, Sprint not only failed to dynamically change IP, but also offered no ability to update/upgrade the telematics control unit for bug fixes, content updates, or to update network connectivity firmware.
Indeed, although FCA made software updates for the infotainment system, in response to the hackers’ ravages, the patch is not easily implemented. Car owners will have to perform a manual update via a USB stick or visit to a dealer’s service center.
Just two years ago, when Sprint announced its Velocity system as “a New and Existing Telematics and In-Vehicle Communications Systems,” the company wrote on its website
“With years of mobile customer experience and telecommunications knowledge, Sprint is a solutions provider you can depend on to address today’s technology and prepare your business for tomorrow’s innovation.”
Tomi Engdahl says:
The Coming Terrorist Threat From Autonomous Vehicles
http://yro.slashdot.org/story/15/08/30/1539258/the-coming-terrorist-threat-from-autonomous-vehicles
Alex Rubalcava writes that autonomous vehicles are the greatest force multiplier to emerge in decades for criminals and terrorists and open the door for new types of crime not possible today. According to Rubalcava, the biggest barrier to carrying out terrorist plans until now has been the risk of getting caught or killed by law enforcement so that only depraved hatred, or religious fervor has been able to motivate someone to take on those risks as part of a plan to harm other people. “A future Timothy McVeigh will not need to drive a truck full of fertilizer to the place he intends to detonate it,” writes Rubalcava. “A burner email account, a prepaid debit card purchased with cash, and an account, tied to that burner email, with an AV car service will get him a long way to being able to place explosives near crowds, without ever being there himself.”
According to Rubalcava the reaction to the first car bombing using an AV is going to be massive, and it’s going to be stupid. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA made the unprecedented order to ground 4,000-plus planes across the nation after 9/11.
A Roadmap for a World Without Drivers
https://medium.com/@alexrubalcava/a-roadmap-for-a-world-without-drivers-573aede0c968
Tomi Engdahl says:
Uber Hires Two Engineers Who Showed Cars Could Be Hacked
http://www.nytimes.com/2015/08/29/technology/uber-hires-two-engineers-who-showed-cars-could-be-hacked.html?_r=0
Uber is continuing its hiring spree of top technical talent by recruiting two respected computer security engineers, Charlie Miller and Chris Valasek.
Mr. Miller and Mr. Valasek will work in Uber’s offices in Pittsburgh, where the company has based its self-driving car and robotics research. In a statement, Uber said the two men would work closely with Joe Sullivan, Uber’s chief security officer, and John Flynn, the chief information security officer, to “continue building out a world-class safety and security program at Uber.”
The hirings, which were earlier reported by Reuters, are the latest talent grab by the ride-hailing start-up, which is valued at more than $50 billion by investors and has raised more than $6 billion in private capital. This year, Uber hired Mr. Sullivan, a respected information security engineer, away from Facebook. And over the last year, the company has also systematically plucked talent from different divisions of Google, such as its mapping and geo units, poaching more than 100 engineers.
The potential for breaches is escalating as cars transform into Internet-connected computers. A report from Verizon last November found that 14 car manufacturers accounted for 80 percent of the worldwide auto market, and each one has a connected-car strategy. Security experts say one remote hacking of an Uber vehicle could spell disaster for the ride-hailing company.
Mr. Miller and Mr. Valasek have made car hacking a focus. In August, the two demonstrated at the Black Hat and Def Con hacking conferences a way to control hundreds of thousands of vehicles remotely. Over the Internet, they were able to track down cars by their location, see how fast they were traveling and manipulate their blinkers, lights, windshield wipers, radios and navigation and, in some cases, control their brakes and steering.
“I’ve been in security for more than 10 years, and I’ve worked on computers and phones. This time, I wanted to do something that my grandmother would understand. If I tell her, ‘I can hack into your car,’ she understands what that means,” Mr. Miller said in an interview last month.
“Also, I drive cars,” Mr. Miller added. “I would like them to be safe.”
In 2013, they described how they were able to take control of a Ford and a Toyota by plugging in a diagnostic port that could manipulate the speed and steering of the vehicles. Car manufacturers were not so concerned, given that someone would need physical access to the car to take control, and that just as much harm could be inflicted with a knife to the tires.
So the two instead focused on gaining remote access to cars, and discovered a vulnerability in a hardware chip that connected Fiat Chrysler cars to the Internet. From there, they discovered a way to crawl into another hardware chip that controlled the vehicles’ electronics, as well as its locks, windshield wipers, speedometer, lights and blinkers. Depending on how fast the driver was going, they could even engage and disengage the brakes and steering.
Last month, Fiat Chrysler issued a recall of 1.4 million vehicles after Mr. Miller and Mr. Valasek revealed the vulnerability.
Tomi Engdahl says:
The Year of the Car Hacks
http://hackaday.com/2015/09/01/the-year-of-the-car-hacks/
With the summer’s big security conferences over, now is a good time to take a look back on automotive security. With talks about attacks on Chrysler, GM and Tesla, and a whole new Car Hacking village at DEF CON, it’s becoming clear that autosec is a theme that isn’t going away.
Up until this year, the main theme of autosec has been the in-vehicle network. This is the connection between the controllers that run your engine, pulse your anti-lock brakes, fire your airbags, and play your tunes. In most vehicles, they communicate over a protocol called Controller Area Network (CAN).
A number of talks were given on in-vehicle network security, which revealed a common theme: access to the internal network gives control of the vehicle. We even had a series about it here on Hackaday.
The response from the automotive industry was a collective “yeah, we already knew that.” These networks were never designed to be secure, but focused on providing reliable, real-time data transfer between controllers. With data transfer as the main design goal, it was inevitable there would be a few interesting exploits.
Infotainment and Telematics
Automotive companies are working hard on integrating new features in to distinguish their products and create new revenue streams. Want a concierge service? You can pay for GM’s OnStar. Need an in-car WiFi hotspot? Chrysler has that built into uConnect for $35 a month. Want to control every aspect of your vehicle from a touch screen? Maybe the Tesla Model S is for you.
There are two main features that are leading to more connected vehicles: infotainment and telematics. Infotainment systems are the in-vehicle computers that let you play music, get vehicle information, navigate, and more. Telematics systems provide vehicle data to third parties for safety, diagnostics, and management.
Regulators are helping speed up the process. Due to the eCall initiative, all new vehicles sold in Europe after 2018 must provide voice communication and a “minimum set of data” in the event of an accident. This means vehicle will be required by law to have a cellular connection, supporting voice and data.
The Chrysler hack took advantage of a vulnerability that anyone familiar with network security would consider trivial: an open port running an insecure service. If you want to know the details of the hack, [Chris] and [Charlie] have published a detailed paper that’s definitely worth a read.
The crux of the vulnerability relied on an assumption made by Chrysler. Their telematics unit had two processors, one connected to the in-vehicle network and one connected to the internet. The assumption was that the airgap between these devices prevented remote access to the in-vehicle network.
Unfortunately, their airgap was made of copper. It was a SPI connection between the two processors, which allows for a variety of commands to be executed, including a firmware update. With rogue firmware running on the in-vehicle network, we’re back to the five-year old issue of in-vehicle networks being insecure.
[Chris] and [Charlie] decided to focus on a Chrysler Jeep Cherokee, but let’s not place all the blame on Chrysler. The uConnect device running the vulnerable service was actually made by Harman. Harman is the largest manufacturer of automotive audio and infotainment systems. You’ll find their devices in vehicles from Audi, BMW, Land Rover, Mercedes-Benz, Volvo, Buick, and others.
This is how the automotive industry tends to work nowadays. An OEM, like Chrysler, integrates parts from a variety of “Tier One” suppliers. The Tier One suppliers source parts from “Tier Two” suppliers. It’s up to Chrysler to choose these parts, then stick them all together into a vehicle.
When buying from a range of suppliers, security is a hard problem. As an engineer, you’re stuck with integrating parts that were chosen based on a range of criteria, and security isn’t at the forefront of purchasing decisions. OEMs do not always have the resources to evaluate the security of the products they are purchasing, and instead rely on the suppliers to build secure products.
The other issue with suppliers is that fixes happen slowly. Chrysler could not patch this issue themselves, but instead needed to wait for the supplier to do it. After the patch was complete, they likely needed to perform testing and validation of the patch before releasing. This all takes time.
Outside of the security industry, people have been hacking cars for years. Tuners charge money for “chipping” cars to improve performance, remove limiters, and alter settings.
This type of work has good intentions, people pay for modifications to their vehicle. The security industry is more focused on nefarious motives.
Vehicles are also becoming more automated. Advanced Driver Assistance Systems (ADAS) improve safety by giving computers control of the vehicles steering, throttle, and brakes. However, these systems also provide an additional threat to a compromised system.
http://illmatics.com/Remote%20Car%20Hacking.pdf
Tomi Engdahl says:
The cyber-mechanics who protect your car from hackers
https://www.newscientist.com/article/dn27984-the-cyber-mechanics-who-protect-your-car-from-hackers/
A hacking incident led to the recall of 1.4 million Dodge, Jeep, Ram and Chrysler vehicles (Image: Joe Raedle/Getty)
A couple of weeks ago, a small team of security researchers gathered near a car parked outside one of their company’s buildings. The vehicle was on loan to them from a carmaker, and the goal was to find out how hackable it was.
The team did not need to physically connect to the vehicle or even enter it – they simply jacked in over Wi-Fi. When they did, they soon found an unexpected vulnerability.
“There was a route through to the vehicle network where the more sensitive, safety critical systems are,” explains Andy Davis of NCC Group, an information security specialist based in Manchester, UK. He says his team could have used this security breach to fiddle with the car’s automatic braking.
“If someone thought their automated braking was turned on, we could have turned it off without them knowing.”
It’s the kind of penetration test that NCC Group and their partner SBD, an automotive security specialist based in Milton Keynes, UK, do for car companies all the time. In fact, the firms say they carry out work for around 95% of the world’s vehicle manufacturers.
News that security researchers Chris Valasek and Charlie Miller were able to remotely kill the engine of a Jeep while it was on the road made international headlines recently. It also resulted in the recall of 1.4 million vehicles by Fiat Chrysler, which owns Jeep.
Highly secretive
But many people do not realise that car companies are actually doing day-to-day experiments in an attempt to tackle the security issues associated with increasingly high-tech, connected cars. Those in the industry are quick to point out that corporations remain highly secretive about this work for fear of inspiring criminals or giving away technical details to competitors.
“Most manufacturers know there is a problem and they’re working on solutions, but no-one will go public with it,” explains Martin Hunt, who works in automotive penetration testing for UK telecommunications firm BT.
Hunt points out that hackers are often able to gain control of crucial functions in a car – such as braking, steering or switching the engine on and off – through surprising means. A common example is via the in-car “infotainment” system, which provides audio and visual entertainment to passengers.
“Quite often these systems are interconnected via a central control unit. If you can get into one you can get into another,”
One individual who has spent the last couple of years trying to get carmakers to wake up to the threat is US-based security researcher Josh Corman, who has set up an initiative, I Am The Cavalry, to improve the public safety of various technologies. He and others have developed a five-point framework to help vehicle manufacturers better adjust to the threats of hacking.
“They’re adding attack surfaces at a rate of one a year but telling me it’ll take five years to secure them,” says Corman. “We have a lot of catching up to do.”
Tomi Engdahl says:
I Am The Cavalry Advocates Automotive Cyber Safety
https://www.iamthecavalry.org/
Five Star Automotive Cyber Safety Program
https://www.iamthecavalry.org/domains/automotive/5star/
★ Safety by Design
Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
★ Third Party Collaboration
Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers.
★ Evidence Capture
Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations?
★ Security Updates
Can your vehicles be securely updated in a prompt and agile manner?
★ Segmentation and Isolation
Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?
Tomi Engdahl says:
Fiat Chrysler recalls thousands Jeep Renegade SUVs due to hacking risks
http://securityaffairs.co/wordpress/39924/hacking/fiat-chrysler-recalls-8000-suvs.html
Fiat Chrysler has recalled nearly 8,000 Jeep Renegade SUVs in the US to update the software that could be exploited by attackers to hack the vehicles.
No peace for Fiat Chrysler Automobiles after the disclosure of the attack against its Jeep Cherokee model made by the popular hackers Charlie Miller and Chris Valasek. The duo of experts demonstrated how to hack the Fiat Chrysler connected car remotely by exploiting a flaw in the Uconnect automobile system.
A few days later the US National Highway Traffic Safety Administration recalled 1.4 million vehicles to update the flawed software hacked by the security experts. Fiat Chrysler was providing firmware updates available for download on its website and by mail a Flash USB containing the update to its customers. Just yesterday I was writing about this disconcerting decision of the company for providing a software update via Mailed USB explaining the possible risks for the car owners.
Fiat Chrysler USB stick
News of the day is that Fiat Chrysler has recalled nearly 8,000 SUVs to fix the flaws that could allow remote attackers to hack the connected car.
Fiat Chrysler explained it needed to apply software updates to 7,810 Jeep Renegades that were sold in the US market, it also added that some models of the SUV sold in 2015, which comes loaded with certain radios, were vulnerable to the attack.
The automaker added that more that 50 percent of the SUVs needing the software update remained at dealerships across the US, this circumstance allows the company to update the vehicle before being sold to customers.
Fiat Chrysler added that owners of 2015 Jeep Renegade SUVs, equipped with 6.5-inch touchscreens, will be sent a USB device containing the update for the flawed software, alternately customers can download it from the official website. The good news for customers is that there is no charge for the software or, in the case of dealer visit,
Tomi Engdahl says:
Hacked Jeep USB update criticised
http://www.bbc.com/news/technology-34156598
Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.
In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.
The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.
“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.
“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.
“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”
He said that using a device like this had wider implications.
“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.
At the time, Fiat Chrysler issued a voluntary recall so that customers could visit a dealership to have the software updated in affected vehicles. It also made a software update available to download from its website for tech-savvy users.
Tomi Engdahl says:
Chrysler Catches Flak for Patching Hack Via Mailed USB
http://www.wired.com/2015/09/chrysler-gets-flak-patching-hack-via-mailed-usb/
Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit. Now it’s getting another round of criticism for what some are calling a sloppy method of distributing that patch: On more than a million USB drives mailed to drivers via the US Postal Service.
Security pros have long warned computer users not to plug in USB sticks sent to them in the mail—just as they shouldn’t plug in thumb drives given to them by strangers or found in their company’s parking lot—for fear that they could be part of a mass malware mailing campaign. Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.
“An auto manufacturer is basically conditioning customers into plugging things into their vehicles,” says Mark Trumpbour, an organizer of the New York hacker conference Summercon whose sister-in-law’s husband received the USB patch in the mail Thursday. “This could have the potential to backfire at some point in the future.”
Chrysler, to be fair, did not have very much choice in its USB response. Within days of WIRED’s July story revealing the Jeep hack by security researchers Charlie Miller and Chris Valasek, the company came under pressure from the National Highway Transportation Safety Administration to perform a full recall for the 1.4 million vehicles with a vulnerable Uconnect dashboard computer. Though the company had released a security update for download on its website, it had no ability to push out an “over-the-air” patch via the Internet. A USB mailing was likely its best option to reach as many Chrysler owners as possible. And to the company’s credit, it also implemented a layer of protection on the Uconnects’ Sprint network designed to block Miller and Valasek’s wireless attack.
Tomi Engdahl says:
GM Performs Stealth Update To Fix Security Bug In OnStar
http://mobile.slashdot.org/story/15/09/10/1539239/gm-performs-stealth-update-to-fix-security-bug-in-onsta
Back in 2010, long before the Jeep Cherokee thing, some university researchers demonstrated remote car takeover via cellular (old story here). A new Wired article reveals that this was actually a complete exploit of the OnStar system (and was the same one used in that 60 Minutes car hacking episode last year). Moreover, these cars stayed vulnerable for years — until 2014, when GM created a remote update capability and secretly started pushing updates to all the affected cars.
GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars
http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/
When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public. The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.
But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions. That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala. They also discreetly shared their exploit code only with GM itself rather than publish it.
Tomi Engdahl says:
Intel Takes On Car Hacking, Founds Auto Security Review Board
Chipmaker establishes new Automotive Security Review Board for security tests and audits
http://www.eetimes.com/document.asp?doc_id=1327696&
After a summer full of car hacking revelations, Intel, today, announced the creation of a new Automotive Security Review Board (ASRB), focused on security tests and audits for the automobile industry.
The potential for modern connected cars to be attacked and remotely controlled by malicious hackers is a topic that has received considerable attention recently from security experts, industry stakeholders, regulators, lawmakers, and consumers.
Intel Takes On Car Hacking, Founds Auto Security Review Board
http://www.darkreading.com/vulnerabilities—threats/intel-takes-on-car-hacking-founds-auto-security-review-board/d/d-id/1322172
Chipmaker establishes new Automotive Security Review Board for security tests and audits
After a summer full of car hacking revelations, Intel, today, announced the creation of a new Automotive Security Review Board (ASRB), focused on security tests and audits for the automobile industry.
The potential for modern connected cars to be attacked and remotely controlled by malicious hackers is a topic that has received considerable attention recently from security experts, industry stakeholders, regulators, lawmakers, and consumers.
Demonstrations like one earlier this year where two security researchers showed how attackers could take wireless control of a 2014 Jeep Cherokee’s braking, steering, and transmission control systems, have exacerbated those concerns greatly and lent urgency to efforts to address the problem.
Intel also released a whitepaper describing a preliminary set of security best practices for automakers, component manufactures, suppliers, and distributors in the automobile sector.
ASRB members will have access to Intel automotive’s development platforms for conducting research. Findings will be published publicly on an ongoing basis, Intel said. The member that provides the greatest cybersecurity contribution will be awarded a new car or cash equivalent.
Intel’s security best practices whitepaper, also released today, identified several existing and emerging Internet-connected technologies in modern vehicles that present a malicious hacking risk.
Modern vehicles have over 100 electronic control units, many of which are susceptible to threats that are familiar in the cyber world, such as Trojans, buffer overflow flaws, and privilege escalation exploits, Intel said. With cars connected to the external world via Wi-Fi, cellular networks, and the Internet, the attack surface has become substantially broader over the last few years.
The whitepaper identifies 15 electronic control units that are particularly at risk from hacking. The list includes electronic control units managing steering, engine, and transmission, vehicle access, airbag and entertainment systems. “Current automotive systems are vulnerable,” Intel noted. “Applying best-known practices and lessons learned earlier in the computer industry will be helpful as vehicles become increasingly connected.”
Concerns have been growing in recent times about critical security weaknesses in many of the Internet-connected components integrated in new vehicles these days. Chrysler for instance, recalled 1.4 million vehicles after two security researchers showed how they could bring a Jeep Cherokee traveling at 70 mph to a screeching halt by hacking into its braking system from 10 miles away.
A report released by Senator Edward Markey (D-MA) in February, based on input from 16 major automakers, revealed how 100 percent of new cars have wireless technologies that are vulnerable to hacking and privacy intrusions. The report found that most automakers were unaware or unable to say if their vehicles had been previously hacked while security measures to control unauthorized access to control systems were inconsistent.
Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk
http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf
Tomi Engdahl says:
News & Analysis
Hacked Jeep: Whom to Blame?
http://www.eetimes.com/document.asp?doc_id=1327266&
So, where, exactly, did hackers find a crack in the firewall of a 2014 Jeep Cherokee? How did they infiltrate it and who’s at fault for failing to foresee the breach?
The failure apparently occurred in not one, but multiple places in the connected car’s system architecture. Blame, according to multiple automotive industry analysts, could also extend to parties beyond Fiat Chrysler Automobiles (FCA). They include Sprint — a system integrator — with whom Chrysler contracted for secure vehicle network access via the telematics control unit, and Harman Kardon, who designed an in-vehicle infotainment system.
The hackers were reportedly able to control a 2014 Jeep Cherokee’s steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. Most important, they did all this mischief remotely and wirelessly.
Breakdown of security vulnerability
Asked to break down the security vulnerability of the hacked car, Lanctot said: “Step one is control of braking, acceleration and steering accessible on the vehicle CAN bus.
“Step two is remote wireless connectivity to the car via cellular.
“Step three is providing for remote access to the CAN bus via the telematics control unit interface. Clearly, the FCA systems were configured in such a way as to allow for CAN bus access via the telematics control unit.”
Lanctot added, “There is nothing wrong with that as long as you provide for appropriate security.”
Lanctot, however, pointed out, “It appears that the IP address was too easily identified” by the system used by Jeep Cherokee and “the telematics control unit lacked basic software upgrading capability.”
Lanctot isn’t alone in fingering the IP address issue. Egil Juliussen, director research & principal analyst at IHS Automotive Technology, also told us that the hackers appear to have found “a simple way to get the IP address of a car.
Tomi Engdahl says:
CAN Bus Can Be Encrypted, Says Trillium
http://www.eetimes.com/document.asp?doc_id=1328081&
Until the recent wave of carmakers rolling out more and more connected cars for the consumer market, cyber security was always a matter of indifference to car OEMs and Tier Ones. Now, it’s a big deal.
Fresh in everyone’s memory are several celebrated hacking incidents this past summer. These include the vulnerabilities found in Chrysler Jeeps, which resulted in Chrysler’s recall of 1.4 million vehicles, and a flaw in General Motors’ OnStar RemoteLink system, through which a hacker found a way to remotely unlock doors and start engines.
As Egil Juliussen, director research & principal analyst at IHS Automotive, pointed out in a recent presentation to the automotive industry, “Hacking research has shown that nearly all access points can be compromised.” To cope with this reality, technology suppliers are beginning to launch a number of cyber security solutions, he said. They range from hardware security to CAN (Controller Area Network) bus firewalls and ECU software monitoring.
But what the world hasn’t seen yet – and Juliussen hasn’t seen either – is a technology capable of encrypting CAN bus itself.
That’s about to change, according to Trillium, a Japan-based start-up headed by David Uze, former CEO of Freescale Japan. Uze told EE Times this week that a small team of Trillium engineers has developed what it calls SecureCAN — “a CAN bus encryption and key management system for protecting payloads less than 8bytes.”
Essential to this assertion is a claimed ability to handle data “in 8bytes,” instead of the 128-bit block the Rijndael algorithm needs for AES-based encryptions.
Essential to this assertion is a claimed ability to handle data “in 8bytes,” instead of the 128-bit block the Rijndael algorithm needs for AES-based encryptions.
Because of its ultra-light weight block cipher, Trillium’s SecureCAN can encrypt CAN (and LIN) messages in real time, claimed Uze.
Tomi Engdahl says:
Chris Ziegler / The Verge:
Nissan pulls the Leaf’s phone app after security vulnerabilities come to light
http://www.theverge.com/2016/2/25/11116724/nissan-nissanconnect-app-hack-offline
Just a day after news spread that Nissan Leaf’s NissanConnect app could be compromised by hackers to control fan settings (potentially draining the battery) and download logs of past drives, Nissan has pulled the functionality, saying that it is “looking forward to launching updated versions of [its] apps very soon.”
Information security has been a particularly pressing concern in the auto industry, where the concept of the connected car has, at times, moved faster than the industry’s ability to keep hackers at bay. The NissanConnect hack, which allows an individual to download and manipulate settings if they have a Leaf’s VIN number, is not the most serious hack — there doesn’t appear to be any situation where it would put a moving vehicle in harm’s way — but it could effectively disable a car by draining the battery. In the worst case, hackers could also use drive logs to get a sense of when the car’s owner is at home, at work, or elsewhere.
Tomi Engdahl says:
Andy Greenberg / Wired:
FBI, Department of Transportation, and National Highway Traffic Safety Administration warn drivers about threat of over-the-internet attacks on cars — The FBI Warns That Car Hacking Is a Real Risk — It’s been eight months since a pair of security researchers proved beyond any doubt …
The FBI Warns That Car Hacking Is a Real Risk
http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/
It’s been eight months since a pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device when they remotely killed the transmission of a 2014 Jeep Cherokee as I drove it down a St. Louis highway. Now the FBI has caught up with that news, and it’s warning Americans to take the risk of vehicular cybersabotage seriously.
In a public service announcement issued together with the Department of Transportation and the National Highway Traffic and Safety Administration, the FBI on Thursday released a warning to drivers about the threat of over-the-internet attacks on cars and trucks. The announcement doesn’t reveal any sign that the agencies have learned about incidents of car hacking that weren’t already public. But it cites all of last year’s car hacking research to offer a list of tips about how to keep vehicles secure from hackers and recommendations about what to do if you believe your car has been hacked—including a request to notify the FBI.
“Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the PSA reads. “Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.”
Tomi Engdahl says:
Hackers arrested after stealing more than 30 Jeeps in Texas
Thieves used FCA DealerCONNECT software to carry out their crimes.
http://www.autoblog.com/2016/08/04/hackers-steal-30-jeeps-houston-texas/
It seems the news regarding vehicle hacking continues to get worse, especially when it comes to products from Fiat Chrysler Automobiles. Last year, a Jeep Cherokee in St. Louis, Missouri, was wirelessly hacked from Pittsburgh. Nissan had to shut down its Leaf app because of vulnerabilities. Now, a pair of hackers in Houston, Texas, stole more than 30 Jeeps over a six-month period. The two were arrested by police last Friday while attempting to steal another vehicle.
Tomi Engdahl says:
Car Hacking – Chinese hacker team remotely hacked Tesla Model S
http://securityaffairs.co/wordpress/51469/hacking/tesla-model-s-hack.html
A group of security researchers from the Chinese firm Tencent have found a series of flaws that can be exploited to remotely hack a Tesla Model S.
Security experts at the Keen Lab at Chinese firm Tencent have found a series of vulnerabilities that can be exploited by a remote attacker to hack an unmodified Tesla Model S.
The researchers demonstrated that it is possible to hack the Tesla Model S while it is parked or if it is on the move.
The most scaring part of the hack is when the car is on the move, the hackers were able to activate the brakes from 12 miles, activate the windshield wipers, fold the side view mirrors, and open the trunk.
The researchers are the first team of hackers that is able to compromise CAN Bus to remote control Tesla cars by exploiting a series of flaws.
Tomi Engdahl says:
The Story Behind Hacking the Jeep
http://www.designnews.com/author.asp?section_id=1386&doc_id=281960&cid=nl.x.dn14.edt.aud.dn.20161031.tst004c
Tomi Engdahl says:
Car Security Experts Dump All Their Research and Vulnerabilities Online
http://hackaday.com/2017/05/14/car-security-experts-dump-all-their-research-and-vulnerabilities-online/
[Charlie Miller] and [Chris Valasek] Have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates which were rolled out in response to their Hacking of a Cherokee in 2015.
FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with the 2015 hack, issuing them all a patch. However the patch wasn’t all that great it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interesting in hacking or even just messing around with cars via the CAN bus.
We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.
http://illmatics.com/carhacking.html
Tomi Engdahl says:
General Motors Hires Security Team That Remotely Hacked Jeep
http://www.electronicdesign.com/automotive/general-motors-hires-security-team-remotely-hacked-jeep?PK=UM_Classics04218&utm_rid=CPG05000002750211&utm_campaign=16685&utm_medium=email&elq2=00beb49dcfe040ebb4f541d2bea6e19a
General Motors hired two security researchers that hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016.
Tomi Engdahl says:
Hackers can clone millions of Toyota, Hyundai, and Kia keys
Encryption flaws in common anti-theft feature expose vehicles from major OEMs.
https://arstechnica.com/cars/2020/03/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/