Jeep Cherokee Hacked… Apparently there’s a lack of vulnerability testing among a handful of manufacturers. Thoughts?
I posted this in another thread, but these issues are fairly common across brands; each company does various levels of testing.
Modern cars are basically large networks with everything interconnected via the CAN bus, so doing something stupid like taking over a radio on a car could potentially give you the ability to inject CAN bus packets and make other systems do unintended things.
If you’re looking at a modern car, you can attack from a lot of avenues: TPMS sensors, onboard Wi-Fi, MP3 parsing in the radio, OnStar, Bluetooth, etc.
http://resources.infosecinstitute.com/car-hacking-safety-without-security/
Free eBook on the topic here - http://opengarages.org/handbook/
I’m wondering how they were able to disable the brakes because that’s pretty scary stuff. I’m guessing they got into the ABS routines and made the ABS system think there was a wheel lockup when there wasn’t.
I’m looking forward to a script that will force drivers to listen to the 1950’s station on Sirius.
“Should we add vulnerability assessments to the 21-point vehicle inspection?” “Um, sir, I can’t pass you until we patch that vuln.”
That probably makes sense actually. This Chrysler one you can even download and install yourself.
“What’d they fail you for, tires or emissions?” “Neither, the goddamn firmware was 3 revs behind.”
This slide deck is pretty solid
@LZ1 Saw one of your buddies was in a debate on FB about how these guys went about this the wrong way by forcing a car off the road and how it was bad for the professional hacker community etc etc.
What do you think?
Sadly, I think it takes something headline-grabbing like disabling the brakes on a Grand Cherokee and it ending up in a ditch to bring the issue into the mainstream. IS/IT/Security people have known about this issue, but the general public didn’t seem to care, so nothing really changed. Now that it’s a headline, I’ve had 3 non-car people come up to me today and ask me about it. Car manufacturers can’t dismiss it now, so something will get done to address it. Most likely breaking the critical systems off onto a separate network from the non-critical systems that use wireless communication (like TPMS, BT radio etc).
There are a couple views on this:
- Something dramatic like this grabs attention and makes people who don’t understand technology freak out. However, that normally causes some knee-jerk reaction which won’t fix the underlying issue.
- Bringing it into the spotlight and getting companies to actively pursue fixes for this sort of technology.
Charlie and Chris are really, really smart. I don’t think they would have put anyone in actual risk or that what they did was over the top. Everyone wants to be politically correct nowadays, which is what all the ranting is about. My guess is most people in the hacker/sec community think it was really cool; they just want to take some higher politically correct stance.
Auto companies are taking this sort of stuff pretty seriously already. I have friends at Tesla and have others who have done testing for GM. The company I work for currently just responded to a rather large RFP to have us test one of their auto platforms, so it’s not like companies are not working towards more security.
The CAN bus design doesn’t lend itself to security, which makes the entire thing :tif:
Surprised nobody made any comments about Chris Roberts - http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/ seems like a way worse place to test security
Yeah, messing with a loaded commercial airliner mid-flight is just fucked up. Not really the same as attacking a Jeep that you specifically told the driver you were going to attack.
Yikes
Fiat Chrysler Recalls 1.4 Million Vehicles to Defend Against Hacks
http://www.bloomberg.com/news/articles/2015-07-24/fiat-chrysler-recalls-1-4-million-autos-to-defend-against-hacks
Next few years are going to be really interesting if this sets the standard for car security flaws.
I was expecting this. Once you end up on the news because someone remotely disabled the brakes on a car, it’s no longer an “install this when you get a chance” kind of fix.
Anything connected to the internet will eventually be hacked when enough people get involved and are motivated to.
Well scary, the initial audio control was done through the web-facing hack since they decided to connect their cars to the internet. The physical car control was done by hardware hacking, which is really impressive and also not something that was static, so it needed to be loaded on the fly after the car was running. Not like the movies where you simply can hop all over quickly, so this was more sophisticated than what the media is making it seem like: OMG ANYONE WITH A LAPTOP CAN TAKE OVER YOUR CAR!
The issue too is the USB drive update: they need to implement the patch, but it needs to go to the USB stick and be manually done, which obviously will slow rollout and leave more vulnerable out there.
To make things better, a senior Daimler engineering exec said he can’t hack a Mercedes-Benz. Not sure if this is valid but def entertaining.
Guess I’ll buy a Mercedes
“There is no way you could hack a Mercedes-Benz from outside the car,” a senior Daimler engineering executive said
It is a common saying, don’t connect things that can kill you to the internet.
@dotMudge, 6 hours ago:
Mercedes unhackable? Their opensource licenses imply otherwise: libtiff, libpng… http://moba.i.daimler.com/bai-cars/ba/foss/content/en/assets/FOSS_licences.pdf
cc @0xcharlie @nudehaberdasher
They dropped the full PDF on all their Jeep research http://illmatics.com/Remote%20Car%20Hacking.pdf