Slashdot Mirror


Least Secure Cars Revealed At Black Hat

Lucas123 (935744) writes: Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).

37 of 140 comments

  1. so that's why Priuses behave that way. by turkeydance · · Score: 4, Funny

    My apologies to the drivers. I thought it was them.

  2. It's my 2004 Focus by gelfling · · Score: 5, Funny

    Because if it starts at all it may very well catch on fire.

  3. Bullshit. by mythosaz · · Score: 2, Insightful

    "But... the radio can always talk to the brakes" because both are on the same network.

    Bullshit.

    They might be on the same network, but that doesn't mean they can talk to each other.

    1. Re:Bullshit. by viperidaenz · · Score: 3, Informative

      They're on the same network, which is a broadcast network.
      Everything can talk to everything else.
      A CAN bus is not a switched network. Same goes for FlexRay and all other automotive networks.

    2. Re:Bullshit. by Anonymous Coward · · Score: 2, Insightful

      Maybe they can't by design. But in a "radio" I worked on you could spoof CAN and we used that to test our software. The radio acted as if it were a few other devices. To their credit, brakes and the like were on a physically separate network, though.
      I have also never met any sort of security concerns regarding internal data processing and communication protocols. Most internal protocols and implementations I've seen trust the sender 100%.
      I once attended a meeting discussing navigation map data. They weren't the least concerned when the vendor told them their application (which runs as root, because...) would crash when given bad data, but it's okay because they check the self-reported SD serial number. Even if you don't care about your customer, opening up access to Bluetooth, Wi-Fi, cellular networks, video recording and the like could cost you a few lawsuits.

    3. Re:Bullshit. by Charliemopps · · Score: 4, Informative

      "But... the radio can always talk to the brakes" because both are on the same network.

      Bullshit.

      They might be on the same network, but that doesn't mean they can talk to each other.

      Modern cars are required by law to operate on a CAN bus, which is very similar to old bus networks: http://en.wikipedia.org/wiki/B...
      All devices send and receive on the same wire. So every device can talk to every other device on the network, all the time.
      This works as long as all devices on the network are trusted devices... but then you add Bluetooth and Wi-Fi? Now you have a network of implicitly trusted devices with a giant hole in it.

      If the radio integrates media controls into the steering wheel and has song titles next to your speedometer, you're screwed. That Bluetooth device has full access to the entire network. Now if it treats the Bluetooth device like an audio input, and the only wires going into the "Bluetooth PCB" are 12 VDC, ground, and left and right outputs, then you're probably OK. But there's no way most consumers are going to know which it is.

      I personally dismantled the radio integration into my Ford's CAN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an aftermarket CPU to plug into the bus to replicate some of the radio's functions just so I could use a standard DIN-mount head unit. All of this, and the radio I got, which is not on the bus, has more features. Why the hell is the head unit for my stereo controlling major functionality in my car?!!?!

      What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20 years.

    4. Re:Bullshit. by TubeSteak · · Score: 4, Informative

      What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20 years.

      Automakers agree to 'right to repair' deal
      http://www.autonews.com/article/20140125/RETAIL05/301279936/automakers-agree-to-right-to-repair-deal
      January 25, 2014

      Last week, two trade groups representing automakers -- the Alliance of Automobile Manufacturers and the Association of Global Automakers -- announced an agreement with independent garages and retailers to make Massachusetts' law a national standard.

      [...]

      Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year, as the Massachusetts law requires. In return, lobbying groups for repair shops and parts retailers would refrain from pursuing state-by-state legislation.

      You couldn't be more wrong.

      --
      [Fuck Beta]
      o0t!
    5. Re:Bullshit. by Rich0 · · Score: 4, Interesting

      Yup. Are the brakes actually controllable via CAN though? If the pedal just operates a transducer which relays instructions via CAN, that seems a bit risky to me. I wouldn't want even a single PHYSICAL linkage as a point of failure for the brakes, let alone an electronic one.

      Granted, even if they have a cable backup, having a trojan apply full brakes without warning at highway speed would not be a fun experience (especially if it could disable ABS - which might or might not be possible but since ABS has self-diagnostics that need to report back to the dash it seems plausible that it could be tampered with). A cable backup would only prevent software from disabling your brakes - not prevent it from applying brakes.

      Really, something like a radio should not be on the same network as safety-critical devices. Heck, do you really want to even do the necessary rigor to ensure that a faulty radio design doesn't cause a safety issue? Nothing should be plugged into a safety-critical bus without serious testing and design controls.

    6. Re:Bullshit. by JoeMerchant · · Score: 2

      They've been playing at this since the 1970s. Scan code systems that sell for $50K. "Open" protocols that you have to be a member of the society to get a copy of, membership fee: $25K plus a reason they deem as valid to join. This was last century.

      Just be glad that the OBD-III proposals with RFID communication requirements never got passed (or did they?) - with that, the same type of toll readers that are more and more common could as easily query your OBD port and read everything about your present vehicle condition - effectively making possible a "go directly to your mechanic and pay to fix your vehicle or get your license revoked" checkpoint anywhere desired, including across a 6-lane interstate where traffic moves at 80 mph - yes, the protocol can query all the vehicles on the road simultaneously as they drive through a checkpoint.

    7. Re:Bullshit. by bonehead · · Score: 2

      you type faster than me ;-)
      I just said the same thing. lol
      Also, CAN Buss is not new. It's been in Semis for a very long time.

      Also, the people who write the software for this type of platform are, at least traditionally, much more concerned about available RAM than they are about security. In this arena, the old-school folks have always worked in an environment where isolation from the outside world was pretty much a given.

      As such, even the fairly ineffective security measures that are in place on the Internet haven't even been considered for use in these types of systems. Attaching wireless capabilities to them was very foolish.

      All things considered, this all just goes to reinforce my dream of owning a mint condition 1965 Plymouth Barracuda.

    8. Re:Bullshit. by bonehead · · Score: 4, Insightful

      Yup. Are the brakes actually controllable via CAN though?

      Old school brakes, like you'd find in a mid-'70s muscle car? Nope.

      Modern anti-lock brakes, that depend on computer control? You bet your ass they can be fucked with through the onboard computer.

      I'm an old-school geek. I've been fascinated and excited by technology for over 40 years now. But in the last half decade, I've been noticing that we're growing way, WAY too fast. We're implementing things and putting them out in the real world as soon as we "can do it". We're not waiting until "we can do it safely".

      It's consumer culture gone wild.

    9. Re:Bullshit. by viperidaenz · · Score: 5, Informative

      Everything was fine until OnStar...
      With OTA updates and the rest of the systems in the car using the CAN bus for diagnostic messages and reprogramming, you've got problems.

      I haven't RTFA, but I would assume the Honda Accord isn't as 'hackable' because they use a separate K-Line bus for diagnostics instead of doing it over the CAN bus. Other than that, every single system in the Accord is connected in some way. The audio bus connects the radio to the aircon unit. The aircon unit is also connected to the body CAN bus (you'd need to reprogram it to make a bridge though). The gauge cluster connects to both the body CAN and the powertrain CAN bus. The ECU, ABS, traction control, airbags, etc. are all on the powertrain bus.

      If you took control of the powertrain bus, you could speed the car off down the street (thanks drive-by-wire), lock up the wheels on one side of the car and spin it sideways into a wall (traction control), while setting off the side airbags on the wrong side of the car to increase the impact the occupants receive (not sure if the airbags can be triggered from the CAN though, I doubt it. Can probably disable them though)...

    10. Re:Bullshit. by bonehead · · Score: 5, Interesting

      Everything was fine until OnStar...

      Well, yeah, now that I think about it, I'd have to agree....

      There's absolutely nothing wrong with these systems in your vehicle being able to communicate with each other. I think most of us can agree that there are many benefits to it.

      The problems only arise when the systems gain the ability to communicate to systems outside of your car. And especially when they can do it without your consent, or even knowledge. And OnStar was the first and most obvious example of that ability.

      The first time I ever really noticed OnStar was back when it first came out. A buddy of mine was driving, and we made a stop and he locked his keys in. This was "back in the day" so I immediately started trying to figure out where I could get my hands on a wire coat hanger. He pulled a card out of his wallet, called an 800 number, and a few seconds later all 4 doors unlocked. My initial reaction was "Damn! That's fuckin' cool!"

      About 10 seconds later I thought "Damn! That's fuckin' creepy!"

      And now it's not just OnStar that can do that. Now cars have Bluetooth and Wi-Fi, so if it's not secure (and they don't build them with security in mind), any smart guy with a cell phone and access to Google can do similarly creepy things....

      SIDE NOTE: There's an alley at work where we all go to smoke (yes, I'm a smoker, get over it). On the other side of the alley is another company's parking lot. There are two nearly identical GM SUVs that park in that lot. One has a broken off OnStar antenna, the other has an intact OnStar antenna. All of us refer to the two vehicles as "the smart one" and "the dumb one".

    11. Re:Bullshit. by advocate_one · · Score: 2

      One of these days, there'll be an antenna which you won't know about, the visible one being a dummy... easiest way to hide the antenna would be to put it behind a plastic body panel.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    12. Re:Bullshit. by MrKaos · · Score: 4, Funny

      you type faster than me ;-)
      I just said the same thing. lol
      Also, CAN Buss is not new. It's been in Semis for a very long time.

      I think the real question is: How much Buss would a CAN Buss Bus if a CAN Bus can CAN Can?

      --
      My ism, it's full of beliefs.
    13. Re:Bullshit. by AmiMoJo · · Score: 2

      You have to weigh up the merits of each system.

      Old style mechanical only brakes:
      - Immune to thus far theoretical remote hacks

      New style computer assisted brakes:
      - Safer (ABS, distributed braking force, 4 wheel steering etc)
      - Warns you of failures before you find out by crashing

      Since modern cars don't seem to be suffering from an epidemic of brake failures, I don't think we can say that they are any less reliable than the old mechanical linkage. Thus your choice is between greater safety or protection from theoretical attacks that might not even be able to affect your vehicle. Note that TFA mentions they didn't actually do any of these hacks; they just did a survey and listed the most likely cars to be vulnerable without checking them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Bullshit. by JoeMerchant · · Score: 2

      The manufacturers think they can do it safely. They even have multinational conferences where they get together and the 2 guys from every company who would rather travel than work sit around and agree with each other that they have put in enough safety checks to protect their customers.

      The problem is, most people can't mentally scale risk up to millions of copies. The basic engineer's metric is: "I tried it on my test rig as many ways as I can think of and nothing ever failed." Put this guy in a "world class" test facility with all the best toys money can buy and he'll write you all kinds of analyses "proving" that their accelerated degradation models guarantee a trillion hour MTBF. Problem is: when you put a million imperfect copies of a thing into the real world, with a million different people operating them in thousands of different use cases in hundreds of different environments, the "world class" test facility becomes a myopic little ivory tower by comparison.

      One of the answers is "post market surveillance" - but that's expensive, politically unpopular, and logistically difficult to implement. Though it is getting cheaper and easier, I don't think it's getting any more politically acceptable. Personally, I feel that the commercial arms of the corporations have corrupted the good in onboard diagnostics, putting up a little "feed my mechanics' and dealers' families" light on your dashboard that comes on for every little problem, but still managing to let you get stranded by the side of the road with little to no warning. Why would I ever trust such a system to "phone home" with data about my driving habits?

    15. Re:Bullshit. by Indes · · Score: 2

      Considering I wrote the CAN interface for an OEM: yes, anything can talk to anything else... BUT...
      That's why there's an interface which will only allow you to send data you're meant to send.

      They also point out two vehicles with the SAME available lineup of head units and identical CAN architecture, then claim they're both the most and least secure vehicles.

      Will one of my interfaces ever talk to a brake module? No, not without a nasty firmware hack. So no, your radio won't be talking to your brakes, or engine. Sorry.

  4. You're in a maze of twisty articles, all alike... by SlaveToTheGrind · · Score: 2, Insightful

    We've been here before. Two days ago.

  5. They did not hack it by manu0601 · · Score: 5, Interesting

    They did not hack anything, this is just speculation based on documentation. Black Hat used to offer more serious stuff.

    1. Re:They did not hack it by Minupla · · Score: 2

      Here's the difference - we have firewalls on the Internet.

      What they're saying is that the Bluetooth is sitting on the same network as your anti-lock brakes and there is no firewall.

      Not sure about you, but where I work, if I didn't put a firewall between the internet and my web servers, and at least one more between my web servers and the database, I'd be looking for a new job. These guys hooked it up to the "internet" (Bluetooth) and decided they didn't need any additional security between there and the "database" (your brakes).

      Security is all about layers, and they've said that Bluetooth is all the security your health- and safety-critical systems need. Not sure about you, but that doesn't leave me with a warm and fuzzy feeling.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  6. Opinion from industry insider by nhtshot · · Score: 5, Interesting

    I work in the automotive aftermarket (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.

    That is primarily because the German cars use what we call a "CAN gateway" but is better thought of as a firewall. Every different system in the car has its own private CAN bus. Anything that needs to travel between the buses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those buses.

    Vehicles that share a common CAN without a gateway are readily exploitable. I could plug a CAN interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push-button start).

    Doing those things requires access to the CAN wires, but the bus is used for so much nowadays, there's always plenty of places to access it. Many of them without requiring keys or an open hood.
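The allow-list gateway the post above describes, as an added example (not code from the post or from any OEM): two segregated segments, a routing table that forwards only known IDs with the expected length and a plausible payload, and everything else dropped and logged. The segment names, CAN IDs and the speed encoding are constructed for the illustration.

```python
"""Allow-list CAN gateway between segregated bus segments (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

POWERTRAIN = "powertrain"   # segment carrying ECU, ABS, transmission traffic
BODY = "body"               # segment carrying locks, windows, cluster traffic


@dataclass(frozen=True)
class CanFrame:
    bus: str       # segment the frame was received on
    can_id: int    # 11-bit arbitration ID (classic CAN)
    data: bytes    # 0..8 payload bytes (classic CAN)

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("classic CAN arbitration IDs are 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


@dataclass(frozen=True)
class Rule:
    dest: str                                        # segment the frame may be forwarded to
    dlc: int                                         # exact payload length expected
    valid: Optional[Callable[[bytes], bool]] = None  # optional plausibility check on the bytes


class CanGateway:
    """Forwards a frame only if (source segment, ID) has a rule and the frame matches it."""

    def __init__(self, rules: Dict[Tuple[str, int], Rule]) -> None:
        self.rules = rules
        self.dropped: List[Tuple[CanFrame, str]] = []   # audit log of rejected frames

    def route(self, frame: CanFrame) -> Optional[CanFrame]:
        rule = self.rules.get((frame.bus, frame.can_id))
        if rule is None:
            return self._drop(frame, "ID not permitted from this segment")
        if len(frame.data) != rule.dlc:
            return self._drop(frame, "unexpected data length")
        if rule.valid is not None and not rule.valid(frame.data):
            return self._drop(frame, "payload failed plausibility check")
        return CanFrame(rule.dest, frame.can_id, frame.data)

    def _drop(self, frame: CanFrame, reason: str) -> None:
        self.dropped.append((frame, reason))
        return None


# Constructed IDs and encodings for the illustration; not taken from any real vehicle.
ID_SPEED = 0x1A0         # vehicle speed, 2 bytes big-endian in 0.01 km/h, powertrain -> body
ID_CRUISE_STALK = 0x3C0  # cruise-control stalk position, 1 byte 0..3, body -> powertrain
ID_DOOR_LOCK = 0x2B0     # lock/unlock command; legitimately exists only on the body segment


def build_gateway() -> CanGateway:
    return CanGateway({
        (POWERTRAIN, ID_SPEED): Rule(BODY, 2, lambda d: int.from_bytes(d, "big") <= 30000),
        (BODY, ID_CRUISE_STALK): Rule(POWERTRAIN, 1, lambda d: d[0] <= 3),
        # Deliberately no (POWERTRAIN, ID_DOOR_LOCK) entry: an unlock command that
        # originates on the powertrain segment is never bridged to the body segment.
    })


def demo() -> Tuple[Dict[str, Optional[CanFrame]], CanGateway]:
    gw = build_gateway()
    results = {
        "speed_ok": gw.route(CanFrame(POWERTRAIN, ID_SPEED, (8000).to_bytes(2, "big"))),
        "speed_bad_len": gw.route(CanFrame(POWERTRAIN, ID_SPEED, b"\x00" * 8)),
        "speed_implausible": gw.route(CanFrame(POWERTRAIN, ID_SPEED, b"\xff\xff")),
        "unlock_from_powertrain": gw.route(CanFrame(POWERTRAIN, ID_DOOR_LOCK, b"\x01")),
        "stalk_ok": gw.route(CanFrame(BODY, ID_CRUISE_STALK, b"\x02")),
        "stalk_bad_value": gw.route(CanFrame(BODY, ID_CRUISE_STALK, b"\x09")),
    }
    return results, gw


if __name__ == "__main__":
    forwarded, gateway = demo()
    for name, out in forwarded.items():
        print(f"{name:24s} -> {'forwarded to ' + out.bus if out else 'dropped'}")
    for frame, reason in gateway.dropped:
        print(f"  dropped 0x{frame.can_id:03X} from {frame.bus}: {reason}")
```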

    1. Re:Opinion from industry insider by nhtshot · · Score: 5, Informative

      "Does nobody do signing or encryption of signals to control systems"

      VW/Audi does. The newest generation uses 2048-bit RSA signatures for everything. The previous generation used 1024-bit, which is still pretty much unfactorable for a reasonable price.

      But they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512-bit signature on the "oh crap we've been in an accident" message?

      Same thing with ABS.

      The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each device holds a hashed/signed copy of the serial numbers of the other two and the VIN. If the three don't all agree, the car won't start.

      There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

    2. Re:Opinion from industry insider by nhtshot · · Score: 4, Interesting

      I don't work with Fords, so I can't answer your question specifically. In general, the trend in cars is to have fewer controllers and devices on the bus controlling more and more things. In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

      At the same time, many of those modules and the wires between them are accessible easily under the hood. I can reach under a VW, remove a plastic underbody panel and get to the powertrain (most important) CAN bus without opening the hood. I'd come up greasy, but I could certainly do it from under the car. With a little practice, I could probably do it in under a minute.

      In the VW case though, that wouldn't do any good. I couldn't start the car or unlock the doors (door locks aren't on the powertrain CAN and the gateway won't pass through a door unlock message originating on powertrain). I could monitor their engine/transmission/ABS though, and could turn off the car, change the gears or set/adjust the cruise control once the engine was running. I might even be able to trick the ABS into thinking the car is skidding and get it to lock up the brakes (I haven't played with ABS controllers much, so I'm not 100% certain of this one).

    3. Re:Opinion from industry insider by 0123456 · · Score: 2

      You just need a pre-negotiated shared key. AES encryption is pretty fast.

      However, you still probably don't want to do it, because, if the encryption somehow gets screwed up, your ABS brakes will reject the readings from the brake sensors and cause you to crash when you lock the wheels. There are potential safety issues on both sides.

  7. Re:High speed car chase on "Cops" by Arker · · Score: 2

    Simply letting him get away would be horrible, because of the prevention aspect. If that were standard practice on the part of the cops, then the rate of car theft would certainly go way up.

    But there is another possibility besides letting him go and flying off in a risky high speed chase. There's this old-school police technique called a 'tail' where you follow at a distance and let the target think he's getting away (while of course using your radio to get ahead of him.) Much less chance of injury or death that way. Too old-school for US cops these days, but in some backwards jurisdictions it might still be used.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  8. Too much bullshit by ArchieBunker · · Score: 3, Interesting

    I bought a '99 Volvo S80 and it has the fancy auto-dimming rear view mirror. The car was used, so of course the expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  9. They are by ArchieBunker · · Score: 2

    The brakes are controllable on cars with collision avoidance.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  10. They did not hack it by jeff-nelson3388 · · Score: 2

    I can't understand it either. If they are accusing so many car makes of having vulnerabilities, they should have been able to get access to at least one to formulate an actual attack. If everything on the same network was considered vulnerable by default - the Internet would be vulnerable.

    --
    @_jeff_nelson +jeffnelsonjeffnelson
  11. my beloved jeep wrangler by shadowrat · · Score: 3, Funny

    I guess the wrangler didn't make the list, but it can hardly count as hacking when the hood doesn't even lock closed.

  12. Re:High speed car chase on "Cops" by rogoshen1 · · Score: 2

    Considering most car thefts are committed by a very small number of people, anytime one of those little buggers gets tossed in the clink, we're all better off.

  13. Re:High speed car chase on "Cops" by mjwx · · Score: 2

    Well, the criminal then gets to pay for the damage he caused to the car.

    Awww, it's so cute you think rich people are stealing old Astras.

    If something was stolen from me I would damn sure want to (preferably) get it back or at least get the loss compensated.

    This is what we call "Insurance".

    In Australia people are taking to stealing keys, as immobilisers have become so common and effective that it's easier to break into a house and flog the keys before taking the car. I don't really care that much if they do this and steal my 14-year-old Nissan... It's insured for $13,500. Sure it would be a shame as it's a mint condition Silvia S15, but in the end it's a car I have properly insured.*

    If you don't have your car insured, that's your problem. As for getting it back, well considering the kind of people who steal cars I'm not sure I'd want that either (the first thing Police do on recovered cars is a sharps check, a check for used needles. Insurers will do the same to make sure the cops didn't miss any).

    * I drive a manual, these days that's enough to stop most thieves in their tracks.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  14. Re:High speed car chase on "Cops" by jawtheshark · · Score: 2

    Only in North America and apparently Australia. In Europe, you can bet that everyone can drive stick. Technically, you can do your driving license on an automatic, but it's usually reserved for the physically disabled and you are only allowed to drive automatics with such a license.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  15. Re:so... by pslytely+psycho · · Score: 2

    "Teenagers........are.......walking.......on.........our........lawns!!!"

    Quickest way to be rid of them...

    Roll out the lawnmower, hedge trimmers, edgers, fertilizer and watch them set new world records as they leave posthaste!!!

    --
    Donald Trump, on a crusade to make Nixon look respectable
  16. Re:But but but but the whole POINT ... by jandrese · · Score: 2

    Not with the protocol itself (because you couldn't trust it anyway), but you could implement crypto on top of the bus to avoid that problem. Everybody signs the messages and only accepts messages from approved sources who have signed their messages correctly.

    --
    I read the internet for the articles.
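One way to put the "everybody signs the messages" idea from the post above onto a classic CAN frame, as an added example (not code from the post or from any vehicle maker): a pre-shared symmetric key, an 8-bit truncated freshness counter and a 24-bit truncated HMAC packed beside a 4-byte payload, with the receiver dropping replayed, tampered or wrongly keyed frames. The key, CAN ID and field sizes are constructed for the illustration; the truncation is the trade-off the 8-byte frame forces, and it also answers the real-time concern raised earlier in the thread, since an HMAC check is far cheaper than an RSA verification.

```python
"""Authenticated classic-CAN frames over a pre-shared key (constructed example)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

PAYLOAD_LEN = 4   # application bytes carried per frame
CTR_LEN = 1       # only the low byte of the freshness counter travels in the frame
MAC_LEN = 3       # 24-bit truncated HMAC-SHA256; the 8-byte frame leaves room for no more
FRAME_LEN = PAYLOAD_LEN + CTR_LEN + MAC_LEN   # == 8, the classic CAN maximum

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed test key
ID_SPEED = 0x1A0                                          # constructed CAN ID


def mac_for(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Tag binds ID, full counter and payload, so a tag cannot be moved to another ID or replayed."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int) -> None:
        self.key, self.can_id, self.counter = key, can_id, 0

    def seal(self, payload: bytes) -> bytes:
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        tag = mac_for(self.key, self.can_id, self.counter, payload)
        return payload + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int, window: int = 32) -> None:
        self.key, self.can_id, self.last = key, can_id, 0
        self.window = window   # lost frames tolerated before the counter is treated as desynced

    def open(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if authentic and fresh, else None (the frame is simply dropped).

        A receiving ECU must treat None as a missing message and fall back to its own
        safe state, which is the safety trade-off raised elsewhere in this thread."""
        if len(frame) != FRAME_LEN:
            return None
        payload, low, tag = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN], frame[PAYLOAD_LEN + CTR_LEN:]
        # Reconstruct the full counter: smallest value above self.last whose low byte matches.
        candidate = (self.last & ~0xFF) | low
        if candidate <= self.last:
            candidate += 0x100           # low byte wrapped; anything <= last would be a replay
        if candidate - self.last > self.window:
            return None                  # too far ahead: desynchronised or forged counter
        if not hmac.compare_digest(tag, mac_for(self.key, self.can_id, candidate, payload)):
            return None
        self.last = candidate
        return payload


def demo() -> Dict[str, Optional[bytes]]:
    tx, rx = Sender(KEY, ID_SPEED), Receiver(KEY, ID_SPEED)
    genuine = tx.seal(b"\x00\x00\x1f\x40")
    accepted = rx.open(genuine)
    replayed = rx.open(genuine)                  # same frame again: counter not fresh
    tampered = bytearray(tx.seal(b"\x00\x00\x1f\x40"))
    tampered[3] ^= 0xFF                          # flip payload bits, keep the old tag
    forged = rx.open(bytes(tampered))
    for _ in range(5):                           # five frames lost on the wire
        tx.seal(b"\x00\x00\x00\x00")
    after_loss = rx.open(tx.seal(b"\x00\x00\x27\x10"))
    wrong_key = Receiver(KEY, ID_SPEED).open(Sender(b"\x01" * 16, ID_SPEED).seal(b"\x00" * 4))
    return {"accepted": accepted, "replayed": replayed, "forged": forged,
            "after_loss": after_loss, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:11s} -> {value.hex() if value else 'dropped'}")
```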
  17. Re:High speed car chase on "Cops" by jawtheshark · · Score: 2

    I didn't say we're superior. I said "in Europe every one can drive stick". That is fact, not superiority or anything. You interpret it that way. That says more about you than about me.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  18. OEM by Indes · · Score: 3, Interesting

    I work at an OEM... I know for a fact the Dodge Viper and the Jeep Cherokee share the same line-up of head units and the CAN architecture is identical.

    How are they both the most and least secure?

    (Also, the radio can't talk to the brakes, as much as they'd like you to think - I'd know, because I wrote the code for the interface that talks on the CAN network.)