Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Exploit On a Production Chrysler To Be Presented At BlackHat

Posted by timothy on from the just-wait-for-full-steer-by-wire dept.

Matt_Bennett writes: A scary remote exploit is going to be published that enables someone connected to the the same wireless (mobile data) network to take over many [automobile] systems, including braking. This is an exploit in Chrysler's Uconnect system. Charlie Miller and Chris Valasek also demonstrated exploits in 2013 that could be done via a direct connection to the system, but this is vastly expanded in scope. The pair convinced Wired writer Andy Greenberg to drive around near St. Louis while they picked apart the car's systems from 10 miles away, killing the radio controls before moving on to things like the transmission.

3 of 173 comments (clear)

  1. Re:Fix It Again Tony by Anonymous Coward · · Score: 5, Informative

    I've taken all the sub-systems out of a 2005 Subaru WRX to build another car from the bits. Although there are a lot of electronic modules, very few of them are connected to each other. The cruise control, airbag, ABS, climate control, heating, entertainment, lighting, and engine control systems are all completely independent from one another. I can 100% guarantee that a compromise in any one of the systems cannot be used to control any of the others on this car.

    My experience tells me that it's mostly cars from the past five years or so that are vulnerable to this type of exploit. Anything pre-CANbus has pretty much zero chance of having complex interconnections. Even most early CANbus cars only use the bus for mundane stuff like sending speedo and tach signals to multiple systems. It's a pretty recent trend to start adding things like door locks and brakes to the main bus.

  2. Re:Valasek and Miller are assholes and should be a by pixelpusher220 · · Score: 3, Informative

    They aren't vague, it's the defined system by which the car connects to the internet, Uconnect. They accessed that over the internet from 10 miles away and controlled the car. This is no different than them using a buffer overflow exploit to gain remote access to a web server.

    It's a perfect example of why encryption back doors are a fools errand. I'm sure it would be nice to stop a criminal who stole your car by turning off the engine...but that opens up the ability to remotely turn off the engine that could be used by anyone gaining the appropriate access. You can't make remote connections 'secure', only levels of security that come with risks.

    --
    People in cars cause accidents....accidents in cars cause people :-D
  3. Re:Valasek and Miller are assholes and should be a by pixelpusher220 · · Score: 3, Informative

    this link has some more technical details linky

    --
    People in cars cause accidents....accidents in cars cause people :-D