Slashdot Mirror


Remote Exploit On a Production Chrysler To Be Presented At BlackHat

Matt_Bennett writes: A scary remote exploit is going to be published that enables someone connected to the same wireless (mobile data) network to take over many [automobile] systems, including braking. This is an exploit in Chrysler's Uconnect system. Charlie Miller and Chris Valasek also demonstrated exploits in 2013 that could be done via a direct connection to the system, but this is vastly expanded in scope. The pair convinced Wired writer Andy Greenberg to drive around near St. Louis while they picked apart the car's systems from 10 miles away, killing the radio controls before moving on to things like the transmission.

35 of 173 comments

  1. Valasek and Miller are assholes and should be asha by suso · · Score: 5, Insightful

    As I felt with their first video, these "security researchers" play with the steering on a car moving 40mph on a public road. Now they've gone and done this. Playing with the driving controls on a 2 ton vehicle moving at 70 mph on a busy road.

    In this video they said "it wouldn't be anything life threatening" which shows that they don't have a clear view of reality in the situation. A seat belt won't
    you have a 70mph head on collision with a semi. The driver wasn't informed beforehand that he could bail out of the test by restarting the car, they waited
    until he was panicking to try to tell him that.

    What if they made a mistake and turned the car into oncoming traffic? What if their computers were remotely controlled?

    Is the situation with cars' vulnerabilities serious? Yes of course.

    Will this video help to drive home the problem to the public? Maybe, but probably not.

    Should they have done this demo on a public road? Absolutely not.

    Bottom line, when you are doing a test where there is physical risk, you need to be in control of the environment and not putting the public in harm's way.

    This isn't your home computer and your email account. This is real life.

  2. Re:Chrysler by Eosi · · Score: 3, Funny

    Well, other than Fiat, not that I know of.......

  3. Re:Valasek and Miller are assholes and should be a by Anonymous Coward · · Score: 5, Insightful

    Bravo gentlemen. The only way this will get the full and due attention of the media and the car companies is by demonstrating life-threatening risk in the UConnect system. If this were a track test, it would be dismissed by the car companies as contrived, and the media would rather talk about Trump. This will now assuredly end up on the front page unless killed by Chrysler via influence peddling. It's time digital security was a real concern when it comes to my family hurtling down the highway at 75mph in what can now be convincingly argued is a very real digital death trap.

  4. Re:Valasek and Miller are assholes and should be a by xxxJonBoyxxx · · Score: 5, Insightful

    Disagree, in fact I'll probably shake their hands at DEFCON (assuming they're there again).

    The fact that they demonstrated vulnerabilities and then showed automakers multiple ways how to avoid such things (#1 firewall or separate networks; #2 technology to detect and kill anomalous signals) and STILL the automakers shipped defective product...is the problem.

    >> Will this video help to drive home the problem to the public?

    No, but I'd expect a few class action lawsuits will get their attention. I've read a few attorneys' periodicals warming up trial lawyers for IoT product liability, and automakers and their big pockets are sure to be some of their first targets (I think I've seen one settlement already happen).

  5. Re:Valasek and Miller are assholes and should be a by suso · · Score: 4, Insightful

    I'm not really talking about automakers or the vulnerabilities of cars. I'm only saying that Valasek and Miller were irresponsible security researchers for conducting a dangerous test on a public road. This is the kind of thing that will give all security research a bad name or at least bring it under heavy scrutiny.

  6. Nobody Pays attention. by Archangel+Michael · · Score: 3, Insightful

    I point you to Admiral Adama of (Battlestar Galactica) wise words ... "Do not network the ship's computers"

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  7. Re:Valasek and Miller are assholes and should be a by Mr+D+from+63 · · Score: 3, Insightful

    Doesn't it matter what it takes to make this exploit work? For instance, if you have to physically access the vehicle and do something in order to enable the remote exploit. There is a widely known physical exploit called cutting the brake lines, but manufacturers are in no way responsible for creating hard to access and cut brake lines.

    These articles often are vague on the implementation requirements to achieve the exploit. That matters, IMHO.

    With that said, standard control architecture practices should keep the key controls like steering, braking, acceleration, etc separate from the data monitoring and other systems, and where you can't separate entirely there are methods to manage that as well.

  8. Probably won't stop the auto industry by MikeRT · · Score: 4, Insightful

    Like medical device manufacturers, they seem to be in lala land compared to most fields that use computers when it comes to security. The worst part is that if the federal government mandates security standards, the most likely outcome is that they will likely only target a few bright lines tests and the standards will never keep pace with the evolving threat models.

  9. Re:Fix It Again Tony by Anonymous Coward · · Score: 5, Informative

    I've taken all the sub-systems out of a 2005 Subaru WRX to build another car from the bits. Although there are a lot of electronic modules, very few of them are connected to each other. The cruise control, airbag, ABS, climate control, heating, entertainment, lighting, and engine control systems are all completely independent from one another. I can 100% guarantee that a compromise in any one of the systems cannot be used to control any of the others on this car.

    My experience tells me that it's mostly cars from the past five years or so that are vulnerable to this type of exploit. Anything pre-CANbus has pretty much zero chance of having complex interconnections. Even most early CANbus cars only use the bus for mundane stuff like sending speedo and tach signals to multiple systems. It's a pretty recent trend to start adding things like door locks and brakes to the main bus.

  10. Re:Valasek and Miller are assholes and should be a by beelsebob · · Score: 3, Insightful

    But anyone sane on the planet would rather have them sit a car in a large, private, open space and demonstrate that they can control all of the controls without endangering anyone's life, especially people who didn't sign up to have their life endangered and were just driving down a public road.

  11. Re:Valasek and Miller are assholes and should be a by beelsebob · · Score: 2

    So you're saying it had a defect (the ability to exploit it), but it wasn't defective?

    In general, companies don't tend to know about significant defects when they actually ship the item. That doesn't mean that they're not defects.

  12. Re:Valasek and Miller are assholes and should be a by fred911 · · Score: 2

    "STILL the automakers shipped defective product...is the problem."

    Chrysler has been doing this for years. Perfect example is the head-gasket on the Neon. They produced an upgrade repair but NEVER upgraded the product.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  13. This doesn't surprise me One bit... by Anonymous Coward · · Score: 4, Interesting

    The Uconnect system is one buggy piece of software. Most of my interactions with the system are working around bugs. It updates without you knowing about it in the middle of the night over the Satellite system. It is very order dependent on things working correctly (even though running an automobile isn't that order dependent). The fact that there are remote issues doesn't surprise me all that much. I had a day where the tire system went bonkers and was reporting all sorts of surprising things. Then it stopped. I have had the car not start in a particular order. I have accidentally had the car started and instead of turning off, grind the starter. And because it is all software driven, there is nothing to do but wait. It is also tied into the Media system and bluetooth where I have a lot of interactions that just do not seem to work all that well. But I have been well trained on how to get it to work, until they fix a bug or add a new one, and my workflows have to change.

  14. Re:Valasek and Miller are assholes and should be a by gstoddart · · Score: 4, Insightful

    You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

    And, once again, we see that consumer electronics are almost completely incompetent at any semblance of security.

    Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

    Which is pretty damned unbelievable if you ask me.

    In fact, it sounds like some pretty epic incompetence at security, and reaffirms that corporations need to be held to MUCH higher standards of liability with all of their computers, instead of just saying "oops, we didn't know".

    --
    Lost at C:>. Found at C.
  15. Re:Valasek and Miller are assholes and should be a by pixelpusher220 · · Score: 3, Informative

    They aren't vague, it's the defined system by which the car connects to the internet, Uconnect. They accessed that over the internet from 10 miles away and controlled the car. This is no different than them using a buffer overflow exploit to gain remote access to a web server.

    It's a perfect example of why encryption back doors are a fool's errand. I'm sure it would be nice to stop a criminal who stole your car by turning off the engine...but that opens up the ability to remotely turn off the engine that could be used by anyone gaining the appropriate access. You can't make remote connections 'secure', only levels of security that come with risks.

    --
    People in cars cause accidents....accidents in cars cause people :-D
  16. Re:Valasek and Miller are assholes and should be a by Isarian · · Score: 2

    Straw man. There's no reason these exploits couldn't have been executed in a parking lot (where, in fact, the rest of the test was performed). They would hold the same impact without endangering the public.

    This is the same reason that dangerous medical research is performed in negative room pressure clean-rooms and vehicle safety crash tests are performed in controlled environments and not with vehicles on the interstate. You don't expose uninformed, uninvolved, and non-consenting members of the public when performing dangerous work.

    As it was, he stalled out on a bridge in heavy traffic and managed to get to safety. It's not much of a stretch to imagine a worse scenario - there he is in a tight turn in heavy traffic when his vehicle is compromised. Imagine he hits a minivan with 5 kids that then rolls. Now it's not a story of a dedicated journalist and two edgy security researchers - it's a story of murder, or at least manslaughter, and all three are complicit.

  17. Re:Valasek and Miller are assholes and should be a by ultranova · · Score: 2

    The cars are not designed to stop criminal actions.

    Mine has locks.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  18. Re:Valasek and Miller are assholes and should be a by cayenne8 · · Score: 2

    Is the UConnect system optional or are they trying to make it standard on their cars?

    I had looked awhile back at a new corvette and last I heard you could NOT get the fscking OnStar system out of the car....

    So, wondering if this is another "feature" that isn't optional....

    Why is it so hard to get a car without it being fucking connected to everything? I just want performance, and nice looks...I drive a car, I'm not trying to do a spreadsheet while driving for God's sake.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  19. Re:Valasek and Miller are assholes and should be a by StikyPad · · Score: 4, Insightful

    You can't quantify the level of risk by losing control of a vehicle, because you don't have the data. Neither do they. But there IS a level of risk by simply being on a public road with other cars, and that risk DOES rise with distractions, let alone malfunctions affecting braking, acceleration, or steering. Moreover, they were trying to demonstrate how dangerous the hack can be, so on the one hand, they're implicitly admitting that they put the author and the public at risk, but on the other side of their mouth, they're trying to say there was nothing life-threatening? Sorry, I don't buy it. That was willful negligence. It was irresponsible and reckless, and the "only way to get attention" argument doesn't stick when you fail to escalate in a responsible and methodical manner and skip right to the nuclear option. That was the problem with Snowden, and that's the problem with these characters.

  20. Don't allow remote-control, except... by davidwr · · Score: 2

    If the "car" part of the car were completely disconnected from any "outside" communication, the problem would go away.

    Now, there are times where allowing outside control of the car is useful, such as remote-start of the heating and A/C systems so the car isn't an icebox or oven when you get in, and (perhaps) a remote-slowdown or remote-prevent-engine-start command as part of an anti-theft-system, but if you are going to do this, you have to do it right and you have to assume that even if you do it right, someone will be able to defeat your security. You have to ask yourself, as a manufacturer, is it really worth it to allow my customers the conveniences of remote-control in exchange for the small but very real risk that an adversary could exploit it to kill my customer or someone else?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  21. Roughly, how did this happen? by ShooterNeo · · Score: 2

    I remember thinking in the 90s "no one would be stupid enough to put safety critical computer systems on a network at all..."

    And, here we are.

    If someone gave me a blank sheet of paper and asked me to sketch out the system for a car's braking controller, I'd slap down a CPLD or microcontroller, and have it use some locked firmware to read the various sensors and send out the control signals.

    Oh, they want networking? I'd isolate or use the inherent properties of a CPLD/FPGA programmed in combinatorial logic style (you can program a CPLD/FPGA to act like a microcontroller instead which is vulnerable)

    In combinatorial logic style, all the processing is through various gates, and is a boolean combination of flip flops and logic gates. So, say they want the ability to read (but not alter) the current state of the vehicle's brakes. A tiny communication processor (a low pin count PIC is one choice) would receive from the vehicle's CAN bus the command to give the vehicle's brake state. The communication processor would toggle high an output pin connected to an input pin on the microcontroller/CPLD that actually controls the brakes. That high pin state would mean that every few control loop cycles, the microcontroller/CPLD would blast out the current state on a serial output pin.

    Note that there's no opportunity for a hacker who got into that communication processor to do any worse than toggle a pin on and off. No effect on the steering/braking.

    Ok, maybe now we want to be able to change the "style" of steering and braking. So now there's a finite set of legal states that are stylistically desirable. That's when you'd isolate with the inherent property of an FPGA/CPLD state machine to not be capable of any other states BUT the states you defined. (there's no global memory and no stack, so nothing a hacker can do to affect the machine's behavior)
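
Added example, not part of ShooterNeo's comment or any manufacturer's code: a C model of the isolation described in comment 21, where the only path from the communication processor to the brake controller is a few pins and the controller has a fixed set of legal styles. The style names, gains and pin layout are assumptions constructed for illustration; a real design would implement the controller as CPLD/FPGA logic rather than C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: style names and gains are hypothetical. */
typedef enum { STYLE_COMFORT, STYLE_NORMAL, STYLE_SPORT, STYLE_COUNT } brake_style;
static const uint8_t GAIN_PCT[STYLE_COUNT] = { 80, 100, 120 };

/* The ONLY signals that cross from the comm processor to the brake side:
   one status-request pin and two style-select pins. No bus, no shared memory. */
typedef struct { bool status_req; uint8_t style_pins; } link_pins;

typedef struct { brake_style style; uint8_t cycle; } brake_ctrl;
typedef struct { uint8_t pressure; bool status_sent; } brake_out;

/* Pedal-to-pressure curve for one legal style, saturating at full scale. */
static uint8_t curve(brake_style s, uint8_t pedal) {
    unsigned p = (unsigned)pedal * GAIN_PCT[s] / 100u;
    return (uint8_t)(p > 255u ? 255u : p);
}

/* One control-loop cycle. The pins can select among the predefined styles
   and ask for a status report; nothing else is expressible. */
brake_out brake_step(brake_ctrl *c, uint8_t pedal, link_pins pins) {
    uint8_t sel = pins.style_pins & 0x3u;               /* two physical wires */
    if (sel < STYLE_COUNT) c->style = (brake_style)sel; /* 0b11: no such state, hold */
    c->cycle = (uint8_t)((c->cycle + 1u) & 0x3u);
    brake_out o;
    o.pressure = curve(c->style, pedal);
    o.status_sent = pins.status_req && c->cycle == 0;   /* report every 4th cycle */
    return o;
}

/* Model a fully compromised comm processor: drive every possible pin
   pattern against every pedal position and count outputs that fall outside
   the envelope of the legal curves. Returns 0 if the isolation holds. */
unsigned count_out_of_envelope(void) {
    unsigned bad = 0;
    for (unsigned pins = 0; pins < 8; pins++) {
        brake_ctrl c = { STYLE_NORMAL, 0 };
        link_pins lp = { (pins & 4u) != 0, (uint8_t)(pins & 3u) };
        for (unsigned pedal = 0; pedal <= 255; pedal++) {
            brake_out o = brake_step(&c, (uint8_t)pedal, lp);
            uint8_t lo = curve(STYLE_COMFORT, (uint8_t)pedal);
            uint8_t hi = curve(STYLE_SPORT, (uint8_t)pedal);
            if (o.pressure < lo || o.pressure > hi) bad++;
        }
    }
    return bad;
}

int main(void) {
    printf("out-of-envelope outputs: %u\n", count_out_of_envelope());
    return 0;
}
```

The worst a hostile pin pattern achieves here is switching between the predefined styles or requesting status reports; the pedal input always maps to a pressure on one of the legal curves.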

  22. Re:Valasek and Miller are assholes and should be a by kheldan · · Score: 2

    At least they're assholes in the public interest. Is what they did borderline criminal? I'll leave that up to public opinion. But what they've done is justify the fears that many may have had, that what they've seen in movies and television shows isn't fiction but reality. They're not the heroes we need, but perhaps they're the heroes we deserve. Be thankful at least that no one was injured, and that the truth about this was revealed.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  23. Why no radio kill switch? by kheldan · · Score: 4, Insightful

    Laptops have had hardware power switches for their transceivers for a long time now, if autos are going to have wireless access to their systems then why the hell isn't there a kill switch for that transceiver so the owner of the vehicle can turn it off?

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Why no radio kill switch? by BlueStrat · · Score: 2

      Sure, that'll work.. and you'll probably void your car's warranty in the process, and very possibly damage the transceiver(s) using that antenna, if/when they try to transmit and blow the final amplifier transistor(s) out because there's no antenna. Having a hardwired switch that kills power to the transceiver(s) would be a more elegant and practical solution.

      Unless, as is common with automotive electronics, the circuit board containing the transceiver(s) is potted in epoxy and nearly impossible to physically access in such a way as to successfully perform these modifications without destroying it.

      When US car makers think about their car's electronic security, their focus is on preventing the owners from being able to repair or alter it themselves.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re:Why no radio kill switch? by kheldan · · Score: 2

      I used to have CB radios back in the day, and got part of my start in electronics with building amateur radio gear, too. Disconnecting the antenna on a transmitter will reflect power right back into it, and if it's a semiconductor final amp, it'll overheat and blow out in short order. Transmit power really isn't all that relevant. Besides which without knowing for sure how a transmitter will handle it, why take the risk? The 'repair' might be $1000 for the replacement of an entire module that, for one reason or another, isn't repairable. Also, again: Voiding the warranty on your vehicle. At the very least you'd want to disconnect the antenna from the transceiver and substitute a dummy load (preferably a well-shielded one in this case) so nothing gets damaged, but wireless communication still gets disabled.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  24. Why? by tompaulco · · Score: 2

    Why does a car have a wireless system, and why is this wireless system accessible from outside the car?

    --
    If you are not allowed to question your government then the government has answered your question.
  25. Re:Valasek and Miller are assholes and should be a by jenningsthecat · · Score: 4, Insightful

    Why is it so hard to get a car without it being fucking connected to everything?

    Never mind that, why is it so hard to find fucking automotive engineers who have enough sense to keep the critical control buses and the frivolous entertainment/external communication buses separate and not connected to each other?

    I don't know whether this is the result of bean counters doing the shit they do, or the hubris of engineers who think, "they won't hack MY system!", but whatever, auto makers need to give their heads a shake and get their shit together. The fact that the exploit outlined in the article is even possible, at all, is just criminal.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  26. Re:Valasek and Miller are assholes and should be a by StikyPad · · Score: 2

    First, the nuclear option is a real-world test with unknowing participants -- the other drivers on the road -- which they did. A parking lot would have worked just as well.

    Second, they disabled the transmission. Aside from the fact that acceleration is sometimes necessary to avoid accidents, any significant slowdown below normal speeds on a freeway increases the risk of a collision. Keep in mind that he had music blaring full blast and windshield wipers and fluid obscuring his view at the same time, and no exit strategy since he was on a bridge with no shoulder. That was incredibly irresponsible to put him in that situation.

  27. Re:Valasek and Miller are assholes and should be a by Anonymous+Brave+Guy · · Score: 4, Insightful

    You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

    Not if it goes wrong and completely innocent third parties pay the price, it's not.

    I am struggling to believe that any rational and normally adjusted person would not see the deep ethical problems with the way this experiment seems to have been conducted, yet there are apparently multiple people in this thread defending it.

    Auto technology is certainly an area that needs a lot more attention and probably heavyweight regulation and laws with real teeth to prevent profits taking priority over safety and privacy. But this isn't the way you do it. In fact, this is the way you get the grown-ups to treat you with contempt and want nothing to do with your research, lest they become contaminated by your methods themselves.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  28. Re:Valasek and Miller are assholes and should be a by Coren22 · · Score: 3, Insightful

    From the nature of the exploits being described:

    They put this system on the CAN-BUS, which is used to control engine and control systems. There is NO REASON for an entertainment system to be on this bus. On-Star has the same issues. If you want these devices to have functionality that is on the CAN-BUS, it should be duplicated outside the CAN-BUS. Security researchers have been trying to explain this to the car industry for 10 years (at least) now, and the car industry keeps being willfully ignorant of the security implications of what they are doing. This is far past defect, it is more like intentionally dangerous and possibly malicious.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  29. Re:Valasek and Miller are assholes and should be a by pixelpusher220 · · Score: 3, Informative

    this link has some more technical details linky

    --
    People in cars cause accidents....accidents in cars cause people :-D
  30. Re:Fix It Again Tony by HornWumpus · · Score: 2

    240Z beat a vette? You are on drugs.

    Perhaps if you put a mouse (American engine, same as in most corvettes) in the Z it would be competitive. But the vette chassis will hold easily twice the power and you are basically talking about putting a vette drivetrain into Z car.

    I owned a 280Z back in the day, they are fun cars, but not even in the vette's class.

    We know you love your old benz, you'd have to get a caprice classic to get similar numbers from an American car.

    Twice as reliable? Tell me that after you get 3 Hitachi side draft carbs to synch perfectly. The advantage of the 240 over the 280 was lighter weight, at the cost of a lower powered and much less reliable engine. The 240 is the Z you want to put a V8 into, not the one you leave stock.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  31. Re:Fix It Again Tony by gweilo8888 · · Score: 2

    My experience tells me that it's mostly cars from the past five years or so that are vulnerable to this type of exploit. Anything pre-CANbus has pretty much zero chance of having complex interconnections.

    You do realize that the earliest iterations of the CAN bus date back to the late 1980s, it has been in the majority of US-market vehicles for more than a decade, and by 2008 was a legal requirement in mass-market vehicles, right?

    A heck of a lot more than just the last five years of vehicles use the CAN bus. If your vehicle is made within the last decade it's almost a certainty that it uses the CAN bus.

  32. Re:Valasek and Miller are assholes and should be a by jenningsthecat · · Score: 2

    Thanks - those are all good points. Except the 'underestimating the lengths' part. We have more than a decade's worth of news stories about people who have gone to great lengths to hack hardware and software - sometimes because they want additional features, sometimes out of malice, and sometimes just to prove a point. I figure by this time there's no excuse for underestimating what people will do. I think you hit the nail on the head when you suggested cost as the reason.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  33. Re:Valasek and Miller are assholes and should be a by Ravaldy · · Score: 2

    People voluntarily wash their windshield while driving all the time. They also drive in the rain, even heavy rain.

    And they know it's going to happen because they either initiate the action or anticipate it. In this case he didn't know it was going to happen.

    People's cars stall on the highway all the time. At no point was he in the situation your link talks about. Even if he had been on the shoulder, that too happens all the time and rarely leads to a problem.

    Would you say it's dangerous to have your car stall on the highway? The answer is yes.
    So why would you intentionally put yourself or someone else in that position of danger?

    Usually people like putting the odds of survival on their side. Test environments are there so we don't have to create unneeded danger.