Remote Exploit On a Production Chrysler To Be Presented At BlackHat

Matt_Bennett writes: A scary remote exploit is going to be published that enables someone connected to the the same wireless (mobile data) network to take over many [automobile] systems, including braking. This is an exploit in Chrysler's Uconnect system. Charlie Miller and Chris Valasek also demonstrated exploits in 2013 that could be done via a direct connection to the system, but this is vastly expanded in scope. The pair convinced Wired writer Andy Greenberg to drive around near St. Louis while they picked apart the car's systems from 10 miles away, killing the radio controls before moving on to things like the transmission.

Valasek and Miller are assholes and should be asha

[suso]

As I felt with their first video, these "security researchers" play with the steering on a car moving 40mph on a public road. Now they've gone and done this. Playing with the driving controls on a 2 ton vehicle moving at 70 mph on a busy road.

In this video they said "it wouldn't be anything life threatening" which shows that they don't have a clear view of reality in the situation. A seat belt won't
you have a 70mph head on collision with a semi. The driver wasn't informed beforehand that he could bail out of the test by restarting the car, they waiting
until he was panicing to try to tell him that.

What if they made a mistake and turned the car into oncoming traffic? What if their computers were remotely controlled?

Is the situation with car's vulnerabilities serious? Yes of course.

Will this video help to drive home the problem to the public? Maybe, but probably not.

Should they have done this demo on a public road? Absolutely not.

Bottom line, when you are doing a test where there is physical risk, you need to be in control of the environment and not putting the public in harms way.

This isn't your home computer and your email account. This is real life.

Re:Valasek and Miller are assholes and should be a

Bravo gentlemen. The only way this will get the full and due attention of the media and the car companies is by demonstrating life-threatening risk in the UConnect system. If this were a track test, it would be dismissed by the car companies as contrived, and the media would rather talk about Trump. This will now assuredly end up on the front page unless killed by Chrysler via influence peddling. It's time digital security was a real concern when it comes to my family hurtling down the highway at 75mph in what can now be convincingly argued is a very real digital death trap.

Re:Valasek and Miller are assholes and should be a

[xxxJonBoyxxx]

Disagree, in fact I'll probably shake their hands at DEFCON (assuming they're there again).

The fact that they demonstrated vulnerabilities and then showed automakers multiple ways how to avoid such things (#1 firewall or separate networks; #2 technology to detect and kill anomalous signals) and STILL the automakers shipped defective product...is the problem.

>> Will this video help to drive home the problem to the public?

No, but I'd expect a few class action lawsuits will get their attention. I've read a few attorneys' periodicals warming up trial lawyers for IoT product liability, and automakers and their big pockets are sure to be some of their first targets (I think I've seen one settlement already happen).

Re:Valasek and Miller are assholes and should be a

[suso]

I'm not really talking about automakers or the vulnerabilities of cars. I'm only saying that Valasek and Miller were irresponsible security researchers for conducting a dangerous test on public road. This is the kind of thing that will give all security research a bad name or at least bring it under heavy scrutiny.

Probably won't stop the auto industry

[MikeRT]

Like medical device manufacturers, they seem to be in lala land compared to most fields that use computers when it comes to security. The worst part is that if the federal government mandates security standards, the most likely outcome is that they will likely only target a few bright lines tests and the standards will never keep pace with the evolving threat models.

Re:Fix It Again Tony

I've taken all the sub-systems out of a 2005 Subaru WRX to build another car from the bits. Although there are a lot of electronic modules, very few of them are connected to each other. The cruise control, airbag, ABS, climate control, heating, entertainment, lighting, and engine control systems are all completely independent from one another. I can 100% guarantee that a compromise in any one of the systems cannot be used to control any of the others on this car.

My experience tells me that it's mostly cars from the past five years or so that are vulnerable to this type of exploit. Anything pre-CANbus has pretty much zero chance of having complex interconnections. Even most early CANbus cars only use the bus for mundane stuff like sending speedo and tach signals to multiple systems. It's a pretty recent trend to start adding things like door locks and brakes to the main bus.

This doesn't surprise me One bit...

The Uconnect system is one buggy piece of software. Most of my interactions with the system is working around bugs. It updates without you knowing about it in the middle of the night over the Satellite system. It is very order dependent on things working correctly (even though running an automobile isn't that order dependent. The fact that there are remote issues doesn't surprise me all that much. I had a day where the tire system when bonkers and was reporting all sorts of surprising things. Then it stopped. I have had the car not start in a particular order. I have accidentally had the car started and instead of turning off, grind the starter. And because it is all software driven, there is nothing to do but wait. It is also tied into the Media system and bluetooth where I have a lot of interactions that just do not seem to work all that well. But I have been well trained on how to get it to work, until the fix a bug or add a new one, and my workflows have to change.

Re:Valasek and Miller are assholes and should be a

[gstoddart]

You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

And, once again, we see that consumer electronics are almost completely incompetent at any semblance of security.

Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicleâ(TM)s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek wonâ(TM)t identify until their Black Hat talk, Uconnectâ(TM)s cellular connection also lets anyone who knows the carâ(TM)s IP address gain access from anywhere in the country. âoeFrom an attackerâ(TM)s perspective, itâ(TM)s a super nice vulnerability,â Miller says.

Which is pretty damned unbelievable if you ask me.

In fact, it sounds like some pretty epic incompetence at security, and reaffirms that corporations need to be held to MUCH higher standards of liability with all of their computers, instead of just saying "oops, we didn't know".

Re:Valasek and Miller are assholes and should be a

[StikyPad]

You can't quantify the level of risk by losing control of a vehicle, because you don't have the data. Neither do they. But there IS a level of risk by simply being on a public road with other cars, and that risk DOES rise with distractions, let alone malfunctions affecting braking, acceleration, or steering. Moreover, they were trying to demonstrate how dangerous the hack can be, so on the one hand, they're implicitly admitting that they put the author and the public at risk, but on the other side of their mouth, they're trying to say there was nothing life-threatening? Sorry, I don't buy it. That was willful negligence. It was irresponsible and reckless, and the "only way to get attention" argument doesn't stick when you fail to escalate in a responsible and methodical manner and skip right to the nuclear option. That was the problem with Snowden, and that's the problem with these characters.

Why no radio kill switch?

[kheldan]

Laptops have had hardware power switches for their transceivers for a long time now, if autos are going to have wireless access to their systems then why the hell isn't there a kill switch for that transceiver so the owner of the vehicle can turn it off?

Re:Valasek and Miller are assholes and should be a

[jenningsthecat]

Why is it so hard to get a car without it being fucking connected to everything?

Never mind that, why is it so hard to find fucking automotive engineers who have enough sense to keep the critical control buses and the frivolous entertainment/external communication buses separate and not connected to each other?

I don't know whether this is the result of bean counters doing the shit they do, or the hubris of engineers who think, "they won't hack MY system!", but whatever, auto makers need to give their heads a shake and get their shit together. The fact that the exploit outlined in the article is even possible, at all, is just criminal.

Re:Valasek and Miller are assholes and should be a

[Anonymous+Brave+Guy]

You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

Not if it goes wrong and completely innocent third parties pay the price, it's not.

I am struggling to believe that any rational and normally adjusted person would not see the deep ethical problems with the way this experiment seems to have been conducted, yet there are apparently multiple people in this thread defending it.

Auto technology is certainly an area that needs a lot more attention and probably heavyweight regulation and laws with real teeth to prevent profits taking priority over safety and privacy. But this isn't the way you do it. In fact, this is the way you get the grown-ups to treat you with contempt and want nothing to do with your research, lest they become contaminated by your methods themselves.