Newsflash: Car Network Security Is Still A Horrible, Very Dangerous Joke

from the I'm-sorry-I-can't-do-that,-Dave dept

As we’ve noted for years, the security on most “smart” or “connected” cars is aggressively atrocious. And in fact it’s getting worse. As car infotainment systems get more elaborate, and wireless carriers increasingly push users to add their cellular-connected car to shared data plans, the security of these platforms has sometimes been an afterthought. Hackers this week once again made that perfectly clear after they demonstrated to a Wired reporter that they were able to manipulate and disable a new Jeep Cherokee running Fiat Chrysler’s UConnect platform. While the reporter was driving it:

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

Uconnect utilizes Sprint’s cellular network, and hacker/researchers Charlie Miller and Chris Valasek were able to manipulate nearly everything about the vehicle with a laptop in a house ten miles away. All thanks to one, unspecified vulnerability:

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels.

The two used to have to physically modify cars to get access to these systems, but as vehicles have gone cellular, it has opened the door to a world of new exploits. And if you’ve ever experienced the incomprehensibly-clunky in-car GUI of most in-car infotainment platforms, rest assured that the quality of the system’s security is usually in the same ballpark. Miller and Valasek will publish a portion of their exploit online during a presentation at the Black Hat security conference in Las Vegas next month.

The exploit appears to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. Chrysler/Fiat posted a notice to its website last week informing users that they need to update their in-car software either via USB stick (you can download the update here) or by taking it in to a dealer. Of course like many patches, most users won’t be paying much attention to the warning. And we’re only talking about Chrysler’s UConnect; there’s a bounty of half-assed security measures implemented in infotainment systems from automakers worldwide just waiting to be tinkered with by pranksters (or worse).

Of course cars aren’t the only tech sector where security has failed to keep pace with ambition. “Smart” TVs have been shown to have similarly awful security, often sharing unencrypted user info (even conversations) with any hacker with a modicum of talent. In the rush to embrace the gee whizzery of the “Internet of things,” there are more than a few companies that apparently forgot to bring security and intelligence along for the ride.


Comments on “Newsflash: Car Network Security Is Still A Horrible, Very Dangerous Joke”

52 Comments
Anonymous Coward says:

Why is the entertainment system connected to the car management system? Any real time safety critical control system should be air gapped from the rest of the world, and any used in any vehicle should use signed updates via a USB. I think it is acceptable to ensure that vehicles used on public roads only run manufacturers approved software, because a software bug endangers people other than the owner.

Anonymous Coward says:

Re: Re:

“I think it is acceptable to ensure that vehicles used on public roads only run manufacturers approved software, because a software bug endangers people other than the owner.”

It should be illegal to modify any car driven on a public road in any way, except by the manufacturer. Only factory dealer parts should be allowed on such cars. It’s for the children!

Anonymous Coward says:

Re: Re: Re:

Only because bugs don’t usually involve life or death situations. A manufacturer that’s potentially liable for damages caused by a bug of this nature will be far more motivated to fix it ASAP. Comparing how long it takes Microsoft or some random software developer to fix a bug to this is not a good comparison.

Mason Wheeler (profile) says:

Re: Re: Re: Re:

It would really be nice to be able to believe that, but history shows otherwise. From the Ford Pinto to the runaway Toyotas a few years ago to problems today like Jeep Grand Cherokee and the Takata shrapnel airbags, we see that manufacturers frequently don’t like to fix potentially fatal problems even when they could be held liable for the damages.

Josh in CharlotteNC (profile) says:

Re: Re:

“I think it is acceptable to ensure that vehicles used on public roads only run manufacturers approved software, because a software bug endangers people other than the owner.”

I think you need to reread the article. This was a software bug in the manufacturer-supplied software.

Making it either illegal (through legislation) or impractical (through DRM or TPM chips or similar) only increases the chance these bugs are not found. It also takes away valuable modding capabilities to improve your own car.

If the concern is safety, then existing laws either already cover it (e.g. illegal to operate a car that hasn’t passed its yearly inspection) or should be written in a manner that does not cut out legitimate tinkering and modding because of overblown fears.

Atkray (profile) says:

Re: Re: Re: Re:

Having multiple modules on the CAN bus allows things like speed sensitive wipers and speed sensitive volume controls.

It makes it easy to disable rear hatches or power sliding doors when the car is in gear.

It allows a single display to work for heating and air conditioning and also for audio and video.

In short it does what most networks were designed to do, share information between computers.

That said, yes connecting it to a public attack vector is trouble waiting to happen.

Unfortunately, people want their phone to connect to everything because …internet.

Anonymous Coward says:

Re: Re: Re:

There are few people that are competent to work on real time systems. Most who think they are are more likely to cause more bugs than fix the one they are working on. Also testing on public roads is likely to put innocent lives at risk. Most people competent in real time software know better than to trust their life on software that they write without it first going through a thorough review and test procedure.
How many people have access to a test track, which is where any modded control software should be properly tested before use on a public road?

Josh in CharlotteNC (profile) says:

Re: Re: Re: Re:

You seem to be implying that I think people should be driving unsafe cars on public roads.

I do not want that. I want to be able to drive safely.

What I want to prevent is the inevitable overreaction and counterproductive bad legislation that prevents people from legally tinkering or making modification to the cars (and other devices) they own, and not to require approval from the manufacturer. Your words: “only run manufacturers approved software” is what I have a problem with.

The act of driving unsafely, or of operating an unsafe vehicle, is what should be illegal. It should not be illegal if I run different software in my car that Chrysler or Ford or GM or whoever doesn’t like, so long as that software isn’t otherwise dangerous.

Anonymous Coward says:

Re: Re: Re:2 Re:

For use on public roads, when the software controls brakes and steering etc. it should be certified before use on a public road, and that certification should be based on a full audit, testing via a test harness, and then on a track. Tinker all you like if the car is only used on private grounds or tracks, but not when used on the public roads, unless you can afford all the testing and certification before using the vehicle on a public road.
When it comes to mechanical modification, an experienced mechanic can examine a vehicle and tell whether it is safe or not with a 15 minute inspection. The same cannot be done for software, which requires much more time and cost in auditing and testing before it can reasonably be trusted. Also, legal action against a driver is no consolation to the family and friends of any person that they kill or maim.

Anonymous Coward says:

Re: Re: Re:3 Re:

Even then I can imagine if someone hacked the radio, blasted a very loud and disruptive high pitched sound through it, and disabled your ability to turn off or down the radio it could easily cause an accident while driving. Even the radio should have some regulatory safe guards against such a possibility.

Anonymous Coward says:

Re: Re: Re:3 Re:

If I own a car, and I want to tinker with it, I will do so. If I cause something to go wrong and kill someone, then I am responsible. That is how it works. I understand you don’t like it, but that is the way it is.

If I buy a “insert any device here” and modify it, and it malfunctions and kills someone… my fault.

In almost any case you can try and shift personal liability over to the Government by certification and testing but it’s not going to help you when shit goes wrong. You tweak it, and it messes up and hurts someone or their property, it doesn’t matter how much certification it had, YOU are responsible. That is how it is, and that is how it should be in a free country.

Anonymous Coward says:

Re: Re: Re:

If you want to mod a car your mod should require safety approval from whatever government bodies approve the safety of cars. Why should car manufacturers be required to gain such approval but some Joe blow not. While I generally agree with health freedoms, freedom to tinker with stuff you bought, while I disagree with DRM, this is different. This is a safety issue that involves the safety of others.

AJ says:

Re: Re: Re: Re:

“If you want to mod a car your mod should require safety approval from whatever government bodies approve the safety of cars.”

Great, let’s put the government in charge of safety… They can’t even protect our data, what makes you think they can protect the roads? How about we make the very few people that actually try and mod their cars responsible for their actions?

“Why should car manufacturers be required to gain such approval but some Joe blow not.”

Because manufacturers are selling thousands if not hundreds of thousands of cars, and Joe Blow is modding his personally owned car… big difference.

CSMcDonald (profile) says:

Yet another example of why not everything needs to be connected to the internet – especially when security is not the number one concern when creating the product.

The biggest take away I had from this article was horror that they did this demonstration on a public highway with a good amount of traffic – this should have been demonstrated in a controlled environment where the only people who were endangered were the ones who knowingly participated – not every other car and passenger on the highway at the time. They cut power to the vehicle when there was no place to pull over – in a 70mph zone – completely reckless.

Mason Wheeler (profile) says:

Re: Re: Re:

That’s not what was said at all. What he said is that it was highly irresponsible of the researchers to do something that could put the car in question at serious risk of a fatal collision while in real highway traffic with plenty of independent vehicles that it could potentially collide with! And he has a very good point.

The fact that he has a very good point does not in any way invalidate the research that was done. It simply points out that it was done in an irresponsible and needlessly dangerous way.

Anonymous Coward says:

Lucky they didn’t disable the brakes then force acceleration.

Srsly it has been years now that the car CAN bus system is horribly flawed with security holes. It was designed for extremely high availability not confidentiality. This is why it should never be hooked up to a communication point outside of the car.

John Fenderson (profile) says:

Re: Re:

“it has been years now that the car CAN bus system is horribly flawed with security holes.”

Exactly this. I’ve programmed for CAN-based systems before, and security is simply not a part of the mix. In the old days, this was (barely) acceptable because you had to physically connect to the system to subvert it.

Getting CAN anywhere near an external network is guaranteed to be a serious problem, though.

Anonymous Coward says:

“the security of these platforms has sometimes been an afterthought”

Saying it is an afterthought implies someone thought about it at all.

On a more serious note, Chrysler ought to be issuing critical updates like that through the relatively well proven mechanism of vehicle recalls. I’m not saying they should have to accept trade-ins of vehicles over defective software, but recall notices, both direct-mailed and published through well-known sites, are a proven mechanism of notifying users that they need to contact their dealer for repairs. In this case the “repair” is just a software update, and the notice could include a blurb about how to do self-service repair.

Anonymous Coward says:

Re: Re: Re:

“Now, you could argue that it is a safety concern, but it is actually only a safety concern if someone exploits it and harms someone. By that measure, you would have to recall all cars because someone may drive over another person with it.”

False equivalence much? It’s a safety concern to me when people I don’t know can remotely cause my car to act in ways that may injure me, cause legal liability, or both. If the security is as bad as described in the article, it’s a good bet that the first few remote-murders conducted through these flaws will be written off as “traffic accidents” or similar, rather than investigated as real crimes.

It’s not a safety problem in my car when someone else uses their car to run me off the road, nor is it a safety problem in their car that their car failed to prevent them from running me off the road. It is a safety problem in my car when their laptop politely asks my car to drive itself off the road, and my car obliges.

Violynne (profile) says:

10 years from now…

HR: “So, what makes you think you’re a good candidate for the organization?”

Kid: “Well, using the CEO’s health band, I jumped to the HDTV menu system to access the network, since the HDTV is in constant eavesdrop mode. From there, I used an employee’s Bluetooth headset to access her laptop as she was streaming from a website. There, I accessed the files of the company to determine what they do, both legally and illegally, and determined my skills would be best applied in the IT department, now that Bob Jones ‘left’ the organization after being investigated for child porn.”

HR: “I see. You will start Monday for orientation.”
Kid: “Cool. It’ll be nice working for Comcast.”

Derek Kerton (profile) says:

There's an Element of BS to This "Hack"

Is it really a hack at all?

The Jeep appears to belong to the hackers. So they had complete access prior to the Wired reporter arriving.

If they go into their own Jeep, modify the systems through an open port like the OBDII, then remote connect to the car, is that really “hacking into” someone’s car?

I mean, my car has an app. If I have full access to the car, I can link the app to the car. Now I can honk the horn, activate the AC, open the sunroof from anywhere in the world. It’s considered a feature.

People have been able to “hack” vehicles in this remote way for decades, so long as they had prior access. What about cutting the brake lines, or attaching a bomb that is remotely detonated. I could remotely activate a solenoid that shuts off fuel supply — all on a 1920-2015 non-connected car?

This hack demo is theater. It would be far more frightening if they didn’t have prior full access to the vehicle.

Now, I agree that there should be stronger security, and better firewalls between the entertainment and mechanical side. But this Wired story teaches us nothing…other than fear mongering grabs attention.

Anonymous Coward says:

Re: There's an Element of BS to This "Hack"

I believe the article implied that they bought the cars to be able to reverse engineer the systems. That said, they are able to hack any Jeep that showed up on their Sprint connected cell phone, including vehicles they didn’t have prior access to.

Derek Kerton (profile) says:

Re: Re: There's an Element of BS to This "Hack"

I didn’t see that part of the article.

And to continue, these are the same two guys that sensationalized the “hack” of a Prius in 2013, and that was written up by the same author.

http://goo.gl/MiDhrh

That Prius was completely opened up, and they were patched in with wires and laptops. It was basically a farce to think that the average person could fall victim. How many real victims have turned up in the two years since? Zero. So these guys lack credibility to me when they try to start a panic. I see clickbait.

That said, there are legit aspects to their findings. The weak separation of entertainment system and CANbus is important. That is what Chrysler will rush to patch. They are legit black hat hackers for finding that.

But the remote aspects are just fear-mongering. The hack wasn’t done remotely. It was done in the car, then they went remote to control it. The part that scares people is their cars being remotely hacked from China, Russia, or Nigeria. That is not a revealed possibility.

…Imagine “Dear good sir. I, a Prince of Lagos, have taken control of your car. If you would like it returned to you, please wire $5000 to this bank account. May the good lord bless you, as I’m sure you are a good person.” That is scary, but didn’t happen…yet.

Also, I agree that car security is very important, and like most security, not adequate. Most big companies (and gov’t) seem to rely on “Security through arrogance”, which is one step weaker than “Security by anonymity”.

These two hackers and the author strike me much as the lead-in to the 6 o’clock news: “What’s in your car that might kill you? Stay tuned to find out.”

Jack says:

Re: Re: Re: There's an Element of BS to This "Hack"

Did you even bother to read the Wired article? If what they claim is true, NO prior access is needed at all – they are accessing uConnect remotely, using it as a pivot to rewrite the firmware on the fly, and then control the car via that rewritten firmware.

The fact that uConnect is able to interface with CANBUS is very scary, and there is absolutely no reason that it should be connected in any way, shape, or form. The only reason it is connected is so that the manufacturer can read out data stored on the ECU and send it back to them remotely should they want to do that – it would also allow them to update the car remotely, making ECU updates way, way cheaper.

The only reason they probably haven’t gotten further with this is because writing CANBUS software is a huge pain in the ass. Nearly everything in a modern vehicle is controlled via CANBUS – throttle, brakes, steering on cars with electric power steering, transmission, etc. I would not be surprised if other countries’ intelligence services are already weaponizing this kind of shit… I bet it won’t be long now before some Iranian nuclear engineers end up having their seat belt lock, accelerator floored, brakes disabled, and then steered right off a bridge. The attacker has access to the GPS and reverse-camera (or others if they are available) so it wouldn’t be too hard to do…

Derek Kerton (profile) says:

Re: Re: Re:2 There's an Element of BS to This "Hack"

“Did you even bother to read the Wired article? If what they claim is true, NO prior access is needed at all”

Did you not read what I read? I don’t believe their claim.

If that claim WERE true, they would not have demonstrated on their own Jeep. They would have made their point by telling the wired reporter “Just rent ANY 2014 Jeep when you arrive in Chicago.”

But they didn’t. They supplied the car.

Perhaps they didn’t hack a random vehicle because it isn’t safe? Nope, that is not consistent with their known actions: The fact that they demonstrated on a public interstate shows that, for them, safety concerns are trumped by a dramatic news story.

When an owner modifies his own car, it’s really more of a “mod” than a “hack”. This news story headline would be more honest if it read “Guys Mod Their Car To Be Partially Remote Controllable”.

I admit, I don’t have a whole lot of proof to back up my claim, but then again, they haven’t supplied much either. And given their record of sensationalizing this type of thing, I’ll bet money that it’s an exaggeration.

Why U So Dumb Derek Kerton? says:

Re: Re: Re:3 There's an Element of BS to This "Hack"

“Did you not read what I read? I don’t believe their claim.”

Uh, is that supposed to be “Did you not read what I wrote?”

So this is all a fraud, eh? I guess that’s why the manufacturer, who these hackers shared their work with, put out that press release exposing the fraud. Oh wait – no such release exists…

Michael (profile) says:

Re: Re: Re:2 There's an Element of BS to This "Hack"

“and there is absolutely no reason that it should be connected in any way, shape, or form”

Actually, there are lots of good reasons that the uConnect communicates with the CANBUS. I have one of these. They used the infotainment unit to control all kinds of settings in the car including the electronic suspension, exhaust, traction control, etc. There are lots of configurable settings and everything is handled through a single user interface. It can also do things like adjust the volume based on the speed of the vehicle. It’s actually a nice setup and makes a lot of sense to have it aware of everything in the car.

Now, connecting the thing directly to the internet? Yeah, maybe not the best idea without a bit more thought into security.

Jack says:

Re: Re: Re:3 There's an Element of BS to This "Hack"

Most of these controls are handled through on-board buttons or selectors. TCS, VSC, and Adaptive Suspension are all handled through buttons or twist dials – even high end cars are doing this through buttons. If a mfg wants to make these software buttons on an infotainment type system, then any internet connectivity needs to be completely air-gapped and there is no reason to allow remote connection via the internet. What is the possible benefit to the consumer of remotely flashing the ECU over the internet?

The volume-speed thing is done via a microphone – head units with no GPS or connectivity to the ECU have had this for years.

Ryan says:

Terrible Design

The low speed CAN bus for the body control module and anything that is internet connected such as an infotainment system should be on a completely separate wire. The ONLY access user interactive devices should have to the high speed CAN and engine control module should be for the HUD. Having an internet connected device with access to HS CAN is stupid and negligent.
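
The separation this comment asks for, sketched as an added example (not code from the article, the researchers or any automaker): a default-deny gateway between the infotainment segment and the high-speed CAN bus that forwards only allowlisted, read-only frames toward the head unit. The CAN identifiers, port names and rate limits are assumptions made up for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A CAN frame has no sender field, so the only origin a gateway can trust
 * is the physical segment (port) the frame arrived on. */
typedef enum { PORT_INFOTAINMENT = 0, PORT_POWERTRAIN = 1 } port_t;
typedef enum { FWD, DROP_NO_RULE, DROP_BAD_LEN, DROP_RATE } verdict_t;

typedef struct {
    uint32_t id;       /* 11-bit identifier */
    uint8_t  dlc;      /* payload length, 0..8 */
    uint8_t  data[8];
} can_frame_t;

typedef struct {
    port_t   ingress;     /* segment the frame must arrive on */
    uint32_t id;
    uint8_t  dlc;         /* exact payload length expected */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
} rule_t;

/* Constructed policy; the identifiers are hypothetical, not Uconnect's.
 * There is deliberately no PORT_INFOTAINMENT rule: the head unit may read
 * speed and gear for display, but nothing it sends crosses the gateway. */
enum { N_RULES = 2 };
static const rule_t POLICY[N_RULES] = {
    { PORT_POWERTRAIN, 0x3E9, 2, 50 },   /* vehicle speed */
    { PORT_POWERTRAIN, 0x3F1, 1, 100 },  /* gear position */
};

typedef struct {
    bool     seen[N_RULES];
    uint32_t last_ms[N_RULES];
    uint32_t dropped[2];   /* per-ingress drop counters, usable for alerting */
} gateway_t;

void gateway_init(gateway_t *gw) { memset(gw, 0, sizeof *gw); }

/* Decide whether a frame that arrived on segment `in` may cross the gateway. */
verdict_t gateway_check(gateway_t *gw, port_t in, const can_frame_t *f,
                        uint32_t now_ms)
{
    verdict_t v = DROP_NO_RULE;          /* default deny */
    for (int i = 0; i < N_RULES; i++) {
        const rule_t *r = &POLICY[i];
        if (r->ingress != in || r->id != f->id)
            continue;                    /* same ID on the wrong port never matches */
        if (f->dlc != r->dlc) { v = DROP_BAD_LEN; break; }
        /* unsigned subtraction stays correct across timer wrap-around */
        if (gw->seen[i] && now_ms - gw->last_ms[i] < r->min_gap_ms) {
            v = DROP_RATE;
            break;
        }
        gw->seen[i] = true;
        gw->last_ms[i] = now_ms;
        return FWD;
    }
    gw->dropped[in]++;
    return v;
}

/* Runs a constructed trace through the gateway; returns frames forwarded. */
int run_demo(void)
{
    static const struct { port_t in; can_frame_t f; uint32_t t; } trace[] = {
        { PORT_POWERTRAIN,   { 0x3E9, 2, { 0x12, 0x34 } },  0 }, /* forwarded      */
        { PORT_POWERTRAIN,   { 0x3E9, 2, { 0x12, 0x35 } }, 10 }, /* too frequent   */
        { PORT_INFOTAINMENT, { 0x3E9, 2, { 0xFF, 0xFF } }, 20 }, /* wrong segment  */
        { PORT_POWERTRAIN,   { 0x3F1, 3, { 1, 2, 3 } },    30 }, /* wrong length   */
        { PORT_POWERTRAIN,   { 0x3F1, 1, { 4 } },          40 }, /* forwarded      */
        { PORT_INFOTAINMENT, { 0x123, 8, { 0 } },          50 }, /* no rule at all */
    };
    gateway_t gw;
    int forwarded = 0;
    gateway_init(&gw);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (gateway_check(&gw, trace[i].in, &trace[i].f, trace[i].t) == FWD)
            forwarded++;
    return forwarded;
}

int main(void)
{
    printf("forwarded %d of 6 constructed frames\n", run_demo());
    return 0;
}
```

The third trace entry reuses an allowlisted identifier but arrives on the infotainment segment, so it is dropped: the decision is made on the ingress port, which a compromised head unit cannot change.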

Jack says:

Re: Terrible Design

It is absolutely a terrible design and I am sure they are totally aware of their negligence and simply believe the reward far outweighs the risk. There is a huge upside to the manufacturer to have remote access to the HS CAN and ECU – they have full access to the ECU which will allow them to actively monitor mileage, RPM, throttle and brake position, fuel trims, timing adjustments, etc. which can cut warranty work costs to a fraction of what they are since they can proactively throw on the flashing check engine light and retard timing before a problem gets out of control. Also, it allows them to remotely flash the ECU for any software related service bulletin and such which will further reduce their costs. On top of that, they have the added benefit of being able to track all of that with the user’s GPS positioning for marketing through things like geofenced ads and will give them a treasure trove of data to sell.

gorehound (profile) says:

Just because it says “SMART” somewhere on the product does not mean it actually has any intelligence.

PS:
I love my “DUMB PHONE” !!! It’s a nice fliptop that has text disabled and works like a phone should.
I also love my home designed workstation which when I go Online is on a VPN and up to Date with all the protections us computer people know about.

I also am a proud Dinosaur. I’m sitting on a 20 Grand Book Collection and no it is not on some little hard drive. Mine are real physical books….1st Editions and Pulp Mags.

Already being willed to my heir and all Non-Fictions going up for donation to the local Portland, Maine Library.

tqk (profile) says:

"Old fogey" ahead ...

I’m going to fall back on a truism of mine: “Lots of things can be computerized or automated, but lots of things just shouldn’t be, for many various reasons.” This sounds too much like the latter to me. This is not a trivial problem, and verifying you’ve produced a robust solution is far more complex than they think it is.

Yes, perhaps it *can* be done both safely and effectively eventually, but I very much doubt that those doing it today are going to get it right any time soon, I very much doubt they’ve sufficiently analysed the problem(s), and too many victims are going to be buried before they either get it right or abandon the idea.

This “tech” (and I use that term loosely) is nowhere near ready for prime time, and it’s way too overloaded with corporate BS priorities (simpler and easier updates, customer to corporate communication facilitation, infotainment, …). I do not believe those practicing software or hardware design and implementation have learned sufficiently the lessons the Therac 25 episode offered us (in fact, I doubt they’ve ever even heard of it).

I’m surprised they managed to get the corporate go-ahead, and even more surprised it made it past the regulators. This just stinks of, “It compiles! Ship it!!!”

This sounds like a litigation bonanza in the making. I’ll pass, thanks very much.
