Software Integrity Blog


Car-hacking duo returns to Black Hat USA 2016

Dr. Charlie Miller and Chris Valasek once again hacked a vehicle, although not remotely. They also announced their retirement from car hacking.

In their latest talk at Black Hat, the pair used what they called “Message Confliction” to control a car driving at speeds of around 30 mph. They were not able to do so remotely (that is, outside the car). Although they claim it is possible, they nonetheless used a cable plugged into the OBD-II port inside the car to feed the vehicle conflicting information.

The pair started off by talking about what protections are built into the vehicle. For example, much of their attack depends on interrupting the ECUs in the car by putting them into diagnostic mode or “bootrom” mode.

As a protection, vehicles ordinarily cannot be put into bootrom mode if it is traveling more than 5 mph. How does it know? It knows from the sensors. There is a constant feed of information from the ECUs to the CAN bus.

The pair also found that if the ECU should receive conflicting information (say from an attack and legitimate traffic), it would error on the side of caution and shut down.

So the duo decided to play with the natural messages from the ECU. They found that if they could send their own message a few nanoseconds before the legitimate message, the CAN bus would ignore the second (legitimate) message. So they put the legitimate ECU into bootrom mode, allowing them to send their own commands to the CAN bus, effectively taking control of the steering or brake functions. Once in bootrom mode, the ECU would expect some update firmware, so the duo did re-reprogram the ECU, but back to its original state so they didn’t brick their vehicle.

Although Miller and Valasek both work for Uber, they refused to talk about the new relationship and said these hacks were done on their own, on nights and weekends over the last four years. They have spent about $6,500 in mechanics’ fees, include $10 to a farmer who towed their disabled vehicle out of a cornfield last week. The vehicle they used for testing was purchased by IOActive, a company that Valasek left. Now that they have retired from auto hacking, Valasek said they will need a new hobby.

In a statement provided to USA Today, Fiat Chrysler America (FCA) said “while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.” The carmaker also said that it appeared that Miller and Valasek had rolled back some of the additional protections FCA put in last year in order for their attack to work.

At a press conference afterward, Miller and Valasek clarified they only experimented on American cars. They said that each car was different and the cost of purchasing the car, then learning all the proprietary issues with it was prohibitively high for anyone seeking to hack cars in general. The vulnerabilities they found were specific to the cars they tested and then again specific to the models of cars they tested. The vulnerabilities they found may not be universal.

Over the years they used only a few tools, including one open source tool, Vehicle Spy, and IDA PRO. The latter two are paid products.

They also provided some guidance for the auto industry. They said that the diagnostics mode should only work while the car is in park. They said the CAN bus was never really designed for security, so encryption isn’t an answer here. They did conclude that more resilient software code is needed along with code signing to prevent random updates (such as theirs).


More by this author