Posted by Robert Vamosi on August 5, 2016
Dr. Charlie Miller and Chris Valasek once again hacked a vehicle, although not remotely this time. They also announced their retirement from car hacking.
In their latest talk at Black Hat, the pair used what they called “message confliction” to take control of a car travelling at around 30 mph. They did not do so remotely (that is, from outside the car). Although they maintain that a remote version is possible, they used a cable plugged into the OBD-II port inside the car to feed the vehicle conflicting information.
The pair started by describing the protections built into the vehicle, because much of their attack depends on interrupting the car's ECUs by putting them into diagnostic or “bootrom” mode.
As a protection, an ECU ordinarily cannot be put into bootrom mode while the vehicle is travelling faster than 5 mph. How does it know the speed? From the sensors: there is a constant feed of information from the ECUs onto the CAN bus.
The pair also found that if an ECU receives conflicting information (say, from an attack and from legitimate traffic at the same time), it errs on the side of caution and shuts down.
So the duo decided to play with the natural messages from the ECU. They found that if they could get their own message onto the bus just ahead of the legitimate message, the receiving ECU would act on theirs and ignore the second (legitimate) message. They then put the legitimate ECU into bootrom mode, which stops it transmitting, leaving them free to send their own commands onto the CAN bus and take control of the steering or brake functions. Once in bootrom mode, the ECU expects a firmware update, so the duo did reprogram the ECU, but with its original firmware, so they didn't brick the vehicle.
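The interplay of the two protections described above (a speed gate on diagnostic mode, and a receiver that faults on conflicting frames) is easier to see in a small model. The following is an added illustration written for this post, not code from Miller and Valasek's talk or from any vehicle; the CAN IDs, the 10 ms period, the two-byte payloads and the receiver's conflict rule are all constructed assumptions. It shows why naive injection from the OBD-II port trips the fault, why the bootrom request is refused at speed, and why silencing the legitimate sender first lets injected frames through.

```python
"""Toy model of the CAN behaviours described in the post: a receiving module
that faults on conflicting frames, and a sending ECU whose bootrom (reflash)
session is refused above 5 mph.  Constructed illustration only; the IDs,
period and payloads are assumptions, not values from any real vehicle."""
from __future__ import annotations
from dataclasses import dataclass, field

SPEED_ID = 0x200         # assumed ID of the periodic vehicle-speed frame
STEER_ID = 0x300         # assumed ID of the periodic steering-command frame
MAX_DIAG_SPEED_MPH = 5   # the gate the post describes
PERIOD_MS = 10           # assumed broadcast period of the steering frame
NEUTRAL = b"\x00\x00"    # assumed "no steering input" payload


@dataclass
class Frame:
    t_ms: int
    can_id: int
    data: bytes


@dataclass
class SenderECU:
    """Legitimate ECU: broadcasts STEER_ID every period unless it has been
    parked in bootrom mode, in which case it waits for a firmware image."""
    in_bootrom: bool = False
    last_speed_mph: int = 0

    def observe(self, f: Frame) -> None:
        # The speed gate's only input is the speed frame seen on the bus.
        if f.can_id == SPEED_ID:
            self.last_speed_mph = f.data[0]

    def request_bootrom(self) -> bool:
        if self.last_speed_mph > MAX_DIAG_SPEED_MPH:
            return False          # refused: vehicle is moving
        self.in_bootrom = True
        return True

    def reflash(self, image: bytes) -> None:
        # Accepts any image: this model has no code signing.
        self.in_bootrom = False

    def broadcast(self, t_ms: int) -> list[Frame]:
        return [] if self.in_bootrom else [Frame(t_ms, STEER_ID, NEUTRAL)]


@dataclass
class ReceiverECU:
    """Module that acts on STEER_ID.  Two different payloads for the same ID
    within one period count as conflicting information and trip a fault."""
    faulted: bool = False
    last: dict[int, Frame] = field(default_factory=dict)
    applied: list[bytes] = field(default_factory=list)

    def receive(self, f: Frame) -> None:
        if self.faulted or f.can_id != STEER_ID:
            return
        prev = self.last.get(f.can_id)
        if prev and f.t_ms - prev.t_ms < PERIOD_MS and prev.data != f.data:
            self.faulted = True   # err on the side of caution: shut down
            return
        self.last[f.can_id] = f
        self.applied.append(f.data)


def run(speed_mph: int, silence_sender: bool, inject: bytes, ms: int = 50) -> dict:
    """Simulate `ms` milliseconds of bus traffic.  An attacker on the OBD-II
    port injects `inject` as STEER_ID every period, optionally after first
    trying to park the legitimate sender in bootrom mode."""
    sender, rx = SenderECU(), ReceiverECU()
    bootrom_ok = False
    for t in range(0, ms, PERIOD_MS):
        speed = Frame(t, SPEED_ID, bytes([speed_mph]))
        sender.observe(speed)
        rx.receive(speed)
        if t == 0 and silence_sender:
            bootrom_ok = sender.request_bootrom()   # attacker's first step
        for f in sender.broadcast(t):               # legitimate frame (if any)
            rx.receive(f)
        rx.receive(Frame(t, STEER_ID, inject))      # attacker's frame, same cycle
    if bootrom_ok:
        sender.reflash(b"original-image")           # restore, as the duo did
    return {"bootrom": bootrom_ok, "faulted": rx.faulted,
            "attacker_applied": rx.applied.count(inject)}


if __name__ == "__main__":
    for speed, silence in [(30, False), (30, True), (3, False), (3, True)]:
        print(f"speed={speed:2d} silence_sender={silence!s:5}",
              run(speed, silence, b"\xff\x00"))
```

Only the fourth scenario (below 5 mph, sender silenced first) gets the attacker's frames applied; at 30 mph the bootrom request is refused and the legitimate frames keep arriving, so the receiver faults instead of steering. Note that in this model the gate's input is itself an unauthenticated bus frame and the reflash accepts any image, which is exactly where the talk's guidance on diagnostic mode and code signing applies.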
Although Miller and Valasek both work for Uber, they declined to talk about the new relationship and said these hacks were done on their own, on nights and weekends over the last four years. They have spent about $6500 in mechanics' fees, including $10 to a farmer who towed their disabled vehicle out of a cornfield last week. The vehicle they used for testing was purchased by IOActive, a company Valasek has since left. Now that they have retired from auto hacking, Valasek said they will need a new hobby.
In a statement provided to USA Today, Fiat Chrysler Automobiles (FCA) said “while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.” The car maker also said that Miller and Valasek appeared to have rolled back some of the additional protections FCA put in place last year in order for their attack to work.
At a press conference afterward, Miller and Valasek clarified that they had only experimented on American cars. Each car is different, they said, and the cost of buying a car and then learning all of its proprietary details is prohibitively high for anyone seeking to hack cars in general. The vulnerabilities they found were specific to the cars they tested, and again to the particular models they tested; they may not be universal.
Over the years they used only a few tools: one open-source tool, plus Vehicle Spy and IDA Pro, both of which are commercial products.
They also offered some guidance for the auto industry: diagnostic mode should only work while the car is in park; the CAN bus was never designed with security in mind, so encryption isn't the answer here; and more resilient code is needed, along with code signing to prevent arbitrary firmware updates (such as theirs).