Hackers expose cars

Security researchers exploit Jeep and Tesla’s vulnerabilities through infotainment system

The Witness - Wheels - - MOTORING - HEIDI HOOPES

LAST month, security researchers Chris Valasek and Charlie Miller made headlines when they remotely hacked a Jeep Cherokee, killing the transmission as a Wired reporter drove at high speed down the freeway.

Valasek and Miller released the final piece of their research at both Blackhat on August 5 and DEF CON 23, days before two other researchers disclosed the vulnerabilities and strengths of the Tesla S.

Even unrelated talks mentioned something about Tesla or Jeep and regular attendees were encouraged to sit in an officially-sponsored Tesla and hack car components in an open sandbox, a first of its kind at DEF CON. Clearly, vehicle hacking had become a thing.

Old system opened door

The vulnerability in the Jeep Cherokee revolved around weaknesses in the car’s Uconnect infotainment system distributed by Harman. A common strategy for hackers is to look for vulnerabilities in often less-secure user-facing systems, then to pivot from there to more secure (and important) systems. In this case, the hackers found an open port and a process in the infotainment system already designed to execute code, which allowed them to inject a few lines of Python.

Now able to navigate the system with root privileges, they spent months reverse-engineering the firmware and adding their own code to it, providing a means to send malicious instructions to systems including the transmission and brakes.

Even without the firmware exploit, hackers can still use the infotainment API to play with functions like the radio and wipers, as well as track the car via GPS data. Worse, all of this could be done remotely, from anywhere in the world as long as a hacker was on Sprint’s network.

The exploit resulted in recalls of 1,4 million vehicles spanning three years of models in the Fiat Chrysler (FCA) line, including the 2014 Durango and the 2013-2014 line of Ram pickups. Sprint blocked traffic on port 6667 and legislation was introduced that was months in the making by U.S. Senator Edward Markey.

While Harman systems are used in many other makes of cars, the company stated that only the FCA vehicles were vulnerable because the car company used an older model of the infotainment system.

Valasek, who is the director of vehicle security research for IOActive, and Miller previously hacked a 2010 Toyota Prius and 2010 Ford Escape but this required physical access through the cars’ ports, as we reported in August 2013.

Tesla ‘like an airplane’

Jeep hasn’t been the only target for security researchers in recent months. The Tesla S was chosen by Marc Rogers and Kevin Mahaffey because they considered it the most connected car currently in production, even referring to it as a “data centre on wheels”.

They attempted to get access to the same attack surface as Miller and Valasek did with the Jeep: the infotainment system. However, they discovered that the Tesla’s infotainment systems are set up more like an airplane than a car, with the important items more highly secured. While they were able to obtain root access on the infotainment system, they were only able to perform actions that were legitimately in the API, though that still included altering speed readouts, unlocking and locking doors, opening windows, and lowering and raising the suspension.

While they did discover some weaknesses, such as a security token that was set as a password in plain text and an older browser that was a couple steps removed from the source (which makes for slower updates), they also discovered some strengths to the Tesla design.

Unlike the Jeep, there is a gateway between the touchscreen entertainment system and the auto systems that Rogers and Mahaffey believed wasn’t hackable, though they hadn’t tried yet. Additionally, interfering with the infotainment API did not cause complete vehicle failure, as with the Jeep, but instead gave a warning about applying brakes at speed while preserving the driver’s ability to use the steering and brakes.

Another major difference between the Jeep Cherokee and the Tesla S hacks lies in how the companies were able to handle the fallout from the situation. Miller and Valasek initially disclosed the vulnerabilities to FCA months ago on October 24, 2014, with the recall not occurring until shortly before the conferences.

While ports are now blocked on the affected models and drivers can’t purchase WiFi for an unpatched vehicle, the recall and the negative publicity represent a significant loss of money and reputation for the company, as opposed to Tesla, which was able to release an automated update that was pushed to all users. — Gizmag.

• Tesla showed up to DEF CON 23 last week to address the audience after “tame” hackers Marc Rogers and Kevin Mahaffey finished their presentation on the difficulties of hacking into Tesla’s systems.

In what the website Tomhardware described as a presentation that felt “of being co-opted by Tesla, possibly because of the 20 or so Tesla employees sitting in front”, the Tesla employees awarded the hackers Tesla challenge coins and announced its bug bounty programme, run through Bug Crowd, would be increased to up to $10 000 (about R120 000).


This month’s DEF CON 23 taught that if your car uses a three-year-old Harman system to connect to the Internet, hackers can get in and take over your vehicle.
