Hackers expose cars
Security researchers exploit Jeep and Tesla’s vulnerabilities through infotainment system
Last month, security researchers Chris Valasek and Charlie Miller made headlines when they remotely hacked a Jeep Cherokee, killing the transmission as a Wired reporter drove at high speed down the freeway.
Valasek and Miller released the final piece of their research at both Black Hat on August 5 and DEF CON 23, days before two other researchers disclosed the vulnerabilities and strengths of the Tesla S.
Even unrelated talks mentioned something about Tesla or Jeep, and regular attendees were encouraged to sit in an officially-sponsored Tesla and hack car components in an open sandbox, a first of its kind at DEF CON. Clearly, vehicle hacking had become a thing.
Old system opened door
The vulnerability in the Jeep Cherokee revolved around weaknesses in the car’s Uconnect infotainment system distributed by Harman. A common strategy for hackers is to look for vulnerabilities in often less-secure user-facing systems, then to pivot from there to more secure (and important) systems. In this case, the hackers found an open port and a process in the infotainment system already designed to execute code, which allowed them to inject a few lines of Python.
Now able to navigate the system with root privileges, they spent months reverse engineering the firmware and adding their own code to it, providing a means to send malicious instructions to systems including the transmission and brakes.
Even without the firmware exploit, hackers can still use the infotainment API to play with functions like the radio and wipers, as well as track the car via GPS data. Worse, all of this could be done remotely, from anywhere in the world as long as a hacker was on Sprint’s network.
The exploit resulted in recalls of 1,4 million vehicles spanning three years of models in the Fiat Chrysler (FCA) line, including the 2014 Durango and the 2013-2014 line of Ram pickups. Sprint blocked traffic on port 6667, and U.S. Senator Edward Markey introduced legislation that had been months in the making.
While Harman systems are used in many other makes of cars, the company stated that only the FCA vehicles were vulnerable because the car company used an older model of the infotainment system.
Valasek, who is the director of vehicle security research for IOActive, and Miller previously hacked a 2010 Toyota Prius and a 2010 Ford Escape, but this required physical access through the cars’ ports, as we reported in August 2013.
Tesla ‘like an airplane’
Jeep hasn’t been the only target for security researchers in recent months. The Tesla S was chosen by Marc Rogers and Kevin Mahaffey because they considered it the most connected car currently in production, even referring to it as a “data centre on wheels”.
They attempted to get access to the same attack surface as Miller and Valasek did with the Jeep: the infotainment system. However, they discovered that the Tesla’s infotainment systems are set up more like an airplane than a car, with the important items more highly secured. While they were able to obtain root access on the infotainment system, they were only able to perform actions that were legitimately in the API, though that still included altering speed readouts, unlocking and locking doors, opening windows, and lowering and raising the suspension.
While they did discover some weaknesses, such as a security token that was set as a password in plain text and an older browser that was a couple steps removed from the source (which makes for slower updates), they also discovered some strengths to the Tesla design.
Unlike the Jeep, the Tesla has a gateway between the touchscreen entertainment system and the auto systems, which Rogers and Mahaffey believed wasn’t hackable, though they hadn’t yet tried. Additionally, interfering with the infotainment API did not cause complete vehicle failure, as with the Jeep, but instead gave a warning about applying brakes at speed while preserving the driver’s ability to use the steering and brakes.
Another major difference between the Jeep Cherokee and the Tesla S hacks lies in how the companies were able to handle the fallout from the situation. Miller and Valasek initially disclosed the vulnerabilities to FCA months ago on October 24, 2014, with the recall not occurring until shortly before the conferences.
While ports are now blocked on the affected models and drivers can’t purchase WiFi for an unpatched vehicle, the recall and the negative publicity represent a significant loss of money and reputation for the company, as opposed to Tesla, which was able to release an automated update that was pushed to all users. — Gizmag.
• Tesla showed up to DEF CON 23 last week to address the audience after “tame” hackers Marc Rogers and Kevin Mahaffey finished their presentation on the difficulties of hacking into Tesla’s systems.
In what the website Tom's Hardware described as a presentation that felt “of being co-opted by Tesla, possibly because of the 20 or so Tesla employees sitting in front”, the Tesla employees awarded the hackers Tesla challenge coins and announced that the company's bug bounty programme, run through Bugcrowd, would be increased to up to $10 000 (about R120 000).
This month’s DEF CON 23 taught that if your car has a three-year-old Harman system to connect to the Internet, hackers can get in and take over your vehicle.