LAS VEGAS – Charlie Miller and Chris Valasek have proven to be adept backseat drivers.
Noted for their car-hacking exploits, Miller and Valasek have gained fame at hacking conferences and on Fox News for forcing automobiles to do their bidding. However, until today’s talk at the Black Hat 2014 conference, the two researchers’ exploits required them to be plugged in directly to their targets, literally sitting in the back seat of an automobile injecting code into its computers.
Miller and Valasek delivered a brisk talk explaining the soft spots in automobile networks that open a car up to remote exploit. They also provided a quick overview of specific car makers’ and models’ exploitability and demonstrated their version of an intrusion detection system that blocks some of their remote exploits.
“We looked for a big attack surface,” said Miller, a security engineer at Twitter.
Remote car attacks don’t look much different than attacks against conventional networks, Miller said. Attackers need a vulnerability in wireless communication protocol, such as Bluetooth, and then take that over in order to have the ability to pass messages to different functions of the car, such as steering or braking.
The researchers said that many car manufacturers segment their autos’ internal networks, forcing communication through a centralized bus that would require a hacker to go through two hops in order to force the car to brake hard or take over steering, for example. Some vehicles, such as the Cadillac Escalade 2015, have a radio module that sits on a low- and high-speed bus, they said, enabling a hacker to send messages to both ends if they’re able to get in.
“Car hacking is hard,” Miller said. “There’s lots of complexity, and the more technology you introduce, the more problems you have.”
Further complicating the scenario is the difficulty in patching automobile software. Valasek said there are significant costs to the manufacturer, not only in producing the patch, but also in contacting customers who then must take their vehicles to a dealer for a software update.
“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” said Valasek, director of vehicle security research at IOActive.
Once an attacker finds a vulnerability that allows him to send messages over Bluetooth, for example, it’s helpful if the vehicle has a lot of what the researchers call cyber-physical features to exploit. Some of those include self-parking, active lane control, pre-collision systems and adaptive cruise control. All of those require some communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.
Some features are more inviting to attackers than others. The passive antitheft system, tire pressure monitoring system or remote keyless entry offer a limited attack surface, either because they don’t exchange a lot of data or require close proximity for communication.
Bluetooth capabilities, the radio data system and telematics systems that allow cellular or Wi-Fi capabilities, significantly expand a car’s attack surface. Worse, on the horizon are either in-car apps, or connectivity to the Internet via a web browser.
“Lots more people know how to write a Web exploit than a TPMS exploit,” Valasek said. “A lot of people can write a malicious app, or pop a browser. If that’s on the same network as your brakes or steering, that’s bad.”
“This is growing, and the scariest area,” Miller added.
Valasek said his and Miller’s goals for this segment of their research was to look at a broader scope of cars, how they communicate wirelessly to the outside world, and provide a lightweight Consumer Reports-type of rating system.
“Why can’t we as an industry start rating automobiles, and hopefully that promotes changes within organizations,” Valasek said.
Miller and Valasek said they will release a 95-page paper detailing their findings on a number of new automobiles from Audi, Honda, Infiniti, Jeep, Dodge and others.