LAS VEGAS—Charlie Miller and Chris Valasek figuratively drove off into the sunset today at Black Hat, hanging up their car hacking exploits for good and leaving behind a pioneering legacy that elevated this type of research into the mainstream.

“It’s time someone else pick it up,” Valasek said. “We did our part and it’s time we hang up car hacking.”

Valasek and Miller have published five extensive research papers and done numerous talks at industry events on vulnerabilities and hacks of Ford, Toyota and Jeep vehicles. Each time they elevated their work into new facets of local and remote attacks against critical functionality such as acceleration, steering and braking that could be abused and affect the physical safety of drivers.

The landmark moment of their work came last year when Fiat Chrysler America instituted a recall of 1.4 million Jeeps in order to patch flaws that could allow an attacker to remotely control the vehicle.

Today’s talk was less sensational and likely won’t have the same dramatic result, Miller and Valasek said. Nonetheless, they demonstrated how they could, with physical access via a diagnostic port, bypass existing checks in communication between vehicle systems that allowed them to control steering with a vehicle at speed.

The problem Miller and Valasek said they had to sidestep was something they called message confliction, in which if certain values read by the vehicle’s CAN Bus (Controller Area Network) conflict, systems shut down. Building on last year’s remote attack where they exploited flaws in the CAN bus to force the Jeep to brake on the highway, this year the researchers reverse engineered firmware in the Electronic Communication Unit (ECU) and figured out how to take it offline and re-flash with their own code.

The result was to trick the vehicle’s power steering control module into thinking it was in diagnostic mode while driving at speed, allowing them to make sharp turns that would be difficult for a driver to recover. A separate attack allowed them to engage the parking brake at speed and keep it engaged, requiring the vehicle to be towed if it could not be reprogrammed.

“The steering is the most concerning one. We were able to turn the wheel at arbitrary speeds, which is obviously dangerous,” Miller said. “We put it into diagnostic mode while driving, which it should not do. In fact, Chrysler is so paranoid about safety, they prohibit it even if the car is running and in park—zero RPMs.

“We were able to go beyond that. We faked the RPMs, faked the speed and put it into diagnostic mode,” Miller said, adding that this was the only issue he and Valasek reported to Fiat Chrysler America.”

Miller and Valasek said update cycles in vehicle design are slow, meaning it could be years before systems are re-engineered with security in mind. In the meantime, they advocate detection systems be built that mimic protections in place in IT environments and that code signing be in place that prevents third-party code from running.

“We need code signing—not two-byte checksums—we need IDS and IPS concepts that we understand well at that level and apply them here,” Valasek said.

Categories: Black Hat, Hacks, IoT

Comments (3)

  1. jdgalt
    1

    The car companies will continue to laugh this off right up until somebody dies, and his family lawyer drags this paper into court. Then it will make them do the job they should be doing now. I hope.

  2. SCI Solutions
    2

    With autonomous cars, car hacking will only be that much more dangerous without someone actively engaging with the cars braking and acceleration (do we need overrides?)

  3. Gerald and Debra Steck
    3

    How about I have had ny entire world destroyed because of an iphone used for hands free calling an apple itunes account with onstar using the account for their monthly payment. The OnStar antenna is capable of apple pay and at the hands of one unencrypted bank at the time (TD) have had my bank accts hacked my home foreclosed on my car repoed by those removing the EDR’s and wanting to hide all of this and paint me as committing all types of fraud. I am now trying not to slit my wrist while I climb out of this 80 foot ditch with no legal help. They sere also able to paint me as just identity theft. I would rather have my brakes controled and killed instantly. Sorry if that’s insensitive but starting over at 50 and appearing like a derelict of society in my opinion is worse. Thanks GM.

Comments are closed.