LAS VEGAS—Charlie Miller and Chris Valasek figuratively drove off into the sunset today at Black Hat, hanging up their car hacking exploits for good and leaving behind a pioneering legacy that elevated this type of research into the mainstream.
“It’s time someone else pick it up,” Valasek said. “We did our part and it’s time we hang up car hacking.”
Valasek and Miller have published five extensive research papers and done numerous talks at industry events on vulnerabilities and hacks of Ford, Toyota and Jeep vehicles. Each time they elevated their work into new facets of local and remote attacks against critical functionality such as acceleration, steering and braking that could be abused and affect the physical safety of drivers.
The landmark moment of their work came last year when Fiat Chrysler America instituted a recall of 1.4 million Jeeps in order to patch flaws that could allow an attacker to remotely control the vehicle.
Today’s talk was less sensational and likely won’t have the same dramatic result, Miller and Valasek said. Nonetheless, they demonstrated how they could, with physical access via a diagnostic port, bypass existing checks in communication between vehicle systems that allowed them to control steering with a vehicle at speed.
The problem Miller and Valasek said they had to sidestep was something they called message confliction: when certain values on the vehicle’s CAN bus (Controller Area Network) conflict, systems shut down. Building on last year’s remote attack, in which they exploited flaws in the CAN bus to force the Jeep to brake on the highway, this year the researchers reverse-engineered firmware in the Electronic Communication Unit (ECU) and figured out how to take it offline and re-flash it with their own code.
The result was to trick the vehicle’s power steering control module into thinking it was in diagnostic mode while driving at speed, allowing them to make sharp turns that would be difficult for a driver to recover from. A separate attack allowed them to engage the parking brake at speed and keep it engaged, requiring the vehicle to be towed if it could not be reprogrammed.
“The steering is the most concerning one. We were able to turn the wheel at arbitrary speeds, which is obviously dangerous,” Miller said. “We put it into diagnostic mode while driving, which it should not do. In fact, Chrysler is so paranoid about safety, they prohibit it even if the car is running and in park—zero RPMs.
“We were able to go beyond that. We faked the RPMs, faked the speed and put it into diagnostic mode,” Miller said, adding that this was the only issue he and Valasek reported to Fiat Chrysler America.
Miller and Valasek said update cycles in vehicle design are slow, meaning it could be years before systems are re-engineered with security in mind. In the meantime, they advocate building detection systems that mimic the protections in place in IT environments, and putting code signing in place to prevent third-party code from running.
“We need code signing—not two-byte checksums—we need IDS and IPS concepts that we understand well at that level and apply them here,” Valasek said.
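As an added illustration of the IDS idea Valasek describes, applied to the steering attack above (the conflicting speed values and a diagnostic session requested while the car is moving): this is example code written for this article, not the researchers' tooling or any vendor's product. The CAN IDs, byte layouts and the capture are constructed; only the UDS DiagnosticSessionControl service id 0x10 is real, from ISO 14229.

```python
from collections import deque

# Constructed CAN IDs and byte layouts for this example; they are not the Jeep's real ones.
SPEED_ID = 0x1F1                       # vehicle speed, km/h in byte 0
RPM_ID = 0x1F2                         # engine rpm, 16-bit big-endian in bytes 0-1
DIAG_REQ_ID = 0x7E0                    # ISO-TP request channel to the steering module (assumed)
SID_DIAGNOSTIC_SESSION_CONTROL = 0x10  # ISO 14229 (UDS) service id, after the ISO-TP length byte
WINDOW = 0.5                           # seconds of history kept per signal
MAX_JUMP = 20                          # km/h change that is implausible between consecutive frames

def parse_log(text):
    """Parse 'timestamp ID#HEXDATA' lines (candump-like) into (ts, can_id, data) tuples."""
    frames = []
    for line in text.strip().splitlines():
        ts, rest = line.split()
        can_id, payload = rest.split("#")
        frames.append((float(ts), int(can_id, 16), bytes.fromhex(payload)))
    return frames

def detect(frames):
    """Alert on conflicting speed values (a second node spoofing the signal) and on a
    diagnostic-session request while any reading in the window says the car is moving."""
    speeds, rpms, alerts = deque(), deque(), []
    for ts, cid, data in frames:
        for history in (speeds, rpms):           # forget readings older than WINDOW
            while history and ts - history[0][0] > WINDOW:
                history.popleft()
        if cid == SPEED_ID:
            v = data[0]
            if speeds and abs(v - speeds[-1][1]) > MAX_JUMP:
                alerts.append(f"{ts:.3f} conflicting speed: {speeds[-1][1]} then {v} km/h")
            speeds.append((ts, v))
        elif cid == RPM_ID:
            rpms.append((ts, int.from_bytes(data[:2], "big")))
        elif cid == DIAG_REQ_ID and len(data) > 1 and data[1] == SID_DIAGNOSTIC_SESSION_CONTROL:
            # Check the whole window, not just the last frame: a spoofed zero must not
            # hide the genuine 80 km/h reading that arrived a few milliseconds earlier.
            if any(v > 0 for _, v in speeds) or any(r > 0 for _, r in rpms):
                alerts.append(f"{ts:.3f} diagnostic session requested while moving")
    return alerts

# Constructed capture: genuine 80 km/h and 3000 rpm, spoofed zeros, then a session
# request at 0.040 s; the request at 5.010 s with the car stopped is legitimate.
SAMPLE_LOG = """0.000 1F1#50
0.010 1F2#0BB8
0.020 1F1#00
0.030 1F2#0000
0.040 7E0#021003
5.000 1F1#00
5.010 7E0#021003"""
```

Running `detect(parse_log(SAMPLE_LOG))` yields two alerts for the 0.020 s conflict and the 0.040 s request, and none for the stopped-car request; the window-based check is what prevents a faked zero from masking the real speed, which a last-value check would miss.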