Car Hackers Come Back to Black Hat with Fresh Attacks to Drive You Off the Road
Over the last few years, Charlie Miller and Chris Valasek have done dramatic work attacking connected cars. Now, they come back to Black Hat to show off their latest research. And this time, they can do even more.
The Story So Far
The rest of the automotive industry also seems to have heard at least some of the duo’s warnings. Previous attacks had used diagnostic messages sent to microcomputers within the car. “[With] any car made in the last five years, you can’t send diagnostic messages while the car is traveling more than a few miles an hour.”
On the Road Again
For most of the team’s previous attacks, they used diagnostic messages, but new restrictions prevented that. Plus, they had lost the ability to communicate remotely with their hacked vehicles since Chrysler made changes to the wireless Internet connections.
In order to communicate with the vehicles, Miller and Valasek discovered that a particular USB to Ethernet adapter automatically created an SSH connection when plugged into the Jeep’s dash. The team already knew the password from previous research: dtdonkey.
“I’d like to know what the inside joke is about ‘dtdonkey,’” said Valasek.
By injecting CAN messages into a vehicle’s network, the researchers found that they were able to perform simple tasks like changing the speedometer reading. More dangerous actions, like applying the brakes or seizing remote control of the vehicle, are more challenging. The problem was what the team described as “message confliction.”
One of the onboard ECU computers, say, the one responsible for the brakes, would be regularly sending out a CAN message saying “don’t apply the brakes.” If an attacker injected the message to “engage the brakes,” the receiving computer would be confused by the mixed messages. In most cases, the computers are designed to simply shut off in the case of message confliction, thus preventing future attacks. The team demonstrated this by showing how they could change the speedometer output. We could clearly see the needle wobbling back and forth between zero MPH, the car’s true speed, and forty MPH, the false value sent by the team.
Miller and Valasek proposed a different approach to injecting CAN messages, one that simply went around some of the restrictions. Because the car’s computers would shut down if they received too many conflicting messages, the team timed the sending of malicious messages to make sure they arrived just before the legitimate messages.
The team also showed that they were able to simply disable these microcomputers. To do it, they spoofed the vehicle’s speed to convince the computers that the vehicle was stationary and thus able to enter diagnostic mode. Once done, the team forced the target ECU to reprogram itself. Halfway through the process they stopped, effectively killing the ECU.
This made it possible to lock the emergency brake, alter steering, and even increase the acceleration of vehicles. In one example, the team turned off the power steering, forcing the driver to grapple with the mass of the vehicle plus the now-inert motors intended to assist in driving.
“I’ve driven a car without power steering and [this is] more difficult than that,” said Valasek.
The team also found they were able to engage the automatic parking module while the vehicle was in motion at any speed. This caused the wheel to jerk abruptly in one direction, causing smoke, skids, and squealing tires. During one of their tests, the duo wound up in a ditch in rural Missouri, and were rescued by some passersby who charged them a mere $10 for the effort.
Take It to the Shop
“We need to apply the methodologies we use for corporate IT,” said Valasek.
They also called for the creation of a system to detect and log message confliction. Some vehicles have ‘black box’ recorders for when the airbag is engaged. Logging why the steering module abruptly turned off should be at least as important. The team seemed especially frustrated on this point because a simple device they developed years ago was capable of logging and detecting exactly the kind of attacks they demonstrated.
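To make the idea of detecting and logging message confliction concrete, here is an added sketch (not code from Miller and Valasek or from this article) that scans a bus log for a periodic CAN ID whose frames suddenly arrive far too close together with disagreeing payloads. The log lines use the can-utils `candump -l` text format; the ID `0F1`, the payloads and the 0.5 threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in "candump -l" log format: (time) iface ID#DATA.
# ID 0x0F1 and every payload below are invented for this example.
SAMPLE_LOG = """\
(100.000) can0 0F1#0000
(100.020) can0 0F1#0000
(100.040) can0 0F1#0000
(100.059) can0 0F1#2800
(100.060) can0 0F1#0000
(100.079) can0 0F1#2800
(100.080) can0 0F1#0000
(100.100) can0 0F1#0000
(100.120) can0 2A0#11
"""

LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, can_id, payload_hex) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(3), 16), m.group(4).upper()

def find_conflicts(log, early_ratio=0.5):
    """Flag pairs of same-ID frames that are much closer together than
    that ID's usual period and carry different payloads."""
    by_id = defaultdict(list)
    for ts, can_id, data in parse(log):
        by_id[can_id].append((ts, data))
    alerts = []
    for can_id, frames in by_id.items():
        gaps = [b[0] - a[0] for a, b in zip(frames, frames[1:])]
        if len(gaps) < 3:
            continue  # too few frames to estimate a period
        period = median(gaps)  # assumption: most of the log is normal traffic
        for (t0, d0), (t1, d1) in zip(frames, frames[1:]):
            if t1 - t0 < early_ratio * period and d0 != d1:
                alerts.append({"id": can_id, "time": t1,
                               "gap": round(t1 - t0, 4), "payloads": (d0, d1)})
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE_LOG):
        print("conflict on ID 0x%03X at %.3f: %s" % (
            alert["id"], alert["time"], alert["payloads"]))
```

A deployed logger would take each ID's period from a known-good baseline rather than from the capture under inspection, since sustained injection skews the median.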
Attacking connected cars is certainly material for a good techno-thriller novel, but it has little practical application to everyday attackers. There’s comparatively little payout in attacking a single connected car than, say, spamming millions of people with lucrative ransomware. Some futurists are looking forward to a day when cars travel in massive, autonomous fleets, or even to replacing cab and Uber drivers with autonomous systems that simply bring the car directly to you. In that kind of world, where dozens or hundreds of vehicles and passengers could be hijacked or held hostage, connected car research becomes a bit more pressing.
Not for the very first time, Miller and Valasek concluded their presentation by announcing their retirement. “We’re done,” said Valasek, citing the team’s five papers, thousands of lines of code, and collection of “crazy-ass movies.” While the two are ready to move on to fresh challenges, they pointed out that there was still a slew of work to be done in automotive hacking.
“Get your car,” said Miller. “And hack on it.”
Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He’s also PCMag’s foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the innards of the Dark Web, he can be found working to find the one hundred Best Android Apps. Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com.