Hacker History: The Time Charlie and Chris Hacked a Jeep Cherokee


It was the summer of 2015, and Wired reporter Andy Greenberg was driving a Jeep Cherokee in downtown St. Louis. The vents started blasting cold air at the maximum setting, the radio was blaring Skee-lo at full volume, and the windshield wipers turned on. Unlike the last time his car started acting up, the hackers weren't cackling in the backseat, but 10 miles away.

In this Hacker History video, renowned hackers Charlie Miller and Chris Valasek describe how they compromised the Jeep Cherokee via a vulnerability in Uconnect, the vehicle's Internet-connected entertainment system.

"We sent him [Greenberg] on the highway...and then we killed his engine essentially," Miller says in the video.

The flaw in Uconnect let anyone with the car's IP address gain access from anywhere in the country. Miller and Valasek were then able to send commands to the engine and wheels through the car's internal Controller Area Network (CAN). The CAN bus carries information between the vehicle's various electronic control units (ECUs) and the central controller. The ECUs handle adaptive cruise control, electronic brakes, parking assist and control of the steering column. That's a lot of things to potentially mess around with.

Fiat Chrysler recalled 1.4 million Jeep Cherokees and issued a patch closing that vulnerability.

"This is the first time that there's been a physical recall of a mass-produced product because of a software security issue," Miller says.

"It's awesome. That's what we want. We want it actually fixed. We don't want it broken forever," Valasek agrees.

Automotive security research is important, especially as automakers cram more and more computers and networked components into their vehicles. Automakers need to improve how they secure their cars earlier in the production cycle because it is far easier to fix the issues while the models are still in the lab than it is to issue a recall or release a patch.

There are several open source tools and hardware designs supporting car hacking. Security company GRIMM recently opened a security research lab for industrial control systems and connected vehicles. In 2017, Valasek and Miller released their research notes on how they hacked the Jeep along with some tools that they used in order to encourage other people to dig into automotive security.

"[We] released full details of all our work and nobody ever used it for malicious purposes and that was three years ago," Miller said.

Recently, Tencent's Keen Security Lab performed a security audit of several BMW cars and identified 14 different vulnerabilities. Four require physical USB access or access to the vehicle's OBD diagnostics port, six can be exploited remotely from outside the car, and the remaining four require some kind of physical access to the vehicle. One of the remote vulnerabilities can be exploited over Bluetooth.

After reading through the Tencent research, security engineer Florian Roth wondered about the potential attack. It would involve tracking when the target drives to work and on which highway, setting up a rogue base station alongside the route, and sending the command just as the car passes to make the car break.

"Wouldn't it be cheaper and more secure to hire a killer?" Roth asked on Twitter.

"This is true of all car hacking. It’s a tough way to hurt someone," Miller replied.

Miller and Valasek retired from car hacking after demonstrating at Black Hat 2016 how they hacked the Jeep Cherokee again to get even more control over the vehicle. “We are going to hang up car hacking, someone else can pick it up,” Valasek said at the time.

Just when we thought it was safe to drive again, Miller and Valasek are back. They will be talking about their experiences securing self-driving cars at Black Hat 2018.

Will Greenberg agree to another drive with these loons?