Over the last few years, Charlie Miller and Chris Valasek have done dramatic work attacking connected cars. Now, they return to Black Hat to show off their most recent research. And this time, they can do even more.
Over the past few years, Miller and Valasek have been at the center of car hacking. Last year, they successfully drove a Jeep off the road with a remote attack. It grabbed headlines around the world, and prompted Chrysler to make major changes in its vehicles, including a vehicle recall, USB updates mailed out to drivers, changes in how Wi-Fi hotspot packages could be purchased, and cutting off all TCP/IP traffic to the vehicles. “This actually made the vulnerability go away,” said Valasek. It also meant that there was no reason the vehicles needed that access in the first place, Miller pointed out.
The rest of the automotive industry also seems to have heard at least some of the duo’s warnings. Previous attacks had used diagnostic messages sent to microcomputers within the car. “[With] any car made in the last five years, you can’t send diagnostic messages while the car is traveling more than a few miles an hour.”
On the Road Again
Back on stage in 2016, and now gainfully employed by Uber, Miller and Valasek focused on Controller Area Network or CAN messages. Originally developed in 1986, CAN was designed to work very quickly and use short messages to coordinate devices connected to a controller computer. It’s an ideal scheme for embedded systems, such as those found in modern connected cars. In most modern vehicles, CAN messages are sent between the dedicated microcomputers for various vehicle systems, called ECUs (engine control units).
For most of the team’s previous attacks, they used diagnostic messages, but new restrictions prevented that. Plus, they had lost the ability to communicate remotely with their hacked vehicles since Chrysler made changes to the wireless Internet connections.
In order to communicate with the vehicles, Miller and Valasek discovered that a particular USB to Ethernet adapter automatically created an SSH connection when plugged into the Jeep’s dash. The team already knew the password from previous research: dtdonkey.
“I’d like to know what the inside joke is about ‘dtdonkey,’” said Valasek.
By injecting CAN messages into a vehicle’s network, the researchers found that they were able to perform simple tasks like changing the speedometer. More dangerous actions, like applying the brakes or seizing remote control of the vehicle, are more challenging. The problem was what the team described as “message confliction.”
One of the onboard ECU computers, say, the one responsible for the brakes, would be regularly sending out a CAN message saying “don’t apply the brakes.” If an attacker injected the message to “engage the brakes,” the receiving computer would be confused by the mixed messages. In most cases, the computers are designed to simply shut off in the case of message confliction, thus preventing future attacks. The team demonstrated this by showing how they could change speedometer output. We could clearly see the needle wobbling back and forth between 0 MPH, the car’s true speed, and 40 MPH, the ersatz message sent by the team.
Miller and Valasek offered a different approach to injecting CAN messages; one that simply went around some of the restrictions. Because the car’s computers would shut down if they received too many conflicting messages, the team timed the sending of malicious messages to make sure they arrived just before the legitimate messages.
The team also showed that they were able to simply disable these microcomputers. To do it, they spoofed the vehicle’s speed to convince the computers the vehicle was stationary and thus able to enter diagnostic mode. Once done, the team forced the target ECU to reprogram itself. Halfway through the process they stopped, effectively killing the ECU.
This made it possible to lock the emergency brake, alter steering, and even increase the acceleration of vehicles. In one example, the team turned off the power steering, forcing the driver to grapple with the mass of the vehicle plus the now-inert motors intended to assist in driving.
“I’ve driven a car without power steering and [this is] more difficult than that,” said Valasek.
The team also found they were able to engage the automatic parking module while the vehicle was in motion at any speed. This caused the wheel to jerk suddenly in one direction, causing smoke, skids, and squealing tires. During one of their tests, the duo wound up in a ditch in rural Missouri, and were rescued by some passersby who charged them a mere $10 for the effort.
Take It to the Shop
Looking back at their previous research, and their most recent attacks, Miller and Valasek called on automotive manufacturers to get serious about vehicle security. Code signing, they said, was a critical tool that had not been implemented on cars.
“We need to apply the methodologies we use for corporate IT,” said Valasek.
They also called for the creation of a system to detect and log message confliction. Some vehicles have ‘black box’ recorders for when the airbag is engaged. Logging why the steering module suddenly turned off should be at least as important. The team seemed especially frustrated on this point because a simple device they developed years ago was capable of logging and detecting exactly the kind of attacks they demonstrated.
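As an added example (not code from Miller and Valasek or from this article), the sketch below shows one way such logging could work: learn each CAN ID's normal send period from clean traffic, then record any frame that arrives far sooner than that period, along with whether its payload contradicts the previous one. The CAN ID 0x3E0, the two-byte payload layout, the 20 ms period and the sample frames are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def learn_periods(baseline):
    """Median inter-arrival time per CAN ID, learned from known-clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _data in baseline:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect_confliction(frames, periods, tolerance=0.5):
    """Log every frame that arrives sooner than tolerance * learned period
    after the previous frame with the same ID, with both payloads."""
    last, events = {}, []
    for ts, can_id, data in frames:
        period = periods.get(can_id)
        if period is not None and can_id in last:
            prev_ts, prev_data = last[can_id]
            gap = ts - prev_ts
            if gap < tolerance * period:
                events.append({"ts": ts, "id": hex(can_id), "gap_s": round(gap, 4),
                               "expected_s": round(period, 4),
                               "prev": prev_data.hex(), "data": data.hex(),
                               "payload_conflict": data != prev_data})
        last[can_id] = (ts, data)
    return events

# Constructed sample traffic (assumed ID, payload layout and 20 ms period).
SPEED_ID = 0x3E0

def make_clean(n, start=0.0, period=0.020):
    """n periodic frames reporting speed 0."""
    return [(round(start + i * period, 4), SPEED_ID, bytes([0, 0])) for i in range(n)]

def make_mixed(n, start=1.0, period=0.020):
    """Same stream, plus a contradictory frame 1 ms ahead of each periodic one."""
    frames = []
    for i in range(n):
        t = start + i * period
        frames.append((round(t - 0.001, 4), SPEED_ID, bytes([0, 40])))
        frames.append((round(t, 4), SPEED_ID, bytes([0, 0])))
    return frames

if __name__ == "__main__":
    periods = learn_periods(make_clean(50))
    for event in detect_confliction(make_mixed(5), periods):
        print(event)
```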
Attacking connected cars is certainly material for a good techno-thriller novel, but it has little practical application to everyday attackers. There’s comparatively little payout in attacking a single connected car than, say, spamming millions of people with lucrative ransomware. Some futurists are looking forward to a day when cars travel in massive, autonomous fleets, or even to replacing cab and Uber drivers with autonomous systems that simply bring the car directly to you. In that kind of world, where dozens or hundreds of vehicles and passengers could be hijacked or held hostage, connected car research becomes a bit more pressing.
Not for the first time, Miller and Valasek concluded their presentation by announcing their retirement. “We’re done,” said Valasek, citing the team’s five papers, thousands of lines of code, and collection of “crazy-ass videos.” While the two are ready to move on to new challenges, they pointed out that there was still plenty of work to be done in automotive hacking.
By MAX EDDY