Charlie Miller and Chris Valasek, the researchers who last year showed that cars can be remotely hijacked, are back with a new demonstration, and this time they managed to take over a vehicle’s acceleration, brakes and steering.
Miller and Valasek started hacking cars in 2013, when they demonstrated on a Ford Escape and a Toyota Prius that an attacker with physical access to a vehicle’s computer systems can kill the brakes and power steering, honk the horn, spoof the GPS, hijack the speedometer, and take control of the steering wheel.
In 2015, the researchers went even further and showed how a hacker could remotely breach cars made by Fiat Chrysler Automobiles (FCA) and perform various actions via their Uconnect in-vehicle connectivity system. The duo demonstrated on a 2014 Jeep Cherokee that they could remotely take over the infotainment system, kill the engine and disable the brakes. Their research led to FCA recalling 1.4 million vehicles in order to update the vulnerable software.
The experts, who currently work for Uber, continued to analyze the 2014 Jeep and found new attack vectors that can be exploited by an attacker who has physical access to the car’s systems. The attack method, which they plan on detailing this week at the Black Hat security conference in Las Vegas, relies on Controller Area Network (CAN) bus message injections.
Miller and Valasek told Wired that they managed to perform various actions by sending specially crafted messages on the CAN, a vehicle bus standard that allows microcontrollers and devices to communicate with each other. The researchers said they bypassed CAN network safeguards and took over some of the vehicle’s functions by attacking electronic control units (ECUs).
An ECU controls one or more electrical subsystems in a vehicle. By putting critical ECUs in “bootrom” mode, the mode used when conducting firmware updates, the researchers managed to knock the legitimate ECU offline and send malicious commands to the targeted component. The method has allowed the experts to turn the steering wheel, including at high speeds, disable power steering, and control the brakes.
Using a different attack method, they also managed to take control of the Jeep’s cruise control and cause the car to accelerate quickly.
FCA, which recently launched a bug bounty program, has been informed about the researchers’ findings, but the company is not too concerned due to the fact that the attack requires physical access to the targeted vehicle’s onboard diagnostic (OBD) port. The carmaker pointed out in a statement sent to SecurityWeek that the exploits require “extensive technical knowledge, extended periods of time to write code, and prolonged physical access.”
Fiat Chrysler also noted that the Jeep used by the researchers in their demo did not have the “security enhanced software” installed on it last year as part of the company’s safety recall. However, the hackers told Wired that the updated infotainment software was unlikely to block their attacks.
The company believes it’s not appropriate to disclose information that could help or encourage individuals to gain unauthorized access to a vehicle’s systems. Fiat Chrysler representatives told SecurityWeek that the latest research would qualify for the FCA US bug bounty program.
“However, since the researchers chose to make their findings public instead of proceeding with our facilitated disclosure program through Bugcrowd, their research would no longer be eligible for submission through the FCA US Bug Bounty Program,” the company said.
While the latest attack method requires physical access to the targeted vehicle, Miller and Valasek are concerned that someone might find a way to remotely exploit the vulnerabilities they have identified.
The work of Miller, Valasek and others have made the automotive industry and authorities realize that cybersecurity should be taken seriously. Last month, for instance, the Automotive Information Sharing and Analysis Center (Auto-ISAC) announced the development of vehicle cybersecurity best practices.
Research in this field has also led to the creation of security firms that specialize in protecting cars. For example, Karamba Security is working on solutions designed to harden ECUs and ensure that only authorized code and applications can be executed.
*Updated with clarification from FCA that the research would have qualified for its bug bounty program
Related: FBI Reminds That Cars are Increasingly Vulnerable to Remote Exploits
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
