Charlie Miller and Chris Valasek, the researchers who last year showed that cars can be remotely hijacked, are back with a new demonstration, and this time they managed to take over a vehicle’s acceleration, brakes and steering.
Miller and Valasek started hacking cars in 2013, when they demonstrated on a Ford Escape and a Toyota Prius that an attacker with physical access to a vehicle’s computer systems can kill the brakes and power steering, honk the horn, spoof the GPS, hijack the speedometer, and take control of the steering wheel.
In 2015, the researchers went even further and showed how a hacker could remotely breach cars made by Fiat Chrysler Automobiles (FCA) and perform various actions via their Uconnect in-vehicle connectivity system. The duo demonstrated on a 2014 Jeep Cherokee that they could remotely take over the infotainment system, kill the engine and disable the brakes. Their research led to FCA recalling 1.4 million vehicles in order to update the vulnerable software.
The experts, who currently work for Uber, continued to analyze the 2014 Jeep and found new attack vectors that can be exploited by an attacker who has physical access to the car’s systems. The attack method, which they plan on detailing this week at the Black Hat security conference in Las Vegas, relies on Controller Area Network (CAN) bus message injections.
Miller and Valasek told Wired that they managed to perform various actions by sending specially crafted messages on the CAN, a vehicle bus standard that allows microcontrollers and devices to communicate with each other. The researchers said they bypassed CAN network safeguards and took over some of the vehicle’s functions by attacking electronic control units (ECUs).
An ECU controls one or more electrical subsystems in a vehicle. By putting critical ECUs in “bootrom” mode, the mode used when conducting firmware updates, the researchers managed to knock the legitimate ECU offline and send malicious commands to the targeted component. The method has allowed the experts to turn the steering wheel, including at high speeds, disable power steering, and control the brakes.
Using a different attack method, they also managed to take control of the Jeep’s cruise control and cause the car to accelerate quickly.
FCA, which recently launched a bug bounty program, has been informed about the researchers’ findings, but the company is not too concerned due to the fact that the attack requires physical access to the targeted vehicle’s onboard diagnostic (OBD) port. The carmaker pointed out in a statement sent to SecurityWeek that the exploits require “extensive technical knowledge, extended periods of time to write code, and prolonged physical access.”
Fiat Chrysler also noted that the Jeep used by the researchers in their demo did not have the “security enhanced software” installed on it last year as part of the company’s safety recall. However, the hackers told Wired that the updated infotainment software was unlikely to block their attacks.
The company believes it’s not appropriate to disclose information that could help or encourage individuals to gain unauthorized access to a vehicle’s systems. Fiat Chrysler representatives told SecurityWeek that the latest research would qualify for the FCA US bug bounty program.
“However, since the researchers chose to make their findings public instead of proceeding with our facilitated disclosure program through Bugcrowd, their research would no longer be eligible for submission through the FCA US Bug Bounty Program,” the company said.
While the latest attack method requires physical access to the targeted vehicle, Miller and Valasek are concerned that someone might find a way to remotely exploit the vulnerabilities they have identified.
The work of Miller, Valasek and others have made the automotive industry and authorities realize that cybersecurity should be taken seriously. Last month, for instance, the Automotive Information Sharing and Analysis Center (Auto-ISAC) announced the development of vehicle cybersecurity best practices.
Research in this field has also led to the creation of security firms that specialize in protecting cars. For example, Karamba Security is working on solutions designed to harden ECUs and ensure that only authorized code and applications can be executed.
*Updated with clarification from FCA that the research would have qualified for its bug bounty program
Related: FBI Reminds That Cars are Increasingly Vulnerable to Remote Exploits