The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse

The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse

Almost exactly a year ago, Chrysler announced a recall for 1.Four million vehicles after a pair of hackers demonstrated to WIRED that they could remotely hijack a Jeep's digital systems over the Internet. For Chrysler, the fix was embarrassing and costly. But now those two researchers have returned with work that asks Chrysler and the automotive industry to imagine an alternate reality, one where instead of reporting their research to the automaker so it could be immovable, they had kept working on it in secret—the way malicious hackers would have. In doing so, they've developed a fresh hack that offers a sobering lesson: It could have been—and still could be—much worse.

At the Black Hat security conference later this week, automotive cybersecurity researchers Charlie Miller and Chris Valasek will present a fresh arsenal of attacks against the same two thousand fourteen Jeep Cherokee they hacked in 2015. Last year, they remotely hacked into the car and paralyzed it on highway I-64—while I was driving in traffic. They could even disable the car's brakes at low speeds. By sending cautiously crafted messages on the vehicle's internal network known as a CAN bus, they're now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and stuffing on the car's brakes or turning the vehicle's steering wheel at any speed. “Imagine last year if instead of cutting the transmission on the highway, we'd turned the wheel one hundred eighty degrees,” says Chris Valasek. I can imagine. But he spells it out anyway. “You wouldn’t be on the phone with us. You’d be dead.”

Unlike last year, Miller and Valasek who now work at Uber's Advanced Technology Center, can't perform those fresh attacks over the Internet—only with a laptop directly plugged into the Jeep's CAN network via a port under its dashboard. Gratefully, their previous work helped Chrysler create a security update to fix the flaw that gave them their earlier, remote access to the Jeep's guts. This hack, however, is still possible on patched Jeeps like the one they tested. And the real reason for extending their Jeep attack is to demonstrate what the total consequences of a digital attack on cars or trucks would have looked like in the absence of that patch; Their full-speed attack on the Jeep's steering and acceleration is what could happen the next time sophisticated hackers find a wireless foothold on a vehicle's network.

And make no mistake, auto hackers say: there will be another wireless car attack method found sooner or later.

“There will almost certainly proceed to be remote vulnerabilities in the future,” says Karl Koscher, a researcher at the University of California at San Diego who found one of the very first car-hacking mechanisms for GM's Onstar in 2010. Miller and Valasek's latest work shows, he says, that “if you can get on the right CAN bus through those vulnerabilities, you can use these technics to take pretty dramatic control of the car.”

Here's a movie of their steering attack demonstration:

How the Fresh Attacks Work

Instead of focusing on that initial wireless foothold, this time Miller and Valasek dreamed to to bypass a set of safeguards deeper in vehicles' networks. Vehicle CAN network components are designed to stand against certain dangerous digital signals: The diagnostic mode that Miller and Valasek used to disable the Jeep's brakes, for example, wouldn't work at any speed above five miles per hour, and the automatic parking assist feature they used to turn its steering wheel only worked when the vehicle was in switch roles and traveling at the same low speeds.

But Miller and Valasek have now found technologies to bypass some of those safeguards, with disturbing results. Here's how their fresh attacks worked: Instead of merely compromising one of the so-called electronic control units or ECUs on a target car's CAN network and using it to spoof messages to the car's steering or brakes, they also attacked the ECU that sends legitimate directives to those components, which would otherwise contradict their malicious guidelines and prevent their attack. By putting that 2nd ECU into “bootrom” mode—the very first step in updating the ECU's firmware that a mechanic might use to fix a bug—they were able to paralyze that virginal ECU and send malicious directives to the target component without interference. “You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”

Imagine last year if instead of cutting the transmission on the highway, we'd turned the wheel one hundred eighty degrees. You wouldn’t be on the phone with us. You’d be dead.

The result: They're now able to override contradicting signals that tell the parking brake not to activate, for example, and thus bring the vehicle to a halt from any speed in seconds. And in combination with another vulnerability they found in the steering module ECU, they can disable the steering so that the wheel resists the driver's attempts to turn it. They can also digitally turn the wheel themselves at any speed. When they tested that last attack while driving at thirty miles per hour on an empty road running through cornfields north of St. Louis, Miller and Valasek say they lost control of the Jeep, crashed it into a ditch, and had to wait for a friendly local to tow them out.

In a separate attack that doesn't require any such ECU bootrom tricks, they also found they could turn on and alter the settings on the Jeep's cruise control, permitting them to accelerate the Jeep by ems of miles per hour in a few seconds. But they note that as with any cruise control, the driver could simply hit the brake to disable that unintended acceleration—if they notice that it's happening. A careful driver with two forearms on the wheel could also overpower the steering attack, too, Miller and Valasek admit. But if the attack took a driver by surprise, it could still do harm. “It's not like I can just take control of the car and drive you to my house and you can't stop me,” Miller says. “But if you’re not paying attention, it’s certainly dangerous.”

When WIRED reached out to Chrysler's parent company Fiat Chrysler Automobiles, (FCA) the company responded in a statement emphasizing that Miller and Valasek's attack could not have been performed remotely. “This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle,” FCA's statement reads. “while we admire their creativity, it emerges that the researchers have not identified any fresh remote way to compromise a two thousand fourteen Jeep Cherokee or other FCA US vehicles.” The statement also claims that Miller and Valasek's Jeep “shows up to have been altered back to an older level of software,” the company adds. “It is very unlikely that this exploit could be possible. if the vehicle software were still at the latest level.”

Miller and Valasek confirm that as part of their earlier testing, they did install on their Jeep an older version of the infotainment software that Chrysler patched to prevent remote attacks. But they dispute Chrysler's claim that patch against remote attacks would have made any difference: Their latest work, they say, didn't touch that infotainment system at all, focusing on other components of the vehicle altogether.

What This Means For Future Car Hacks

Tho’ Miller and Valasek haven't found a fresh way to perform their attacks remotely, it's not hard to imagine fresh avenues hackers could find to remotely access the Jeep's CAN network or those of other vehicles. In 2011, researchers at the University of California at San Diego and the University of Washington found ways into a Chevy Impala's innards that included everything from its OnStar connection to a hacked smartphone connected to its infotainment system via Bluetooth to a CD containing a malicious file inserted into its CD player. And last year some of the same UCSD researchers demonstrated that common, Internet-connected insurance insurance dongles plugged into vehicles' dashboards could create the same remote hacking vulnerabilities.

Related movie: