DEF CON focuses on vehicle security and beyond in wake of Jeep hack
Last month, security researchers Chris Valasek and Charlie Miller made headlines when they remotely hacked a Jeep Cherokee, killing the transmission as a Wired reporter drove at high-speed down the freeway. But with cars representing only a subset of the Internet of Things, it's likely that many companies that had previously never considered whether their products were virtually as well as physically safe will similarly be responding to disclosures of exploits and courting future employees at hacker conventions in the future. Security researchers at DEF CON described the many attack surfaces of today's connected vehicle and pointed to potential improvements to protect consumers.
Valasek and Miller released the final piece of their research at both Blackhat on August 5 and DEF CON 23, days before two other researchers disclosed the vulnerabilities and strengths of the Tesla S. Even unrelated talks mentioned something about Tesla or Jeep and regular attendees were encouraged to sit in an officially-sponsored Tesla and hack car components in an open sandbox, a first of its kind at DEF CON. Clearly, vehicle hacking had become a thing.
The vulnerability in the Jeep Cherokee revolved around weaknesses in the car's Uconnect infotainment system distributed by Harman. A common strategy for hackers is to look for vulnerabilities in often less-secure user-facing systems, then to pivot from there to more secure (and important) systems. In this case, the hackers found an open port and a process in the infotainment system already designed to execute code, which allowed them to inject a few lines of Python.
Now able to navigate the system with root privileges, they reverse engineered and added their own code to the firmware, providing a means to send malicious instructions to systems including the transmission and brakes. Even without the firmware exploit, hackers can still use the infotainment API to play with functions like the radio and wipers, as well as track the car via GPS data. Worse, all of this could be done remotely, from anywhere in the world as long as a hacker was on Sprint's network.
The exploit resulted in recalls of 1.4 million vehicles spanning three years of models in the Fiat Chrysler (FCA) line, including the 2014 Durango and the 2013-2014 line of Ram pickups. Sprint blocked traffic on port 6667 and legislation was introduced that was months in the making by US Senator Edward Markey. While Harman systems are used in many other makes of cars, the company stated that only the FCA vehicles were vulnerable because the car company used an older model of the infotainment system.
Valasek, who is the Director of Vehicle Security Research for IOActive, and Miller previously hacked a 2010 Toyota Prius and 2010 Ford Escape but this required physical access through the cars' ports, as we reported in August 2013.
Jeep hasn't been the only target for security researchers in recent months. The Tesla S was chosen by Marc Rogers and Kevin Mahaffey because they considered it the most connected car currently in production, even referring to it as a “data center on wheels.” They attempted to get access to the same attack surface as Miller and Valasek did with the Jeep: the infotainment system.
However, they discovered that the Tesla's infotainment systems are set up more like an airplane than a car, with the important items more highly secured. While they were able to obtain root access on the infotainment system, they were only able to perform actions that were legitimately in the API, though that still included altering speed readouts, unlocking and locking doors, opening windows, and lowering and raising the suspension.
While they did discover some weaknesses, such as a security token that was set as a password in plain text and an older browser that was a couple steps removed from the source (which makes for slower updates), they also discovered some strengths to the Tesla design. Unlike the Jeep, there is a gateway between the touchscreen entertainment system and the auto systems that Rogers and Mahaffey believed wasn't hackable, but hadn't tried yet. Additionally, interfering with the infotainment API did not cause complete vehicle failure, as with the Jeep, but instead gave a warning about applying brakes at speed while reserving the driver's ability to use the steering and brakes.
Another major difference between the Jeep Cherokee and the Tesla S hacks lies in how the companies were able to handle the fallout from the situation. Miller and Valasek initially disclosed the vulnerabilities to FCA months ago on October 24, 2014, with the recall not occurring until shortly before the conferences. While ports are now blocked on the affected models and drivers can't purchase Wi-Fi for an unpatched vehicle, the recall and the negative publicity represent a significant loss of money and reputation for the company, as opposed to Tesla, which was able to release an automated update that was pushed to all users
Meanwhile, Tesla showed up to DEF CON to address the audience after Rogers and Mahaffey finished their presentation, awarding the researchers Tesla challenge coins and announcing that its bug bounty program, run through Bug Crowd, would be increased to up to US$10,000.
In a presentation illustrating that some modern hacks rely on weaknesses that should have already been solved, Samy Kamkar demonstrated an attack at DEF CON that relies on vulnerabilities with some cars and garage's RF systems. Famed for his earlier exploits with MySpace and SkyJack, he introduced a device called Rolljam that automates an attack hackers have been aware of for years.
When a car owner clicks his key fob to unlock the car, the Rolljam jams the signal from reaching the car, thus encouraging the owner to click the key fob again, sending another signal. After jamming and saving the second signal, Rolljam plays back the first signal, unlocking the car for the still unwary owner. However, the hacker retains the next signal the car will be listening for, providing a way to unlock the car remotely from the key fob at a future date. Kamkar pointed out that this is a problem that was solved years ago, with no reason that car owners should still be worried about the same solved vulnerabilities.
The easiest and safest assumption for automakers to hold is not that perfect software is possible, but that all systems will fail. In a presentation prior to DEF CON where Tesla security engineers were present, Josh Corman, a policy strategist who advocates for changes to the security of consumer goods, observed that it took Microsoft 15 years to progress from suing those who hacked Microsoft software to integrating and encouraging hacker discovery into their system of bug review. Corman says that the car industry does not have the luxury of 15 years to embrace security researchers exploring bugs in their systems, and that it needs to be more like 3-5 years.
To the extent car parts are already sent for manufacturing years out from a vehicle's production year, some car companies are already a few years out from being able to respond to flaws in their systems. Yet manufacturers that have switched to over-the-air (OTA) updates have a more flexible model for responding to flaws when they're discovered.
Corman also observes that security is often an afterthought with cars, taking a backseat to perceived market needs. So security needs to become a design consideration itself, rather than something that gets addressed only after it becomes a problem. In March of this year, Ford announced that its vehicles would receive OTA updates because of the financial and design benefits over the otherwise inevitable forced recalls.
While Valasek and Miller certainly made news, this is not just a Jeep problem, but a connected vehicle problem, and not just an American problem, but an international one. Until now, security has not been as profitable as rolling out new technologies faster than competitors. However, there are some things that consumers can do to protect themselves, both when buying a vehicle and in encouraging the industry to move in the right direction.
Firstly, car buyers can look for vehicles that support OTA updates that don't require a subscription. While many of us may hold onto our phones or home computers for a number of years, they can be easily and quickly replaced if need be. But things like cars, lighting systems, and home security systems are generally held onto for lengthy periods. And when they are replaced, they may be sold on to others as second-hand gear. Hence, updates also need to be easy to implement and without cost.
Consumers can compare their vehicle to Miller and Valasek's (admittedly dense) ranked list of potentially vulnerable cars (PDF) or read Markey's report of automaker-submitted data (PDF). Obviously, a place on the list does not mean that the car is hackable anytime soon, especially as the Jeep hack required acquiring and rewriting portions of firmware which will vary from vehicle to vehicle, but it raises points to research or see addressed by automakers.
Awareness of how much information is harvested and stored by connected vehicles is also critical. A new industry is springing up in the shadow of smart cars dedicated to the mining of data that a driver inadvertently leaves behind. Berla is such a company, specializing in vehicle system and GPS forensics. A representative at the conference said that often consumers don't realize the level of detail present in some vehicle logs, such as time and GPS stamps of a door opening. While these systems are used by Berla for legitimate means, the information is potentially there for anyone to access.
Lastly, pressure from consumers may convince automakers of the financial incentives of not just data privacy, which is the usual interpretation of security, but also in securing vehicle systems from attacks. Regulation of the industry is likely coming, spearheaded in the US by Markey's legislation and other government agencies becoming involved. But changes need not come from regulation, but from automakers accepting their responsibility to consumers and self-regulating.
Connectivity, be it through cars or other products, offers many advantages, but with it comes potential vulnerabilities, as evidenced previously in operating systems, mobile phones, E-commerce websites, and now cars. And as more and more products and industries rush to get their products online, the potential for harm increases. A smart sensor-enabled city that intelligently allocates resources, where infrastructure communicates with cars, and cars with mobile devices, necessitates that the pay to play is educated diligence and the buyer must beware.
Source: DEF CON 23