Remote Exploitation of an Unaltered Passenger Vehicle 2: Connecting to the WPA2 Network

The researchers touch upon jailbreaking the Uconnect and shift the focus to attacking the Jeep’s head unit over Wi-Fi, in particular the hurdles along the way.

Head unit jailbreak

Chris Valasek: Real quick – jailbreak (see right-hand image). Charlie gave you a teaser last year during the talk. It was a great way for us to learn about this system, dump binaries off, do reversing, sniff traffic, basically everything you want to do when you are trying to hack a system. Invaluable. This absolutely, positively is not required for what we are talking about today, just to make that very-very clear, but… Oh, I did the video.

Jailbroken Uconnect

Charlie Miller: So, here is just the effect of jailbreaking (see left-hand image). You can see on the screen it says “Jailbroken”. Normally, it doesn’t say that. Again, if I wanted to remotely attack some car in California I don’t have to get there with a USB stick and jailbreak it. You don’t do that. But for us to find out where files are and play around, it was useful.

Remote attack over Wi-Fi

So, we talked about all those different remote attack services, and the first one that we wanted to look at was Wi-Fi (see right-hand image), because that was something we kind of understood. Bluetooth – we don’t know too much about it. Tire pressure monitoring systems – I know nothing about those. So we wanted to start with something that was kind of familiar, and we started with Wi-Fi. This is the screen that you get for Wi-Fi, and you’ll notice that by default you get WPA2 as your security. I should mention that the Jeep and some other cars offer up a Wi-Fi hotspot so you can sit in the back seat and get on the Internet.

Chris Valasek: The kids can be on the Nintendo DS.

Hurdles with Wi-Fi exploitation

Charlie Miller: It’s pretty sweet, I really like it. In order to do that, you need to have the password to get on WPA2. So, if you want to attack a car over this Wi-Fi hotspot that it generates, there’s a couple of problems with it. One is that it’s not on by default, you have to pay for it (see right-hand image). And it’s quite expensive, so about 35 bucks a month – I bought this for, like, a year. You’re welcome.

Chris Valasek: You’re welcome, everyone, for Charlie paying 300 bucks.

Charlie Miller: But anyway, the point is not many people are going to buy this, and even if you did find a car where it was on, you would have to figure out how to connect to the WPA2 network, which is sort of nontrivial.

WPA2 password generation

We’ll still talk about that a little bit just to show how it would work, because for a while this is the only way we knew how to attack the car. The first thing that you’ll see is this (see right-hand image), which is the reverse engineering of the way that the password is generated for the WPA2 system, and you’ll see that they call ‘time(NULL)’ and then they figure out a random password length between 8 and 12, and then random characters from, like, lowercase and uppercase ASCII and numbers, so there’s 62 of them. The point is you get this really long password that’s random, and you can’t just guess it very easily.

Chris Valasek: It’s going to be really hard to guess even if you’re cracking it. You’re not going to be lucky doing it.

Figuring out the password

Charlie Miller: But the fact that they based it on time means that there’s really only one password for every second and the time when they would have turned the car on. So, if you can figure out the time that they turned the car on for the first time, then you can have a pretty good guess what the password is (see right-hand image). And so, here’s just some numbers – I do have a PhD in math…

Chris Valasek: He’s pretty good at math.

Charlie Miller: Yeah, I can use the calculator as well as the next person. But anyway, if you do the math you will find out that if you know what year it is, which you probably have a pretty good idea about because it’s a car, it will take 15 million password tries before you would guess that, if you wanted to just care about a month. So it’s 15 million per month, and then you can make some sort of assumptions. But the point is, you could imagine doing an attack in about an hour, which is kind of a drag, right? So you have to, essentially, find a car on the highway, drive next to it for an hour…

Chris Valasek: That’s just creepy. But Charlie, I ask you, how does it get the time?

Snippet of code setting the clock

Charlie Miller: Are you sure we didn’t practice? So then you’re like, okay, fine, how do we know what time it was? Because the very first time you turn the car on, it doesn’t necessarily know what time it is. And so, this is some of the code that sets the clock initially (see right-hand image), and you can see it says ‘getV850RealtimeClock()’. V850 is the other chip that we’ll talk about later, but it’s the one that has direct communications with the cellular network, and so it’s trying to get the time through cellular stuff, just like how your phone gets time. But it follows down here and it says if it fails to get that time, it defaults to the first day of the first month of 2013.

Chris Valasek: January 1, 2013 – that’s the default date.

Charlie’s WPA2 password

Charlie Miller: Right. So I was like, okay, whatever. But I looked at my password, and it was this long, complicated thing (see right-hand image). And so there’s this mapping between what second the clock was turned on and your password. But you can kind of go backwards with that mapping, too. So I was like, well, I wonder what time I turned my car on, it’s kind of interesting, right? So I looked, and it said I turned my car on January 1, 2013, 00:00:32 GMT. What that means is, when I turned my car on, it didn’t know what time it was. It took 32 seconds for the Wi-Fi thing to kind of get going, and then it created the password from that.

Chris Valasek: You could imagine cars coming out of the plant, being turned on, and they all have a very small subset of passwords.

Charlie Miller: Right, so you would expect, maybe, there will only be 10 or 20 different passwords in reality.

Chris Valasek: You don’t have to creep on someone for an hour, you only have to creep on them for a couple of seconds.

Charlie Miller: Yeah. I like how you’re so worried about creeping on someone by driving around.

Chris Valasek: I creep on people all the time.

Charlie Miller: You don’t mind crashing them, but you don’t want to get close to them.

Chris Valasek: Yeah, I don’t want to get them creeped out, but I don’t mind driving them off the road.

Nmap scan report

Charlie Miller: Anyway, it’s actually not that difficult to figure out what the password is on the WPA2 network in this case. And so, you could connect to a Wi-Fi network, but the biggest problem is you still have this issue where they probably don’t have Wi-Fi in the first place. So, let’s just forget about that issue for a moment and power on, which is what you do when you research. You can run an Nmap scan of the Wi-Fi hotspot, and you’ll see there’s a bunch of open ports (see right-hand image). The one that we care most about is port 6667, which Nmap says is IRC.

Chris Valasek: We were pretty stoked, we’re like: sweet, this thing is running IRC, this is awesome! Great car, love it!

Not quite that D-Bus

Charlie Miller: I was like, I knew this car was cool, but now I just really love it. So, it turns out it’s not IRC. It’s something called D-Bus. If you don’t know what D-Bus is, it’s an interprocess communication mechanism so that different processes can talk to each other (see image below). It’s like RPCs, calling methods, so it’s a way different processes on the machine can talk to each other, which right away you start to think like “Well, probably, maybe I shouldn’t be able to pretend I’m a process on the machine and talk to other processes on the machine.”

D-Bus on the Jeep: any authentication?

Chris Valasek: I would think so. That’s how I would design it.

Charlie Miller: But the designers of D-Bus thought of that, and they have authentication built into it, where you need to have some sort of password or key or something. I don’t know because the Jeep didn’t have one. So you can see over here on the right, part of the D-Bus protocols, you can try to auth and you can say “I’m just some anonymous dude,” and the Jeep says “OK, you have a session.”

Chris Valasek: Basically, this is RPC with no authentication, because you can remotely connect and then we’ll show you that you can do stuff.

Charlie Miller: Probably not intended by the manufacturer.

Chris Valasek: I wouldn’t think so.