Charlie and Chris demonstrate what can be remotely done to a modern vehicle’s HVAC and infotainment system through deploying payloads on the head unit.

Charlie Miller: So, we used a protocol called Dfeet, which we’ll show you in a second. What it looks like is it’s a cool GUI. And then, when we wrote our scripts and – not to give away the teaser – exploits as well, we used something called Dbus-Python. This Dfeet thing, you can fire it up, it looks like this (see right-hand image). You can see all these “harman” services that you can talk to. Each of these services has different methods that you can call. Here’s an example of using that GUI again to find out what methods are available for particular services (see right-hand image), and you can just read down here and see some of the more interesting ones. There’s a service called “com.harman.service.LayerManager”, and it has methods like “viewDTV_HMI2” and all this kind of crazy stuff.
Chris Valasek: You could imagine how many things are implemented over this. It’s probably easy to use, to make calls, it works, awesome, right? So I’m sure there are just methods upon methods upon methods.
Charlie Miller: Right. So, already, right now you could probably imagine doing things to the Jeep that are bad. But of course, we want a shell. Oh, I should mention the D-Bus service runs as root, so if you can get a shell, you’re root.
Chris Valasek: One small detail.

Charlie Miller: …Which you would kind of expect – it’s not a multi-user system, it’s a Jeep. So we’re like, okay, let’s start looking through these methods and seeing if there’s any one that has some sort of vulnerability that would allow us to get commands running. The first thing I thought of was command injection, because then you don’t have to mess with shellcode. I’ve spent enough time in my life looking at debugging, I don’t want to do that anymore. So I looked around and found this “NavTrailService” (see right-hand image), which was a really great service. I don’t know what it really does, but it gives you shells – I know for sure.
Chris Valasek: It should be called “ShellTrailService”.
Charlie Miller: Right. This particular service is backed by Lua scripts, so you can just read the Lua and see if there are problems. And you can see here you are allowed to pass in through this method “params”, which is in this case a filename, and then it just shells out to the system and runs “remove” your filename. So, if you give a filename like “blah;stuff”, it will just run that “stuff”.
Chris Valasek: Or you can just give it a “\”, and that removes everything as well.
Charlie Miller: Yeah. Don’t do that either. Anyway, this is bad. From this alone, if you connect to the Wi-Fi you could get root stuff running, and I was proud of myself. I’ve been hacking for 15 years or whatever, and this is really awesome. I found a bug, I knew it would be there – boom!
Chris Valasek: And once we started looking at the code, it was just everywhere.

Charlie Miller: But then my elation of what a super-uber hacker I was kind of came down. When I looked further down the list of methods for NavTrailService, I saw there was one of them called “execute” (see right-hand image). You can probably guess what this shell does. It doesn’t kill you. What it does is, if you give it a command it executes it.
Chris Valasek: If you want to own 1.4 million vehicles, there are four lines of Python. We wanted it to be sexier – that’s it, right there!
Charlie Miller: You can see this is four lines of Python, like he says, and at the end it invokes the “execute” method, and then you specify what the command is – in this case it’s “netcat”, “/bin/sh” and stuff.
Chris Valasek: And the nice thing is they have “netcat” and all those good utilities already on there for you, so you don’t even have to do it. They’re already there for you, just invoke them.

Charlie Miller: So, remote root shell, four lines of Python. That’s it. One funny thing is that at Defcon and Black Hat last year we were talking about the attack surface of the Jeep, and at one point Chris, eloquently in this picture, is showing “nmap” of the Jeep, and you can see port 6667 is open (see right-hand image), and of course we laughed about how it was IRC. Basically, that was what our whole talk this year is about, it was on that slide last year.

Chris Valasek: Now we can execute, we’re on the infotainment system, we’re on the head unit. That means we can execute a bunch of cool Lua scripts that do stuff. We wrote GPS Tracker 3000 (see right-hand image). 3001 is going to sound really silly, but we’ll worry about that then.
Charlie Miller: Then it’ll just be retro.
Chris Valasek: Yeah, then it will, like Nintendo game stuff. Basically, what it did is we got the Jeep to send its GPS coordinates to a web server, and we would poll that web server every so often and then put a pin drop on the Google Map. We could get this running and I could watch Charlie go to the grocery store and I could tell you “Hey, he’s speeding up, because the pins are getting farther apart,” or “Hey, he’s slowing down, the pins are getting closer together.” So we have nice Google Map tracking for all your NSA needs, you can track him wherever he goes, it is pretty sweet.
Charlie Miller: You don’t actually even need to run code to do this. This is just one of the methods that the D-Bus service exports for you.
Chris Valasek: Exactly. You don’t even need to exploit it, you just ask it.
Charlie Miller: You’re like “Yo, what’s your GPS?”

Chris Valasek: And it’s like “Oh, here you go man.” You have probably seen the Wired videos on HVAC – we could turn A/C, heating on (see right-hand image). You give it a number, it blows cold air in Andy Greenberg’s face; I think that’s why this method was designed.
Charlie Miller: And it’s funny because the only reason we’re putting this code up here is so you could see how simple it is. You may think “Oh, turning on the air conditioning, that’s probably super-hard.”

Chris Valasek: … Yeah, like memory corruption and stuff. No, we’re just running a Lua script. We wish it were sexier, but it’s not. Actually I don’t, because I liked it being easy. Radio volume – you can just give it a number (see right-hand image), I think 32 is the loudest.
Charlie Miller: … Some number that is not reasonable. So this is, basically, a lot of the things we can do just on the Uconnect (watch video below). You can’t really hear us talking because we just turned up the radio station. It’s so loud you can’t even talk, and you can’t turn it down. This is what we’re gonna do to Greenberg on the highway. Then Chris turned off the car. You think that would fix it, but it doesn’t. Anyway, you can control the radio, the air conditioning, the GPS. You could imagine turning on the microphone – anything that has to do with just the radio you can do at this point.
So, that was super fun. You know, I like hip hop as much as the next person. But it’s still, like, the individual has to buy Wi-Fi. Only idiots like me would pay 30 bucks a month for Wi-Fi.
Chris Valasek: We learned the first time around when we plugged in and sent messages and controlled cars, we thought it was so cool, and then everyone shit all over us, saying “Ah, they’re plugged in.” We’re like “Nope, there’s no holding back this time, we keep making it better.”
Charlie Miller: Yeah, that would have been the headline of the story: “Have to buy Wi-Fi? Don’t buy Wi-Fi!” It would just set back the Wi-Fi industry 10 years.
Chris Valasek: Call centers are closing all across America.
Charlie Miller: And Asia.