Remote Exploitation of an Unaltered Passenger Vehicle 4: Attacks Over Cellular Network

Having described a proof of concept regarding vehicle attacks over Wi-Fi, Charlie Miller and Chris Valasek move on to the cellular exploitation scenario.

Port scan results

Port scan results

Charlie Miller: So, well, let’s see if we can do this over the cellular network, because then not only can you get from far away, but everyone will be vulnerable and they’ll just need to pay for Wi-Fi. The first thing that we did was we just ran netstat to see (see right-hand image). And you can see all the ports except the one guy. It’s not just bound to the Wi-Fi interface, for example. It’s bound to all the interfaces. And so we’re like, well, it seems like maybe you can get to it over the cellular network. Of course, we had no idea how to do that.

Chris Valasek: I don’t know how cell phones work and, honestly, I don’t like them.

Retrieving the vehicle's IP

Retrieving the vehicle’s IP

Charlie Miller: I know how iPhones work, but I don’t know how they talk to other iPhones. So we needed to find out what the IP address of the Jeep was so that we could try to talk to it (see right-hand image). The sort of interesting thing was there were all these IP addresses, we didn’t know which were which, but the “uap0” is the one for the Wi-Fi interface. And then you get this “ppp0” – the one on the left is what your IP address is locally, on the Sprint network; and then the other one,, is what it looks like if you connect out to a service, outside of the Sprint network. I had no problem buying one of these femtocells, it’s like – you buy something, that’s easy.

Chris Valasek: I bought, like, three femtocells, and I would try to get them working, and I would have to call Sprint, and I bought a phone with a contract that I no longer need. And every time I would get a new femtocell for me, baby, brand-new, and I would call them – they’d go “Oh, you know, that’s stolen.” I was like “What?! It’s brand-new, how can it be stolen?” I bought three or four femtocells, they’re all stolen, but we eventually got one working.

Communications via femtocell

Communications via femtocell

Charlie Miller: Anyway, we hooked up the femtocell (see right-hand image), and then I got on a Sprint cell phone connected to the femtocell, the Jeep happily connected to this Sprint femtocell, and then I was able to talk to port 6667 from my phone to the Jeep. So, then we no longer had to worry about whether Wi-Fi was on. Even if the Wi-Fi has never been turned on in its entire life, the cellular connection is on and I can talk to it.

Chris Valasek: Yeah, we were so ecstatic, because hey, we’re doing all this over cellular, we didn’t need to change anything. With that four-line Python exploit, the only thing we needed to change was the IP address. That took some research time.

Charlie Miller: So, now we had extended from only people who had Wi-Fi to anyone, but we still had to be within the femtocell’s range.

Chris Valasek: Remember the cellular service is on, you don’t have to buy it, right? If you have this head unit, it exists, whether or not you are paying for anything – it just exists whether you know it or not.

Charlie Miller: So, first I got rid of the femtocell and I saw it still worked. Then I was like, oh, it’s maybe the range of a cell tower, I don’t know what that is. But anyway, it was more than 30 meters, and I was like “Yes!”

Chris Valasek: We’re gaining range.

Charlie Miller: Then I drove to the airport by my house and left the Jeep at my house. I tried it from there and it still worked. So I was like “Nice, we’re up to five miles or something!” And then I said “Chris, try it.” So he tries it from Pittsburgh, I’m in St. Louis – it doesn’t work. So we’re like, ah, man, damn it! I drove to the airport to be more than one tower away, so maybe it can be a few towers. Anyway, it was a bummer. We had no idea exactly how far it worked.

So, what's the range?

So, what’s the range?

And then I thought I should go on a road trip. I turned on my car, left it on my driveway and I took off in my other car down the highway. You can see I’m in some little truck stop somewhere (see right-hand image).

Chris Valasek: Bloomsdale, Missouri. Beautiful Bloomsdale.

Charlie Miller: Yeah, and I tried from there – it still worked. So, now we are talking about 60-70 miles. Then finally…

Far enough

Far enough

Chris Valasek: Finally, I get my act together and get my nice Sprint contract found – I have a contract for two years now – set it as the Wi-Fi hotspot, use my computer to use that as a hotspot, lo and behold, bling – I can reach Charlie’s car from Pittsburgh in St. Louis (see right-hand image).

Charlie Miller: Basically, he totally screwed up earlier.

Chris Valasek: Yeah, I totally screwed up earlier. I was like “I can’t get to it,” because I don’t know how to internet, and then I relearned how to internet and then internet’ed.

Charlie Miller: So, the point now is it’s no longer 10 miles, it’s very far. We don’t know for sure how far at this point. It turns out, we are in the Sprint network, which is the entire United States.

Chris Valasek: That’s nationwide, probably some of Canada, probably some of Mexico.

Charlie Miller: Now you can just scan the Internet, and we know what port we’re looking for – 6667; and if you find that port, it’s either an IRC server on the Sprint network, probably not, or it’s a vulnerable vehicle.

Chris Valasek: We consider it a win-win: it’s either a car or an IRC server, and either way we’re in, we’re good.

Mass scanning for cars

Mass scanning for cars

Charlie Miller: Yeah, anyway it’s sweet. We don’t know for sure what Sprint’s IP range is, but every time you turn your car on and off you get a different IP address. And just doing that a bunch, you kind of get an idea of where it shows up. And so, it seems like it’s always in “21.something” or “25.something” (see right-hand image). So you can just scan cars and know that they are vulnerable because this service was on. You don’t have to worry about what version it was. If that service is there, it’s talking to you and you can do stuff, right?

And then you can tickle it a little bit more. It’s just, essentially, like a web server that you can download information from, it’s a thing that gives you information. So we did that.

Chris Valasek: This should have been nominated for the best server-side exploit for the Pwnies.

GPS data and VINs

GPS data and VINs

Charlie Miller: You’re a judge, so you don’t qualify. Anyway, we got the GPS information of the vehicle just by asking politely on port 6667. And then we also do the VIN number for the vehicle, which you can look up and see what kind of car it is (see right-hand image). Then we wrote this clever script called “shutupdave”.

Chris Valasek: It goes back to “shutuptheo”. I mean, in the long tradition of “shutup” scripts, here’s ours.

Another cool script

Another cool script

Charlie Miller: Right. This one (see right-hand image) is targeted towards Dave, I tell, who is anti-junk-hacking and anti-stone-hacking. He says hacking cars is easy, stupid, pointless, and no impact. So shut up Dave! You can run this script and it just scans the Internet, finds cars that are vulnerable and then tells you what kind of car it is, it’s pretty crazy. And probably the scariest moment of all of our research was the very first time that I ran that and I got the GPS information. I called Chris and said “Hey Chris, I just did it and it’s a car that’s driving across Oklahoma right now!” It was like, oh no.

Chris Valasek: I was like “Let me do it.” Then it did it and I was like “It’s driving across Nebraska.” He’s like “I quit, car hacking is too real for me, I’m out.”

Vulnerable vehicles

Vulnerable vehicles

Charlie Miller: Yeah, that was too real for me. It was way more fun when it was my car in my driveway. And then it was like “Oh my God, all these cars are vulnerable.” Originally, when we talked to Chrysler they told us that it was only 2014 models. We didn’t really ask, but they didn’t really tell us how many cars were affected. And so, we did this scanning just out of curiosity to see what kind of cars we could find that were vulnerable, and what years, what makes, what models, how many there are. We ran this script for a little bit, and these (see right-hand image) are the cars that we found that were vulnerable just by scanning the Internet. The sweetest one was Dodge Viper for sure. So we found the Dodge Viper, and it was a high-end one.

Chris Valasek: SRT version, someone spent a pretty penny on that car.

Charlie Miller: Yeah, and we could have just cranked the radio on one. We didn’t do that, but we could have. Anyway, this is the list of vehicles, so the interesting thing, before all the recall happened, was that not only was it 2014, but it was 2013 cars, 2015 cars and so on – lots of vulnerable vehicles. It turns out there’s actually more than this that we never just happened to find.

Quantitative estimates

Quantitative estimates

Again, now we know the answer of how many vehicles are vulnerable, it’s 1.4 million, because that’s what they recalled. But we didn’t know. I was like “There has to be a way to figure this out.” I’ve scanned it, and there should be a way to do this. And it turns out, I had this great idea and I went home and googled it, and some dude who wanted to know the population of owls did the exact same thing (see right-hand image). The thing you have to think about is as follows: I was scanning cars, every time you turn your car on and off you get a new IP address, but I was getting the VIN number. So I scanned about 2000 cars and I noticed that I only found 20 that I found a duplicate VIN number for. That means there must be a lot of cars, because if I would have scanned 2000 cars and they were almost all duplicates of each other, then there are not that many cars.

Chris Valasek: Remember VINs are unique to a car. They are like your fingerprints. Each car has a VIN, and they don’t change.

Charlie Miller: Right, so I thought I had to come up with some really complicated formula, but it turns out the owl dude had this formula, I just plugged the VIN numbers. And the number that it came up with was around 400,000, which turned out to be a low estimate. But anyway, it was a lot of cars. That’s why we did the scanning.

Read previous: Remote Exploitation of an Unaltered Passenger Vehicle 3: Uconnect Payloads

Read next: Remote Exploitation of an Unaltered Passenger Vehicle 5: Sending CAN Messages

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: