Remote Exploitation of an Unaltered Passenger Vehicle


Twitter’s Charlie Miller and IOActive’s Chris Valasek present their research on the buzz topic of remotely hacking into the controls of modern vehicles.

The researchers
Chris Valasek: I don’t know if we need introductions anymore. I’m Chris Valasek, Director of Vehicle Security Research at IOActive, and next to me is Charlie Miller, Security Engineer at Twitter – together we are ‘wild stallions’!

Charlie Miller: That’s why we don’t practice the talk, because otherwise I would have cut that joke.

Based on the white paper
Chris Valasek: Yeah, you would have cut that. Disclaimer: I think we got some complaints last year, it’s like us joking around, which is going to be again, so if you don’t like it – the door is that way. We have a 90-page paper, 92 (see right-hand image). It’s going to be long, it has all the details. This is a lot of information, this is a year’s worth of work, probably more. We can’t pack it all into the talk, so get the paper. It has everything that we did, and more.

Charlie Miller: It won’t be as entertaining, hopefully.

Chris Valasek: A PSA before we start. Please, just stop saying whatever you have, whatever thing you make is unhackable, because you are going to look silly.

Nothing’s unhackable
Charlie Miller: This (see right-hand image) is from some newspaper. A Daimler engineering executive says “There is no way you could hack a Mercedes-Benz from outside the car.” And then he goes on to say “You can’t really hack it. You have a control gateway and you have to go through that.”

Chris Valasek: … There is no way a gateway of any sort has ever been compromised.

Charlie Miller: Right, so you mean you have to hack the gateway? Can’t do that.

Topics to cover
Chris Valasek: Overview – we are going to talk about how we got remote code running on the head unit from Wi-Fi cellular, some payloads, and then we are going to talk about the part that took us forever, which was V850 stuff reversing (see right-hand image). Then some cyberphysical stuff, and then even more fun about disclosure, blah-blah-blah.

Charlie Miller: Yeah, and then even though we told Chrysler that we weren’t going to drop any new vulnerabilities or whatever, we are going to drop a lot.

Chris Valasek: We are going to drop all of it!

Charlie Miller: Just kidding. A Chrysler executive has just pooped his pants.

Remote compromise
Chris Valasek: A lot of people think about remote attacks just as this: there’s telematics, Wi-Fi, Bluetooth, tire pressure monitors – all kinds of stuff (see right-hand image). We focused on the Wi-Fi and the telematics systems because we felt that would give us the best shot for a win.

Charlie Miller: Basically, there are lots of different ways that cars take input from the outside world. These are some of them. As time goes on, there will be more of those.

Chris Valasek: Absolutely! I think in-car apps are probably going to start pushing that and we are going to see all that stuff that people are familiar with.

Charlie Miller: So, that’s the first bit of remote attacks: you’ve got to get data to the car somehow.

The lateralization challenge
Chris Valasek: And as we found out, the chips that do that don’t usually – at least, in our case did not – do communications with the in-vehicle network. This applies to CAN bus stuff or LIN or FlexRay or any of that. So you have to figure out a way to get from that remote piece to the piece that communicates with the car (see right-hand image). Two separate pieces – that’s sometimes a hard problem.

Charlie Miller: Right. So someone tells you they can remotely hack your car and then they say something like “Oh, and then you could just do brakes or something,” they might not realize that the second step is really hard.

CAN message analysis
Chris Valasek: And we foresaw this, now we are smarter. CAN message analysis – if you want to send CAN messages that do things, you need to understand their IDs and their data (see right-hand image). The best way we found to do this is get a car and record them with a sniffer, see what they do, change them, all that good stuff. You need to do this part if you want physical control. You don’t have to be physically jacked into the car to do it when you are doing it remotely, but you need it to begin with.

Charlie Miller: This is the one part where you need a car at least for a little while, so maybe it’s a rental or it’s a car you own. But at some point you need to figure out how the messages work. It’s going to be specific for a particular manufacturer, model, year. We don’t know exactly what the details are, but you are going to need one to at least look at for a little bit.

CAN message injection
Chris Valasek: We released stuff for Ford, Toyota, and now Jeep, so there’s some information out there. Lastly, CAN message injection: you have to find a way from a remote source to make that remote source send it to the internal source that sends out a message that does cool stuff (see right-hand image). This is what you want to do, right? You want to control the car. Turning up the radios? Fine. But wrecking into the ditch – even finer.

Wrecking into the ditch
Charlie Miller: … Speaking of wrecking into the ditch. This picture is funny (see right-hand image). I noticed when putting this slide deck together that the brakes aren’t working in this picture, that’s why he’s going into the ditch. But the brake lights are on.

Chris Valasek: So there’s probably a physical switch that’s the lights, and the rest is that.

Charlie Miller: Anyway, a little about the vehicle.

The vehicle to try messing with
Chris Valasek: If you don’t know yet, 2014 Jeep Cherokee (see right-hand image). I think that’s been out there. It’s a great car, I like it!

Charlie Miller: I highly recommend it!

Uconnect unit
Chris Valasek: Yeah, I would drive it. You are welcome, Fiat Chrysler! It has a Uconnect unit (see left-hand image). That’s the infotainment system, the thing that does communications to the outside world, made by Harman. They do all kinds of audio and video stuff, but they are also heavily used in automobiles.

Charlie Miller: Yeah, so the head unit is, basically, this thing in the middle that looks kind of like a computer screen, it’s a touch screen, and then maybe some of the stuff around it.

‘Car computer’ components
Chris Valasek: Exactly, that’s what most people think of as a ‘car computer’. And if you take these guys apart, you can see there’s a screen that you touch; it used a Sierra Wireless chipset to do cellular and wireless communications; and then the other daughterboard piece was Renesas V850 (see right-hand image). Legally, there was an air gap, because it’s two daughterboards, but in reality we are going to show you how it wasn’t truly an air gap, and this stuff ran QNX.

The ARM processor running QNX
Charlie Miller: So, the main chip on there ran QNX, and it was an ARM processor (see right-hand image). QNX is kind of Linux-like, and so you could get a shell at some point and run commands. And so, it was nice for us, at least me, because I was sort of familiar with that, although half the commands you would expect to work don’t work.

Head unit jailbreak
Chris Valasek: Real quick – jailbreak (see right-hand image). Charlie gave you a teaser last year during the talk. It was a great way for us to learn about this system, dump binaries off, do reversing, sniff traffic, basically everything you want to do when you are trying to hack a system. Invaluable. This absolutely, positively is not required for what we are talking about today, just to make that very-very clear, but… Oh, I did the video.

Jailbroken Uconnect
Charlie Miller: So, here is just the effect of jailbreaking (see left-hand image). You can see on the screen it says “Jailbroken”. Normally, it doesn’t say that. Again, if I wanted to remotely attack some car in California I don’t have to get there with a USB stick and jailbreak it. You don’t do that. But for us to find out where files are and play around, it was useful.

Remote attack over Wi-Fi
So, we talked about all those different remote attack services, and the first one that we wanted to look at was Wi-Fi (see right-hand image), because that was something we kind of understood. Bluetooth – we don’t know too much about it. Tire pressure monitoring systems – I know nothing about those. So we wanted to start with something that was kind of familiar, and we started with Wi-Fi. This is the screen that you get for Wi-Fi, and you’ll notice that by default you get WPA2 as your security. I should mention that the Jeep and some other cars offer up a Wi-Fi hotspot so you can sit in the back seat and get on the Internet.

Chris Valasek: The kids can be on the Nintendo DS.

Hurdles with Wi-Fi exploitation
Charlie Miller: It’s pretty sweet, I really like it. In order to do that, you need to have the password to get on WPA2. So, if you want to attack a car over this Wi-Fi hotspot that it generates, there are a couple of problems with it. One is that it’s not on by default, you have to pay for it (see right-hand image). And it’s quite expensive, so about 35 bucks a month – I bought this for, like, a year. You’re welcome.

Chris Valasek: You’re welcome, everyone, for Charlie paying 300 bucks.

Charlie Miller: But anyway, the point is not many people are going to buy this, and even if you did find a car where it was on, you would have to figure out how to connect to the WPA2 network, which is sort of nontrivial.

WPA2 password generation
We’ll still talk about that a little bit just to show how it would work, because for a while this is the only way we knew how to attack the car. The first thing that you’ll see is this (see right-hand image), which is the reverse engineering of the way that the password is generated for the WPA2 system, and you’ll see that they call ‘time(NULL)’ and then they figure out a random password length between 8 and 12, and then random characters from, like, lowercase and uppercase ASCII and numbers, so there’s 62 of them. The point is you get this really long password that’s random, and you can’t just guess it very easily.

Chris Valasek: It’s going to be really hard to guess even if you’re cracking it. You’re not going to be lucky doing it.

Figuring out the password
Charlie Miller: But the fact that they based it on time means that there’s really only one password for every second and the time when they would have turned the car on. So, if you can figure out the time that they turned the car on for the first time, then you can have a pretty good guess what the password is (see right-hand image). And so, here’s just some numbers – I do have a PhD in math…

Chris Valasek: He’s pretty good at math.

Charlie Miller: Yeah, I can use the calculator as well as the next person. But anyway, if you do the math you will find out that if you know what year it is, which you probably have a pretty good idea about because it’s a car, it will take 15 million password tries before you would guess that, if you wanted to just care about a month. So it’s 15 million per month, and then you can make some sort of assumptions. But the point is, you could imagine doing an attack in about an hour, which is kind of a drag, right? So you have to, essentially, find a car on the highway, drive next to it for an hour…

Chris Valasek: That’s just creepy. But Charlie, I ask you how does it get the time?

Snippet of code setting the clock
Charlie Miller: Are you sure we didn’t practice? So then you’re like, okay, fine, how do we know what time it was? Because the very first time you turn the car on, it doesn’t necessarily know what time it is. And so, this is some of the code that sets the clock initially (see right-hand image), and you can see it says ‘getV850RealtimeClock()’. V850 is the other chip that we’ll talk about later, but it’s the one that has direct communications with the cellular network, and so it’s trying to get the time through cellular stuff, just like how your phone gets time. But it follows down here and it says if it fails to get that time, it defaults to the first day of the first month of 2013.

Chris Valasek: January 1, 2013 – that’s the default date.

Charlie’s WPA2 password
Charlie Miller: Right. So I was like, okay, whatever. But I looked at my password, and it was this long, complicated thing (see right-hand image). And so there’s this mapping between what second the clock was turned on and your password. But you can kind of go backwards with that mapping, too. So I was like, well, I wonder what time I turned my car on, it’s kind of interesting, right? So I looked, and it said I turned my car on January 1, 2013, 00:00:32 GMT. What that means is, when I turned my car on, it didn’t know what time it was. It took 32 seconds for the Wi-Fi thing to kind of get going, and then it created the password from that.

Chris Valasek: You could imagine cars coming out of the plant, being turned on, and they all have a very small subset of passwords.

Charlie Miller: Right, so you would expect, maybe, there will only be 10 or 20 different passwords in reality.

Chris Valasek: You don’t have to creep on someone for an hour, you only have to creep on them for a couple of seconds.

Charlie Miller: Yeah. I like how you’re so worried about creeping on someone by driving around.

Chris Valasek: I creep on people all the time.

Charlie Miller: You don’t mind crashing them, but you don’t want to get close to them.

Chris Valasek: Yeah, I don’t want to get them creeped out, but I don’t mind driving them off the road.

Nmap scan report
Charlie Miller: Anyway, it’s actually not that difficult to figure out what the password is on the WPA2 network in this case. And so, you could connect to a Wi-Fi network, but the biggest problem is you still have this issue where they probably don’t have Wi-Fi in the first place. So, let’s just forget about that issue for a moment and power on, which is what you do when you research. You can run an Nmap scan of the Wi-Fi hotspot, and you’ll see there’s a bunch of open ports (see right-hand image). The one that we care most about is port 6667, which Nmap says is IRC.

Chris Valasek: We were pretty stoked, we’re like: sweet, this thing is running IRC, this is awesome! Great car, love it!

Not quite that D-Bus
Charlie Miller: I was like, I knew this car was cool, but now I just really love it. So, it turns out it’s not IRC. It’s something called D-Bus. If you don’t know what D-Bus is, it’s an interprocess communication mechanism so that different processes can talk to each other (see image below). It’s like RPCs, calling methods, so it’s a way different processes on the machine can talk to each other, which right away you start to think like “Well, probably, maybe I shouldn’t be able to pretend I’m a process on the machine and talk to other processes on the machine.”

D-Bus on the Jeep: any authentication?
Chris Valasek: I would think so. That’s how I would design it.

Charlie Miller: But the designers of D-Bus thought of that, and they have authentication built into it, where you need to have some sort of password or key or something. I don’t know because the Jeep didn’t have one. So you can see over here on the right, part of the D-Bus protocols, you can try to auth and you can say “I’m just some anonymous dude,” and the Jeep says “OK, you have a session.”

Chris Valasek: Basically, this is RPC with no authentication, because you can remotely connect and then we’ll show you that you can do stuff.

Charlie Miller: Probably not intended by the manufacturer.

Chris Valasek: I wouldn’t think so.

Dfeet GUI
Charlie Miller: So, we used a protocol called Dfeet, which we’ll show you in a second. What it looks like is it’s a cool GUI. And then, when we wrote our scripts and – not to give away the teaser – exploits as well, we used something called Dbus-Python. This Dfeet thing, you can fire it up, it looks like this (see right-hand image). You can see all these “harman” services that you can talk to. Each of these services has different methods that you can call.

D-Bus methods for a specific service
Here’s an example of using that GUI again to find out what methods are available for particular services (see right-hand image), and you can just read down here and see some of the more interesting ones. There’s a service called “com.harman.service.LayerManager”, and it has methods like “viewDTV_HMI2” and all this kind of crazy stuff.

Chris Valasek: You could imagine how many things are implemented over this. It’s probably easy to use, to make calls, it works, awesome, right? So I’m sure there are just methods upon methods upon methods.

Charlie Miller: Right. So, already, right now you could probably imagine doing things to the Jeep that are bad. But of course, we want a shell. Oh, I should mention the D-Bus service runs as root, so if you can get a shell, you’re root.

Chris Valasek: One small detail.

NavTrailService
Charlie Miller: …Which you would kind of expect – it’s not a multi-user system, it’s a Jeep. So we’re like, okay, let’s start looking through these methods and seeing if there’s any one that has some sort of vulnerability that would allow us to get commands running. The first thing I thought of was command injection, because then you don’t have to mess with shellcode. I’ve spent enough time in my life looking at debugging, I don’t want to do that anymore. So I looked around and found this “NavTrailService” (see right-hand image), which was a really great service. I don’t know what it really does, but it gives you shells – I know for sure.

Chris Valasek: It should be called “ShellTrailService”.

Charlie Miller: Right. This particular service is backed by Lua scripts, so you can just read the Lua and see if there are problems. And you can see here you are allowed to pass in through this method “params”, which is in this case a filename, and then it just shells out to the system and runs “remove” your filename. So, if you give a filename like “blah;stuff”, it will just run that “stuff”.

Chris Valasek: Or you can just give it a “\”, and that removes everything as well.

Charlie Miller: Yeah. Don’t do that either. Anyway, this is bad. From this alone, if you connect to the Wi-Fi you could get root stuff running, and I was proud of myself. I’ve been hacking for 15 years or whatever, and this is really awesome. I found a bug, I knew it would be there – boom!

Chris Valasek: And once we started looking at the code, it was just everywhere.

The 'execute' method for NavTrailService
Charlie Miller: But then my elation of what a super-uber hacker I was kind of came down. When I looked further down the list of methods for NavTrailService, I saw there was one of them called “execute” (see right-hand image). You can probably guess what this shell does. It doesn’t kill you. What it does is, if you give it a command it executes it.

Chris Valasek: If you want to own 1.4 million vehicles, there are four lines of Python. We wanted it to be sexier – that’s it, right there!

Charlie Miller: You can see this is four lines of Python, like he says, and at the end it invokes the “execute” method, and then you specify what the command is – in this case it’s “netcat”, “/bin/sh” and stuff.

Chris Valasek: And the nice thing is they have “netcat” and all those good utilities already on there for you, so you don’t even have to do it. They’re already there for you, just invoke them.

The vulnerability isn't new
Charlie Miller: So, remote root shell, four lines of Python. That’s it. One funny thing is that at Defcon and Black Hat last year we were talking about the attack surface of the Jeep, and at one point Chris, eloquently in this picture, is showing “nmap” of the Jeep, and you can see port 6667 is open (see right-hand image), and of course we laughed about how it was IRC. Basically, that was what our whole talk this year is about, it was on that slide last year.

Lua script for GPS tracking
Chris Valasek: Now we can execute, we’re on the infotainment system, we’re on the head unit. That means we can execute a bunch of cool Lua scripts that do stuff. We wrote GPS Tracker 3000 (see right-hand image). 3001 is going to sound really silly, but we’ll worry about that then.

Charlie Miller: Then it’ll just be retro.

Chris Valasek: Yeah, then it will, like Nintendo game stuff. Basically, what it did is we got the Jeep to send its GPS coordinates to a web server, and we would poll that web server every so often and then put a pin drop on the Google Map. We could get this running and I could watch Charlie go to the grocery store and I could tell you “Hey, he’s speeding up, because the pins are getting farther apart,” or “Hey, he’s slowing down, the pins are getting closer together.” So we have nice Google Map tracking for all your NSA needs, you can track him wherever he goes, it is pretty sweet.

Charlie Miller: You don’t actually even need to run code to do this. This is just one of the methods that the D-Bus service exports for you.

Chris Valasek: Exactly. You don’t even need to exploit it, you just ask it.

Charlie Miller: You’re like “Yo, what’s your GPS?”

Exploiting HVAC
Chris Valasek: And it’s like “Oh, here you go man.” You have probably seen the Wired videos on HVAC – we could turn A/C, heating on (see right-hand image). You give it a number, it blows cold air in Andy Greenberg’s face; I think that’s why this method was designed.

Charlie Miller: And it’s funny because the only reason we’re putting this code up here is so you could see how simple it is. You may think “Oh, turning on the air condition, that’s probably super-hard.”

Cranking up the radio volume
Chris Valasek: … Yeah, like memory corruption and stuff. No, we’re just running a Lua script. We wish it were sexier, but it’s not. Actually I don’t, because I liked it being easy. Radio volume – you can just give it a number (see right-hand image), I think 32 is the loudest.

Charlie Miller: … Some number that is not reasonable. So this is, basically, a lot of the things we can do just on the Uconnect (watch video below). You can’t really hear us talking because we just turned up the radio station. It’s so loud you can’t even talk, and you can’t turn it down. This is what we’re gonna do to Greenberg on the highway. Then Chris turned off the car. You think that would fix it, but it doesn’t. Anyway, you can control the radio, the air conditioning, the GPS. You could imagine turning on the microphone – anything that has to do with just the radio you can do at this point.

Remote Uconnect hack demo

So, that was super fun. You know, I like hip hop as much as the next person. But it’s still, like, the individual has to buy Wi-Fi. Only idiots like me would pay 30 bucks a month for Wi-Fi.

Chris Valasek: We learned the first time around when we plugged in and sent messages and controlled cars, we thought it was so cool, and then everyone shit all over us, saying “Ah, they’re plugged in.” We’re like “Nope, there’s no holding back this time, we keep making it better.”

Charlie Miller: Yeah, that would have been the headline of the story: “Have to buy Wi-Fi? Don’t buy Wi-Fi!” It would just set back the Wi-Fi industry 10 years.

Chris Valasek: Call centers are closing all across America.

Charlie Miller: And Asia.

Port scan results
Charlie Miller: So, well, let’s see if we can do this over the cellular network, because then not only can you get from far away, but everyone will be vulnerable and they’ll just need to pay for Wi-Fi. The first thing that we did was we just ran netstat to see (see right-hand image). And you can see all the ports except the one guy. It’s not just bound to the Wi-Fi interface, for example. It’s bound to all the interfaces. And so we’re like, well, it seems like maybe you can get to it over the cellular network. Of course, we had no idea how to do that.

Chris Valasek: I don’t know how cell phones work and, honestly, I don’t like them.

Retrieving the vehicle's IP
Charlie Miller: I know how iPhones work, but I don’t know how they talk to other iPhones. So we needed to find out what the IP address of the Jeep was so that we could try to talk to it (see right-hand image). The sort of interesting thing was there were all these IP addresses, we didn’t know which were which, but the “uap0” is the one for the Wi-Fi interface. And then you get this “ppp0” – the one on the left is what your IP address is locally, on the Sprint network; and then the other one, 68.28.89.85, is what it looks like if you connect out to a service, outside of the Sprint network. I had no problem buying one of these femtocells, it’s like – you buy something, that’s easy.

Chris Valasek: I bought, like, three femtocells, and I would try to get them working, and I would have to call Sprint, and I bought a phone with a contract that I no longer need. And every time I would get a new femtocell for me, baby, brand-new, and I would call them – they’d go “Oh, you know, that’s stolen.” I was like “What?! It’s brand-new, how can it be stolen?” I bought three or four femtocells, they’re all stolen, but we eventually got one working.

Communications via femtocell
Charlie Miller: Anyway, we hooked up the femtocell (see right-hand image), and then I got on a Sprint cell phone connected to the femtocell, the Jeep happily connected to this Sprint femtocell, and then I was able to talk to port 6667 from my phone to the Jeep. So, then we no longer had to worry about whether Wi-Fi was on. Even if the Wi-Fi has never been turned on in its entire life, the cellular connection is on and I can talk to it.

Chris Valasek: Yeah, we were so ecstatic, because hey, we’re doing all this over cellular, we didn’t need to change anything. With that four-line Python exploit, the only thing we needed to change was the IP address. That took some research time.

Charlie Miller: So, now we had extended from only people who had Wi-Fi to anyone, but we still had to be within the femtocell’s range.

Chris Valasek: Remember the cellular service is on, you don’t have to buy it, right? If you have this head unit, it exists, whether or not you are paying for anything – it just exists whether you know it or not.

Charlie Miller: So, first I got rid of the femtocell and I saw it still worked. Then I was like, oh, it’s maybe the range of a cell tower, I don’t know what that is. But anyway, it was more than 30 meters, and I was like “Yes!”

Chris Valasek: We’re gaining range.

Charlie Miller: Then I drove to the airport by my house and left the Jeep at my house. I tried it from there and it still worked. So I was like “Nice, we’re up to five miles or something!” And then I said “Chris, try it.” So he tries it from Pittsburgh, I’m in St. Louis – it doesn’t work. So we’re like, ah, man, damn it! I drove to the airport to be more than one tower away, so maybe it can be a few towers. Anyway, it was a bummer. We had no idea exactly how far it worked.

So, what's the range?
And then I thought I should go on a road trip. I turned on my car, left it in my driveway and I took off in my other car down the highway. You can see I’m in some little truck stop somewhere (see right-hand image).

Chris Valasek: Bloomsdale, Missouri. Beautiful Bloomsdale.

Charlie Miller: Yeah, and I tried from there – it still worked. So, now we are talking about 60-70 miles. Then finally…

Far enough
Chris Valasek: Finally, I get my act together and get my nice Sprint contract found – I have a contract for two years now – set it as the Wi-Fi hotspot, use my computer to use that as a hotspot, lo and behold, bling – I can reach Charlie’s car from Pittsburgh in St. Louis (see right-hand image).

Charlie Miller: Basically, he totally screwed up earlier.

Chris Valasek: Yeah, I totally screwed up earlier. I was like “I can’t get to it,” because I don’t know how to internet, and then I relearned how to internet and then internet’ed.

Charlie Miller: So, the point now is it’s no longer 10 miles, it’s very far. We don’t know for sure how far at this point. It turns out, we are in the Sprint network, which is the entire United States.

Chris Valasek: That’s nationwide, probably some of Canada, probably some of Mexico.

Charlie Miller: Now you can just scan the Internet, and we know what port we’re looking for – 6667; and if you find that port, it’s either an IRC server on the Sprint network, probably not, or it’s a vulnerable vehicle.

Chris Valasek: We consider it a win-win: it’s either a car or an IRC server, and either way we’re in, we’re good.

Mass scanning for cars
Charlie Miller: Yeah, anyway it’s sweet. We don’t know for sure what Sprint’s IP range is, but every time you turn your car on and off you get a different IP address. And just doing that a bunch, you kind of get an idea of where it shows up. And so, it seems like it’s always in “21.something” or “25.something” (see right-hand image). So you can just scan cars and know that they are vulnerable because this service was on. You don’t have to worry about what version it was. If that service is there, it’s talking to you and you can do stuff, right?

And then you can tickle it a little bit more. It’s just, essentially, like a web server that you can download information from, it’s a thing that gives you information. So we did that.

Chris Valasek: This should have been nominated for the best server-side exploit for the Pwnies.

GPS data and VINs
Charlie Miller: You’re a judge, so you don’t qualify. Anyway, we got the GPS information of the vehicle just by asking politely on port 6667. And then we also do the VIN number for the vehicle, which you can look up and see what kind of car it is (see right-hand image). Then we wrote this clever script called “shutupdave”.

Chris Valasek: It goes back to “shutuptheo”. I mean, in the long tradition of “shutup” scripts, here’s ours.

Another cool script
Charlie Miller: Right. This one (see right-hand image) is targeted towards Dave Aitel, who is anti-junk-hacking and anti-stunt-hacking. He says hacking cars is easy, stupid, pointless, and no impact. So shut up Dave! You can run this script and it just scans the Internet, finds cars that are vulnerable and then tells you what kind of car it is, it’s pretty crazy. And probably the scariest moment of all of our research was the very first time that I ran that and I got the GPS information. I called Chris and said “Hey Chris, I just did it and it’s a car that’s driving across Oklahoma right now!” It was like, oh no.

Chris Valasek: I was like “Let me do it.” Then it did it and I was like “It’s driving across Nebraska.” He’s like “I quit, car hacking is too real for me, I’m out.”

Vulnerable vehicles
Charlie Miller: Yeah, that was too real for me. It was way more fun when it was my car in my driveway. And then it was like “Oh my God, all these cars are vulnerable.” Originally, when we talked to Chrysler they told us that it was only 2014 models. We didn’t really ask, but they didn’t really tell us how many cars were affected. And so, we did this scanning just out of curiosity to see what kind of cars we could find that were vulnerable, and what years, what makes, what models, how many there are. We ran this script for a little bit, and these (see right-hand image) are the cars that we found that were vulnerable just by scanning the Internet. The sweetest one was Dodge Viper for sure. So we found the Dodge Viper, and it was a high-end one.

Chris Valasek: SRT version, someone spent a pretty penny on that car.

Charlie Miller: Yeah, and we could have just cranked the radio on one. We didn’t do that, but we could have. Anyway, this is the list of vehicles, so the interesting thing, before all the recall happened, was that not only was it 2014, but it was 2013 cars, 2015 cars and so on – lots of vulnerable vehicles. It turns out there’s actually more than this that we never just happened to find.

Quantitative estimates
Quantitative estimates
Again, now we know the answer to how many vehicles are vulnerable, it’s 1.4 million, because that’s what they recalled. But we didn’t know. I was like “There has to be a way to figure this out.” I’ve scanned it, and there should be a way to do this. And it turns out, I had this great idea and I went home and googled it, and some dude who wanted to know the population of owls did the exact same thing (see right-hand image). The thing you have to think about is as follows: I was scanning cars, every time you turn your car on and off you get a new IP address, but I was getting the VIN number. So I scanned about 2000 cars and I noticed that I only found 20 that I found a duplicate VIN number for. That means there must be a lot of cars, because if I had scanned 2000 cars and they were almost all duplicates of each other, then there are not that many cars.

Chris Valasek: Remember VINs are unique to a car. They are like your fingerprints. Each car has a VIN, and they don’t change.

Charlie Miller: Right, so I thought I had to come up with some really complicated formula, but it turns out the owl dude had this formula, I just plugged in the VIN numbers. And the number that it came up with was around 400,000, which turned out to be a low estimate. But anyway, it was a lot of cars. That’s why we did the scanning.

Time to mess with Uconnect
Time to mess with Uconnect
Charlie Miller: So far in this story, we could only play with your radio. It’s kind of cool, but not super-cool.

The CAN messages challenge
The CAN messages challenge
Chris Valasek: What we had to do now is figure out how this part worked (see left-hand image). We showed these diagrams last year at Black Hat, and we knew the radio touched both CAN buses, we just needed to figure out how.

Charlie Miller: And this is one of the reasons we chose the Jeep in the first place, because it has this diagram and it’s like, okay, if you own the radio – you own all the CAN buses, game over.

How it works
How it works
Chris Valasek: Yeah, we named it the most hackable car because that’s what we thought we could get into the easiest. The way it actually works is you have this OMAP board that has all your stuff on it, and it was connected to a daughterboard that had a V850 chip through a serial line – they implemented SPI for their communications (see right-hand image).

Charlie Miller: That’s Serial Peripheral Interface. So the V850 is on the CAN network; the V850 can send CAN messages; the V850 can listen to CAN messages. The OMAP chip that we’re on can’t. It can only talk to the other chip.

Chris Valasek: This is the problem: we can’t send CAN messages in to control a car. We just had unique CAN message injection.

Isolation principle
Isolation principle
Charlie Miller: And this is why Chrysler and other companies have correctly said “No, there’s isolation between the infotainment system and the CAN network.” They are kind of right. You know, there were many months that I tried to send CAN messages from the OMAP chip, trying to figure it out.

Must update the firmware
Must update the firmware

Chris Valasek: Yeah, going through Lua scripts trying to figure out which ones may be able to send CAN messages. You spent a lot of time trying to figure that out. But as we know, close only counts in horseshoes and hand grenades, so ‘kinda’ isn’t right. We identified the chip as a V850ES/FJ3 series chip, and the nice thing is we knew we had a firmware for it because it came in the ISO update that you could download offline (see left-hand image above).

Charlie Miller: Right. So, when you plug the USB stick update into your car, it updates the files on the OMAP chip, but it also can reflash and update the V850 chip with new firmware.

Chris Valasek: Long story short, there is also a script that says “Hey, take this as a parameter and flash the V850 chip over SPI.” There is no code signing and there’s really no check, so all you have to do is come up with a bootleg firmware that you wrote yourself that does stuff, and you can update the chip, no questions asked.

CAN modules and addressing
CAN modules and addressing
So, that’s how you get from being on the head unit to actually being on the V850 chip.

I’m going to fly through the rest of this (see right-hand image), because it’s really boring.

CAN registers
CAN registers
We read datasheets a lot. We read a lot of datasheets (see left-hand image).

Charlie Miller: This is three months of reading datasheets.

Base addresses found
Base addresses found
Chris Valasek: Finally, the nice thing is, IDA Pro had a processor module for the V850ES, we found the base addresses (see right-hand image).

Charlie Miller: This is hacking, not ‘Mr. Robot’.

Chris Valasek: Yeah, this is the hacking part. We were just sitting there for three months going through all this crap.

Charlie Miller: Even if Christian Slater really-really wanted to hack a car, it’s still going to take three months.

Segments and initial values
Segments and initial values
Chris Valasek: Exactly. So, we set up the segments and we found a bunch of cool values (see right-hand image). There’s gp-relative addressing – again, read the paper, there’s a bunch of sections. We found where CAN buffers were and cross-referenced those to other pieces in the code (see left-hand image).

CAN buffer cross-references
CAN buffer cross-references
Setting CAN data values
Setting CAN data values
According to the datasheet, here are values that set things like the ID and the data and all that good stuff. Our only problem was we couldn’t call this function directly from anywhere (see right-hand image). So we knew we could set up data, we knew we could get this function to send it if we wanted, but we had no way to call it.

SPI parser
SPI parser
So, what did we do? We’re like, okay, we’ll find the SPI parser and figure out if we can send SPI messages and then, basically, trampoline that code into some other code, where we write shellcode and do code with code (see right-hand image).

Charlie Miller: Basically, since that made no sense…

Chris Valasek: I was trying to be funny.

Charlie Miller: Yeah, so first we looked in the existing firmware to see if there was some way the OMAP could sort of signal to send an arbitrary CAN message. But no matter how hard we looked, we couldn’t find that way. So we decided we would have to make a method that would do that, and then we would send a SPI (Serial Peripheral Interface) message to the V850, saying “Okay, send this message with this data now please.” That’s the approach we had to adopt.

Memory corruption bugs
Memory corruption bugs
Chris Valasek: The sidebar – there’s a bunch of memcpy’s to fixed-sized buffers that take the size from the SPI message (see right-hand image). Again, I think we gave up looking for these after we found a few.

Charlie Miller: Yeah. So the point is, we are going to reflash the firmware, the V850 chip, because there’s no code signing. But even if they had code signing, we could bypass that by exploiting these memory corruption bugs on the V850 from SPI.

Finally sending CAN messages
Finally sending CAN messages
Chris Valasek: But luckily, we didn’t. We wrote shellcode by hand, that’s kind of cool, right? Basically, it was, hey, use the SPI code as the trampoline; if it sees this byte it jumps to our shellcode that we put in an unused section of the ROM; our shellcode sets up the buffers, blah-blah-blah, sends a message, returns – we’re all good (see right-hand image), boom! That’s how you send messages from being on a wireless chip through SPI to reprogram the V850 chip.
V850 upgrade hurdles
V850 upgrade hurdles
The V850 now contains our backdoored firmware. If it receives this command, it’s going to look at these bytes; if it sees that byte it’s going to trampoline to our code; that’s going to take the data out of the SPI messages we just sent and use that as CAN data. And we can send arbitrary messages. That’s how you can physically control a car from wireless to internal.

Charlie Miller: Right. One little hurdle that we had to bypass on the way, though, was that this system, while it is designed for the OMAP chip to update the V850 chip, it’s only designed to do that with a USB stick in and the guy sort of pressing the buttons and that sort of stuff, which we don’t have remotely (see left-hand image above). And so there was just some sort of exercise to go through to do that, and it’s kind of hard because you can only update the V850 if it’s in bootloader mode. And if you put it in bootloader mode it resets the OMAP chip and then you lose control. Anyway, read the paper if you want details. It was slightly difficult.

Consequences of messing with V850
Consequences of messing with V850
Chris Valasek: What happens when it goes wrong? It was covered on your warranty every time (see right-hand image), which is the best part.

Charlie Miller: Yeah, one thing I got to say for Chrysler is they stand behind their products.

Chris Valasek: They do, that’s for sure.

Charlie Miller: This happened twice. If you mess up the flash in the V850, then the head unit just doesn’t work anymore. The first time, what happened was I was flashing it – and there’s no output that it’s going on – so it’s flashing, I didn’t know how it was doing and I was like “Fuck this,” and I just turned it off. It was half-flashed and it never came back on again. Don’t do that. The real upgrade mechanism doesn’t let you do that, it has safety. I had no safety, I was driving with my seat belt off. So, then I took it to the dealer and they’re like “What happened?” I was like “The screen doesn’t come on anymore…” I tried not to use words like “head unit” or “chip”, so I went on to say “The screen is all black, I don’t know.”

Chris Valasek: And Charlie was just texting me “I think they’re buying it, they’re gonna give us a new head unit.” I was like “Alright, sweet!”

Charlie Miller: To be fair, I never lied. The screen did not work. And then the second time, I think I screwed up something different. I told them “There’s something wrong, it doesn’t work again.”

Step 1
Step 1
Chris Valasek: Let’s go through, very simply, how this works. You get on a cell network. You have your cell phone, you have your laptop, you have Masscan, you’re scanning for cars.
Step 2
Step 2
You find one with an IP (see right-hand image), you connect to it, then you get code running on that OMAP chip (see left-hand image). But that OMAP chip can’t send CAN messages, so from that OMAP chip you reprogram the V850 chip with your backdoored firmware (see right-hand image below).
Step 3
Step 3
That way, you can send messages to the OMAP chip. The OMAP chip takes that data, sends it on the SPI line to the V850. The V850 consumes it. Since you have it backdoored, you send CAN messages.
Step 4
Step 4
Then you put Andy in a ditch (see left-hand image). That’s step 4 of the attack – send arbitrary CAN messages.

Charlie Miller: One thing to say real quick is that if you walk up to a Jeep, you don’t know its IP address, and we don’t know a way to really find its IP address besides looking at the VIN or the GPS and then just scanning all the Jeeps until you find that one. That’s one limitation. It’s easier to hack all the Jeeps than to hack an individual Jeep.

Chris Valasek: … Which is kind of backwards.

Installing backdoored firmware on V850 chip

Charlie Miller: Here’s the whole attack chain (watch video above). We are going to fire the exploit, reflash the V850 chip and then be able to send CAN messages. This is the whole attack. So I sent the exploit, it’s downloading the firmware, it’s flashing the V850; right now you can see it’s black. It takes about 30 seconds for the V850 to be completely reflashed. Now it’s rebooting back up into normal mode. At this point, the backdoored firmware is there, we’re good to go.

Chris Valasek: You see how long it took to install the backdoored firmware. You would notice the screen go off for a little bit, but it’s not alarming by any means.

Charlie Miller: And don’t turn off the car. You can do that while you’re driving down the road, whatever.

Chris Valasek: We’ve been working on this for a long time – you can see it’s winter when this video was made.

Charlie Miller: Yeah. And we were very responsible. We reported this so long ago.

Chris Valasek: There’s snow on the ground.

Charlie Miller: Come on! I have a winter hat on. So let me fast-forward it a little bit. Now I’m waiting for the Wi-Fi to come back up. It’s like 7 a.m. or something. I can only hack off-hours. Now I’m going to tell it to turn the windshield wipers on, which requires CAN messages. There you go, it’s running! Yeah! That’s end-to-end hack right there!

Chris Valasek: If that were a Pwn2Own, everyone would say “Charlie Miller hacks a Jeep in 30 seconds!” But in reality, that’s a year’s worth of work.

Charlie Miller: Maybe a minute on that one. They’d be like “Charlie Miller getting slow, takes one minute.”

Diagnostic instruments
Diagnostic instruments
Chris Valasek: Alright, we had diagnostic tools (see right-hand image), I’m going to burn through this as well. Unfortunately, for the Jeep they were set at near 7 grand, and I told them I was the best tuner in Western PA for Jeeps, so they hooked me up, paid for all that.
Unlocks for security access
Unlocks for security access
There are security unlocks to get security access (see left-hand image). We talked about these things before. It wasn’t traditional, couldn’t find the algorithms actually in the code. It was Java, so it decompiled nice for us, but we couldn’t find anything.
Retrieving decryption passwords
Retrieving decryption passwords
They had obfuscated strings. After digging around for a while we found these constructors, where they actually took those files that were encrypted, in the previous screen in the upper right, and decrypted them. And the cool thing was all their decryption passwords were leetspeak, so this one is “generation” (see right-hand image).

Charlie Miller: They wrote their tools in Java and they paid for this commercial obfuscator.

Chris Valasek: And then I just slapped it in the face.

Charlie Miller: Just totally reversed it anyway.

Checksums
Checksums
Chris Valasek: I do condone violence on crappy code. That’s the only thing I condone violence for. Also, we couldn’t figure out the checksums for the car (see right-hand image), they were different than anything we’ve seen.
The hardware
The hardware
The firmware
The firmware
The best way to do that is grab yourself some hardware (see left-hand image), get yourself some firmware (see right-hand image), reverse yourself some firmware, and then look for XOR, because we figured that’s involved. And lo and behold, we found the checksum routines for everything used in the Jeep, so that’ll be in our package and it’ll show you how to do all that stuff.

Charlie Miller: And that allows you to send arbitrary CAN messages of whatever you want instead of just replaying.

Chris Valasek: Right. Before, we had to replay because we didn’t know the checksum, so we had to replay messages we saw. But with this, we could craft arbitrary messages with any bytes, run this checksum routine, and it would fix it up. That took us a couple of weeks.

Capturing CAN messages from collision prevention system – fail

Charlie Miller: Yeah, that was a lot. So, all that was left was finding messages to send, like how do I control the steering wheel, how do I control the brakes? And the way you do that is you just drive around and make those situations happen and then record it. If you came to our talk last year, we showed this video where we were trying to get the automatic collision prevention system to engage, so we could capture the packets (watch video above).

Hopefully metal cans will do the trick
Hopefully metal cans will do the trick
The way we did that is we got some cardboard boxes out and we drove into them, hoping they would stop us. And it didn’t work. Afterwards, after the talk, everyone kept coming up: “You idiots, it only works on metal.” So this year we got ourselves some metal (see right-hand image).

Chris Valasek: By the way, the people at Home Depot probably thought we were sociopaths, we just bought a bunch of trash cans.

Charlie Miller: This year, we also put a phone with a camera running on the thing we were going to hit, if we hit it. Hopefully, it would stop in time. That’s what this view is (watch video below). This is trying to find a place to actually do the testing. We set up the trash cans, and people just keep walking up to the trash cans.

The Jeep vs. metal trash cans – another fail

Chris Valasek: Oh, trash cans with a camera on them. Then we had to scare this little girl out of the parking lot.

Charlie Miller: It’s like “Get out of here!” So, we finally found a place to do it. Here we are, this is heading towards the camera.

Chris Valasek: The camera exploded upon impact.

Charlie Miller: If you listen, you can hear how fast we’re going. We’re hauling ass around this corner. But anyway, that’s the end of that camera’s footage for some reason – you’ll find out why in a second. So, here is the side view footage.

Chris Valasek: It got a little bit loud. And… oh, no!

Charlie Miller: Once again, the collision prevention system did not work.

Chris Valasek: This is in front of this kid’s school, by the way.

Charlie Miller: Yeah. Having metal did not make any difference at all.

Chris Valasek: It didn’t make any difference. So, if you are going to get metal, don’t try it. We tested. Doesn’t work. Save yourself a couple hundred bucks.

CAN message examples
CAN message examples
Charlie Miller: We figured out eventually how to do that.

Chris Valasek: These are the Lua scripts that we would use to actually send CAN messages on the car (see right-hand image). You see they are in this weird format. Look in the paper, it will tell you the format and how we used it.

Turning on windshield wipers remotely

Charlie Miller: Here’s some of the stuff we could do (watch video above). You can make the windshield wipers come up with the spray, so it’s kind of hard to see what’s going on. Of course we did that to poor Andy Greenberg.

Chris Valasek: We also tested the turn signals.

Messing with the speedometer and vehicle controls

Charlie Miller: So, here I’m doing 70, but if you look my speedometer drops to 40 (watch video above).

Chris Valasek: And you’ll be like “I swear, officer, I wasn’t speeding. I have proof, I have camera on it.”

Charlie Miller: You can do locks as well. Here I am, pulling up. I’m going to get out of the car, lock it and walk away.

Chris Valasek: You should hear the beep when he locks it.

Charlie Miller: I swear it just beeped.

Chris Valasek: Then I sent the commands to unlock the doors over the cellular network, unlocked the doors, and I could get my coffee back even though Charlie locked it in there.

Another type of CAN messages
Another type of CAN messages
Charlie Miller: And then, here’s what we actually did to Greenberg. Here’s where you make the transmission stop functioning. I’m giving it full gas, I’m in “drive”, but it won’t go anywhere. I try switching gears, and it’s still. I’m just stuck. Those are normal CAN messages. You can also send diagnostic ones (see right-hand image). Check out our papers for the difference between those. But here’s the brakes not working (watch video below), which is what we put Andy in a ditch with. We don’t put ourselves in ditches.

Disabling car brakes and remote steering

Chris Valasek: That’s for Greenberg.

Charlie Miller: So, Chris is trying to stop here, but you can see he’s still actually moving.

Chris Valasek: We think if we did enough research we could do those at speed someday, but that’s for a later day.

Charlie Miller: I’ll skip over how you do more complicated attacks, but here’s the effects. Here’s controlling steering.

Chris Valasek: Essentially, it takes the ECU offline. Then we send messages pretending that we’re the ECU, picking up where all the traffic left off. That way, it will listen to only our messages.

Charlie Miller: So I’m driving this car remotely. If you listen, I’m driving next to a pole.

Chris Valasek: He’s trying to parallel-park.

Charlie Miller: I almost hit the pole, but I didn’t. Anyway, you can control the steering pretty well, it’s pretty awesome.

Chris Valasek: Braking – the same way, take the ECU offline, send the message, and the car will stop without someone pressing the brakes.

The sequence of events
The sequence of events
Charlie Miller: So, we disclosed it in October 2014 (see right-hand image). The cool thing that happened was after the Greenberg story happened. Not only did they eventually do the recall and have fixes for the thing, but Sprint blocks port 6667 traffic now, so you can’t get to even the cars that aren’t patched, which is super-awesome.

The cars can no longer be hacked
The cars can no longer be hacked
Chris Valasek: Yeah, that’s the biggest fix, Sprint not allowing you to communicate on that port.

Charlie Miller: So, right now there are no cars that we can hack. Here’s a video rendition of us disclosing this information (watch video below). Some website had this, and it’s fucking hilarious. Chrysler animobots look very scared.

Chrysler officials ridiculed after the Jeep hack story
Testing not welcome
Testing not welcome
Chris Valasek: They do look scared.

Charlie Miller: And then, this is me trying to get other people to let me test something on their vehicles (see right-hand image). And for some reason, they wouldn’t let us test.

Ports now filtered
Ports now filtered
Chris Valasek: Selfish jerks.

The infamous car recall
The infamous car recall
Charlie Miller: The effect of the patch is this (see left-hand image). Instead of ports being open, now they are filtered. That’s the fix. Cars got recalled (see right-hand image).

New legislation introduced
New legislation introduced
Chris Valasek: Recall. That’s cool. Hackers did something, a physical change happened, and it wasn’t within the InfoSec community, it was within the real world. Lawmen want to do laws – that’s something (see left-hand image).

Chrysler stock fluctuation
Chrysler stock fluctuation
Charlie Miller: Yeah, we worked with these senators, and they introduced this legislation at the day of the story. I’m not going to brag about this, but we made the stock go down (see right-hand image).

Google stock impacted too
Google stock impacted too
Chris Valasek: If we were lesser men we would have shorted it, but we are honest people.

New follower on Twitter
New follower on Twitter
Charlie Miller: Yeah, we could have. Bugs do affect stock price (see left-hand image).

Chris Valasek: And if you’re really cool, Twitter will follow you the day after the Wired story comes out (see right-hand image), to make sure you’re up to no more mischief.

Charlie Miller: So, now Chrysler follows Chris.

Takeaways
Takeaways
Chris Valasek: I’ll go through this real quick (see right-hand image). Remote compromises are capable, we don’t have to prove this anymore. We don’t have to do it on every car. Just know that it’s possible. This is not a Fiat Chrysler issue, this is an ‘everybody’ issue. This is the OEMs, this is the Tier-1s that give them stuff, and this is the telecom companies that provide them communications. They all need to work together to get these fixed. It was better that Sprint blocked the port and Chrysler released the patch than just one of them acting alone. And, like I said, hackers can make a real-world difference. This isn’t just InfoSec anymore. We affect the real world. People know about this stuff that aren’t in the industry, and it’s awesome, and we want people to continue to do this work. Take this, go to new cars, do new stuff.

Charlie Miller: Yup. And that’s it, thanks everybody!
