Remote Exploitation of an Unaltered Passenger Vehicle 6: Exploit Chain

The researchers continue walking through the vehicle attack workflow and examine the cyber-physical internals as well as the CAN checksums needed to control the Jeep.

Step 1

Chris Valasek: Let’s go through, very simply, how this works. You get on a cell network. You have your cell phone, you have your laptop, you have Masscan, you’re scanning for cars.
Step 2

You find one with an IP (see right-hand image), you connect to it, then you get code running on that OMAP chip (see left-hand image). But that OMAP chip can’t send CAN messages, so from that OMAP chip you reprogram the V850 chip with your backdoored firmware (see right-hand image below).
Step 3

That way, you can send messages to the OMAP chip. The OMAP chip takes that data, sends it on the SPI line to the V850. The V850 consumes it. Since you have it backdoored, you send CAN messages.
Step 4

Then you put Andy in a ditch (see left-hand image). That’s step 4 of the attack – send arbitrary CAN messages.

Charlie Miller: One thing to say real quick is that if you walk up to a Jeep, you don’t know its IP address, and we don’t know a way to really find its IP address besides looking at the VIN or the GPS and then just scanning all the Jeeps until you find that one. That’s one limitation. It’s easier to hack all the Jeeps than to hack an individual Jeep.

Chris Valasek: … Which is kind of backwards.

Installing backdoored firmware on V850 chip

Charlie Miller: Here’s the whole attack chain (watch video above). We are going to fire the exploit, reflash the V850 chip and then be able to send CAN messages. This is the whole attack. So I sent the exploit, it’s downloading the firmware, it’s flashing the V850; right now you can see it’s black. It takes about 30 seconds for the V850 to be completely reflashed. Now it’s rebooting back up into normal mode. At this point, the backdoored firmware is there, we’re good to go.

Chris Valasek: You see how long it took to install the backdoored firmware. You would notice the screen go off for a little bit, but it’s not alarming by any means.

Charlie Miller: And don’t turn off the car. You can do that while you’re driving down the road, whatever.

Chris Valasek: We’ve been working on this for a long time – you can see it’s winter when this video was made.

Charlie Miller: Yeah. And we were very responsible. We reported this so long ago.

Chris Valasek: There’s snow on the ground.

Charlie Miller: Come on! I have a winter hat on. So let me fast-forward it a little bit. Now I’m waiting for the Wi-Fi to come back up. It’s like 7 a.m. or something. I can only hack off-hours. Now I’m going to tell it to turn the windshield wipers on, which requires CAN messages. There you go, it’s running! Yeah! That’s an end-to-end hack right there!

Chris Valasek: If that were a Pwn2Own, everyone would say “Charlie Miller hacks a Jeep in 30 seconds!” But in reality, that’s a year’s worth of work.

Charlie Miller: Maybe a minute on that one. They’d be like “Charlie Miller getting slow, takes one minute.”

Diagnostic instruments

Chris Valasek: Alright, we had diagnostic tools (see right-hand image), I’m going to burn through this as well. Unfortunately, for the Jeep they were set at near 7 grand, and I told them I was the best tuner in Western PA for Jeeps, so they hooked me up, paid for all that.
Unlocks for security access

There are security unlocks to get security access (see left-hand image). We talked about these things before. It wasn’t traditional, couldn’t find the algorithms actually in the code. It was Java, so it decompiled nice for us, but we couldn’t find anything.
Retrieving decryption passwords

They had obfuscated strings. After digging around for a while we found these constructors, where they actually took those files that were encrypted, in the previous screen in the upper right, and decrypted them. And the cool thing was all their decryption passwords were leetspeak, so this one is “generation” (see right-hand image).

Charlie Miller: They wrote their tools in Java and they paid for this commercial obfuscator.

Chris Valasek: And then I just slapped it in the face.

Charlie Miller: Just totally reversed it anyway.

Chris Valasek: I do condone violence on crappy code. That’s the only thing I condone violence for. Also, we couldn’t figure out the checksums for the car (see right-hand image), they were different than anything we’ve seen.
The hardware

The firmware

The best way to do that is grab yourself some hardware (see left-hand image), get yourself some firmware (see right-hand image), reverse yourself some firmware, and then look for XOR, because we figured that’s involved. And lo and behold, we found the checksum routines for everything used in the Jeep, so that’ll be in our package and it’ll show you how to do all that stuff.

Charlie Miller: And that allows you to send arbitrary CAN messages of whatever you want instead of just replaying.

Chris Valasek: Right. Before, we had to replay because we didn’t know the checksum, so we had to replay messages we saw. But with this, we could craft arbitrary messages with any bytes, run this checksum routine, and it would fix it up. That took us a couple of weeks.

Capturing CAN messages from collision prevention system – fail

Charlie Miller: Yeah, that was a lot. So, all that was left was finding messages to send, like how do I control the steering wheel, how do I control the brakes? And the way you do that is you just drive around and make those situations happen and then record it. If you came to our talk last year, we showed this video where we were trying to get the automatic collision prevention system to engage, we could capture the packets (watch video above).

Hopefully metal cans will do the trick

The way we did that is we got some cardboard boxes out and we drove into them, hoping they would stop us. And it didn’t work. Afterwards, after the talk, everyone kept coming up: “You idiots, it only works on metal.” So this year we got ourselves some metal (see right-hand image).

Chris Valasek: By the way, the people at Home Depot probably thought we were sociopaths, we just bought a bunch of trash cans.

Charlie Miller: This year, we also put a phone with a camera running on the thing we were going to hit, if we hit it. Hopefully, it would stop in time. That’s what this view is (watch video below). This is trying to find a place to actually do the testing. We set up the trash cans, and people just keep walking up to the trash cans.

The Jeep vs. metal trash cans – another fail

Chris Valasek: Oh, trash cans with a camera on them. Then we had to scare this little girl out of the parking lot.

Charlie Miller: It’s like “Get out of here!” So, we finally found a place to do it. Here we are, this is heading towards the camera.

Chris Valasek: The camera exploded upon impact.

Charlie Miller: If you listen, you can hear how fast we’re going. We’re hauling ass around this corner. But anyway, that’s the end of that camera’s footage for some reason – you’ll find out why in a second. So, here is the side view footage.

Chris Valasek: It got a little bit loud. And… oh, no!

Charlie Miller: Once again, the collision prevention system did not work.

Chris Valasek: This is in front of this kid’s school, by the way.

Charlie Miller: Yeah. Having metal did not make any difference at all.

Chris Valasek: It didn’t make any difference. So, if you are going to get metal, don’t try it. We tested. Doesn’t work. Save yourself a couple hundred bucks.
