This is the final part of Black Hat USA presentation by Charlie Miller and Chris Valasek, where they show a few demos of what can be done to a car remotely.Charlie Miller: We figured out eventually how to do that.
Chris Valasek: These are the Lua scripts that we would use to actually send CAN messages on the car (see right-hand image). You see they are in this weird format. Look in the paper, it will tell you the format and how we used it.
Charlie Miller: Here’s some of the stuff we could do (watch video above). You can make the windshield wipers come up with the spray, so it’s kind of hard to see what’s going on. Of course we did that to poor Andy Greenberg.
Chris Valasek: We also tested the turn signals.
Charlie Miller: So, here I’m doing 70, but if you look my speedometer drops to 40 (watch video above).
Chris Valasek: And you’ll be like “I swear, officer, I wasn’t speeding. I have proof, I have camera on it.”
Charlie Miller: You can do locks as well. Here I am, pulling up. I’m going to get out of the car, lock it and walk away.
Chris Valasek: You should hear the beep when he locks it.
Charlie Miller: I swear it just beeped.
Chris Valasek: Then I sent the commands to unlock the doors over the cellular network, unlocked the doors, and I could get my coffee back even though Charlie locked it in there.Charlie Miller: And then, here’s what we actually did to Greenberg. Here’s where you make the transmission stop functioning. I’m giving it full gas, I’m in “drive”, but it won’t go anywhere. I try switching gears, and it’s still. I’m just stuck. Those are normal CAN messages. You can also send diagnostic ones (see right-hand image). Check out our papers for the difference between those. But here’s the brakes not working (watch video below), which is what we put Andy in a ditch with. We don’t put ourselves in ditches.
Chris Valasek: That’s for Greenberg.
Charlie Miller: So, Chris is trying to stop here, but you can see he’s still actually moving.
Chris Valasek: We think if we did enough research we could do those at speed someday, but that’s for a later day.
Charlie Miller: I’ll skip over how you do more complicated attacks, but here’s the effects. Here’s controlling steering.
Chris Valasek: Essentially, it takes the ECU offline. Then we send messages pretending that we’re the ECU, picking up all the traffic left off. That way, it will listen to only our messages.
Charlie Miller: So I’m driving this car remotely. If you listen, I’m driving next to a pole.
Chris Valasek: He’s trying to parallel-park.
Charlie Miller: I almost hit the pole, but I didn’t. Anyway, you can control the steering pretty well, it’s pretty awesome.
Chris Valasek: Braking – the same way, take the ECU offline, send the message, and the car will stop without someone pressing the brakes.Charlie Miller: So, we disclosed it in October 2014 (see right-hand image). The cool thing that happened was after the Greenberg story happened. Not only did they eventually do the recall and have fixes for the thing, but Sprint blocks port 6667 traffic now, so you can’t get to even the cars that aren’t patched, which is super-awesome. Chris Valasek: Yeah, that’s the biggest fix, Sprint not allowing you to communicate on that port.
Charlie Miller: So, right now there are no cars that we can hack. Here’s a video rendition of us disclosing this information (watch video below). Some website had this, and it’s fucking hilarious. Chrysler animobots look very scared.Chris Valasek: They do look scared.
Charlie Miller: And then, this is me trying to get other people to let me test something on their vehicles (see right-hand image). And for some reason, they wouldn’t let us test.Chris Valasek: Selfish jerks. Charlie Miller: The effect of the patch is this (see left-hand image). Instead of ports being open, now they are filtered. That’s the fix. Cars got recalled (see right-hand image). Chris Valasek: Recall. That’s cool. Hackers did something, a physical change happened, and it wasn’t within the InfoSec community, it was within the real world. Lawmen want to do laws – that’s something (see left-hand image). Charlie Miller: Yeah, we worked with these senators, and they introduced this legislation at the day of the story. I’m not going to brag about this, but we made the stock go down (see right-hand image). Chris Valasek: If we were lesser men we would have shorted it, but we are honest people. Charlie Miller: Yeah, we could have. Bugs do affect stock price (see left-hand image).
Chris Valasek: And if you’re really cool, Twitter will follow you the day after the Wired story comes out (see right-hand image), to make sure you’re up to no more mischief.
Charlie Miller: So, now Chrysler follows Chris.Chris Valasek: I’ll go through this real quick (see right-hand image). Remote compromises are capable, we don’t have to prove this anymore. We don’t have to do it on every car. Just know that it’s possible. This is not a Fiat Chrysler issue, this is an ‘everybody’ issue. This is the OEMs, this is the Tier-1s that give them stuff, and this is the telecom companies that provide them communications. They all need to work together to get these fixed. It was better that Sprint blocked the port and Chrysler released the patch than just one of them acting alone. And, like I said, hackers can make a real-world difference. This isn’t just InfoSec anymore. We affect the real world. People know about this stuff that aren’t in the industry, and it’s awesome, and we want people to continue to do this work. Take this, go to new cars, do new stuff.
Charlie Miller: Yup. And that’s it, thanks everybody!