Twitter’s Charlie Miller and IOActive’s Chris Valasek present their research on the buzz topic of remotely hacking into the controls of the modern vehicles.Chris Valasek: I don’t know if we need introductions anymore. I’m Chris Valasek, Director of Vehicle Security Research at IOActive, and next to me is Charlie Miller, Security Engineer at Twitter – together we are ‘wild stallions’!
Charlie Miller: That’s why we don’t practice the talk, because otherwise I would have cut that joke.Chris Valasek: Yeah, you would have cut that. Disclaimer: I think we got some complaints last year, it’s like us joking around, which is going to be again, so if you don’t like it – the door is that way. We have a 90-page paper, 92 (see right-hand image). It’s going to be long, it has all the details. This is a lot of information, this is a year’s worth of work, probably more. We can’t pack it all into the talk, so get the paper. It has everything that we did, and more.
Charlie Miller: It won’t be as entertaining, hopefully.
Chris Valasek: A PSA before we start. Please, just stop saying whatever you have, whatever thing you make is unhackable, because you are going to look silly.Charlie Miller: This (see right-hand image) is from some newspaper. A Daimler engineering executive says “There is no way you could hack a Mercedes-Benz from outside the car.” And then he goes on to say “You can’t really hack it. You have a control gateway and you have to go through that.”
Chris Valasek: … There is no way a gateway of any sort has ever been compromised.
Charlie Miller: Right, so you mean you have to hack the gateway? Can’t do that.Chris Valasek: Overview – we are going to talk about how we got remote code running on the head unit from Wi-Fi cellular, some payloads, and then we are going to talk about the part that took us forever, which was V850 stuff reversing (see right-hand image). Then some cyberphysical stuff, and then even more fun about disclosure, blah-blah-blah.
Charlie Miller: Yeah, and then even though we told Chrysler that we weren’t going to drop any new vulnerabilities or whatever, we are going to drop a lot.
Chris Valasek: We are going to drop all of it!
Charlie Miller: Just kidding. A Chrysler executive has just pooped his pants.Chris Valasek: A lot of people think about remote attacks just as this: there’s telematics, Wi-Fi, Bluetooth, tire pressure monitors – all kinds of stuff (see right-hand image). We focused on the Wi-Fi and the telematics systems because we felt that would give us the best shot for a win.
Charlie Miller: Basically, there are lots of different ways that cars take input from the outside world. These are some of them. As time goes on, there will be more of those.
Chris Valasek: Absolutely! I think in-car apps are probably going to start pushing that and we are going to see all that stuff that people are familiar with.
Charlie Miller: So, that’s the first bit of remote attacks: you’ve got to get data to the car somehow.Chris Valasek: And as we found out, the chips that do that don’t usually – at least, in our case did not – do communications with in-vehicle network. This applies to CAN bus stuff or LIN or Flexray or any of that. So you have to figure out a way to get from that remote piece to the piece that communicates with the car (see right-hand image). Two separate pieces – that’s sometimes a hard problem.
Charlie Miller: Right. So someone tells you they can remotely hack your car and then they say something like “Oh, and then you could just do brakes or something,” they might not realize that the second step is really hard.Chris Valasek: And we foresaw this, now we are smarter. CAN message analysis – if you want to send CAN messages that do things, you need to understand their IDs and their data (see right-hand image). The best way we found to do this is get a car and record them with a sniffer, see what they do, change them, all that good stuff. You need to do this part if you want physical control. You don’t have to be physically jacked in to the car to do it when you are doing it remotely, but you need it to begin with.
Charlie Miller: This is the one part where you need a car at least for a little while, so maybe it’s a rental or it’s a car you own. But at some point you need to figure out how the messages work. It’s going to be specific for a particular manufacturer, model, year. We don’t know exactly what the details are, but you are going to need one to at least look at for a little bit.Chris Valasek: We released stuff for Ford, Toyota, and now Jeep, so there’s some information out there. Lastly, CAN message injection: you have to find a way from a remote source to make that remote source send it to the internal source that sends out a message that does cool stuff (see right-hand image). This is what you want to do, right? You want to control the car. Turning up the radios? Fine. But wrecking into the ditch – even finer. Charlie Miller: … Speaking of wrecking into the ditch. This picture is funny (see right-hand image). I noticed when putting this slide deck that the brakes aren’t working in this picture, that’s why he’s going into the ditch. But the brake lights are on.
Chris Valasek: So there’s probably a physical switch that’s the lights, and the rest is that.
Charlie Miller: Anyway, a little about the vehicle.Chris Valasek: If you don’t know yet, 2014 Jeep Cherokee (see right-hand image). I think that’s been out there. It’s a great car, I like it!
Charlie Miller: I highly recommend it!Chris Valasek: Yeah, I would drive it. You are welcome, Fiat Chrysler! It has a Uconnect unit (see left-hand image). That’s the infotainment system, the thing that does communications to the outside world, made by Harman. They do all kinds of audio and video stuff, but they are also heavily used in automobiles.
Charlie Miller: Yeah, so the head unit is, basically, this thing in the middle that looks kind of like a computer screen, it’s a touch screen, and then maybe some of the stuff around it.Chris Valasek: Exactly, that’s what most people think of as a ‘car computer’. And if you take these guys apart, you can see there’s a screen that you touch; it used a Sierra Wireless chipset to do cellular and wireless communications; and then the other daughterboard piece was Renesas V850 (see right-hand image). Legally, there was an air gap, because it’s two daughterboards, but in reality we are going to show you how it wasn’t truly an air gap, and this stuff ran QNX. Charlie Miller: So, the main chip on there ran QNX, and it was an ARM processor (see right-hand image). QNX is kind of Linux-like, and so you could get a shell at some point and run commands. And so, it was nice for us, at least me, because I was sort of familiar with that, although half the commands you would expect to work don’t work.