With willing journalist Andy Greenberg at the wheel, they treated him to blasting cold air, the local hip hop radio station at full volume, windshield wipers, wiper fluid, and a photo of themselves on the Jeep’s digital display, all from 10 km away.
Greenberg was driving at 70 miles per hour on the freeway “when they cut the transmission,” Greenberg wrote in his Wired article. “Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
Miller and Valasek faced widespread criticism for questionable ethical behaviour. Conducting a penetration test on a vehicle with permission of the owner is one thing, but conducting live exploits with a subject on a public highway is dangerous.
Automobile manufacturers are taking action on cybersecurity issues. But there are challenges. The automotive ecosystem is complex, price sensitive, and works on release cycles many times longer than those of software products. However, there is good news: cars bring a new dimension to the cybersecurity field, but most of the security issues have been seen before.
Miller and Valasek’s 91-page paper Remote Exploitation of an Unaltered Passenger Vehicle provides a lot of detail. Their attack was sophisticated, but ultimately relied on three key vulnerabilities.
The first vulnerability was an open TCP port with a service that required no authentication. While the protocol was intended for interprocess communications, connection to the port was allowed from the Uconnect infotainment system’s WiFi and cellular network connections. There was no reason for this port to be accessible from either network; it should have been firewalled or configured to listen only on the loopback interface. Authentication should probably have also been required.
The second vulnerability involved command execution. It was possible to run arbitrary shell commands via the open, unauthenticated TCP service by specifying a filename containing a shell metacharacter. However, exploiting that vulnerability wasn’t required because the service also inadvisably provided an execute method designed to run arbitrary shell commands.
This combination of vulnerabilities made it possible to execute arbitrary shell commands on the underlying QNX operating system via the cellular network. Even a moderately skilled hacker could have “owned” the Uconnect system. But taking over the entire car was more complicated.
Modern automobiles have two or more data buses through which their various components communicate in real-time. Turning on the windshield wipers, or shifting from park to drive, results in messages being sent between components. Devices on the data buses do not authenticate each other; if an attacker can inject messages onto the bus it is possible to impersonate components.
The exploited Uconnect system contains a microcontroller and software that allows it to communicate with other electronic modules on both of the vehicle’s data buses (CAN-IHS and CAN-C). The main Uconnect system not only has the ability to update the microcontroller’s software, but it even includes a command-line utility to do it. Code signing is also not implemented.
This third vulnerability is critical; once an attacker has compromised the Uconnect system, he or she can upload replacement software and re-flash the microcontroller, allowing unrestricted communication with both data buses. This allowed Miller and Valasek lateral movement and control of vehicle systems.
The overall security architecture was flawed. The system with the largest attack surface was able to update a more sensitive internal component. A prudent security model would assume that the Uconnect system could be compromised and include controls to protect the CAN buses.
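An added example (not from this column or from Miller and Valasek's paper) of the control the third vulnerability lacked: the component being re-flashed checks an Ed25519 signature against a pinned public key before accepting an image and, going beyond what the column covers, also refuses older versions. The image layout, function names and key handling are assumptions for illustration, not the Uconnect format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (an assumption, not the Uconnect format): 4-byte
// big-endian version | payload | 64-byte Ed25519 signature over both.
var ErrRejected = errors.New("firmware rejected")

// VerifyImage runs on the component being flashed. It returns the payload
// only if the signature verifies under the pinned key and the version is
// not older than the installed one.
func VerifyImage(pinned ed25519.PublicKey, installed uint32, image []byte) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || len(image) < 4+ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: malformed key or image", ErrRejected)
	}
	split := len(image) - ed25519.SignatureSize
	signed, sig := image[:split], image[split:]
	if !ed25519.Verify(pinned, signed, sig) {
		return nil, fmt.Errorf("%w: bad signature", ErrRejected)
	}
	if v := binary.BigEndian.Uint32(signed); v < installed {
		return nil, fmt.Errorf("%w: rollback to version %d", ErrRejected, v)
	}
	return signed[4:], nil
}

// SignImage is the build-side step, run only where the private key is held.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(signed, version)
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, err := VerifyImage(pub, 7, img)
	fmt.Println("genuine image error:", err)
	img[10] ^= 0x01 // simulate an image modified after signing
	_, err = VerifyImage(pub, 7, img)
	fmt.Println("modified image error:", err)
}
```

The check only helps if it runs in the receiving component's own update path, since the column's point is that the Uconnect side must be assumed compromised.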
Automotive cybersecurity is a new area, but most of the vulnerabilities discovered so far are not. Experienced, ethical security professionals understand how to architect more secure systems, detect vulnerabilities, and mitigate risk. They work to help their clients, not embarrass them. Qualified help is available; automotive manufacturers need to steer toward security.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org