"Even though they were driving slowly, my heart was pounding. I had no control." This is Andy Greenberg's description (who wrote the superb Wired article on the Jeep hack) of that now iconic picture of the Jeep Cherokee being driven into a ditch by its hackers, Charlie Miller (Twitter) and Chris Valasek (IOactive), with Andy aboard. Both did this research in their spare time, though Chris was able to count some of it as work time, as it was related to his job.
In a highly entertaining and comedic presentation this week, Chris and Charlie detailed the results of a project that has been going on for at least two years. Last year at DefCon/Black Hat, they described how one might communicate between the entertainment system and the CAN (Controller Area Network) Bus, the bus that links together all of the car's control systems.
The image above shows Charlie's Jeep after he remotely steered it into a ditch, with Andy Greenberg unable to brake. He pressed the brakes to the floor, the brake lights were on, but the car rolled forward anyway (idle speed).
The entertainment system connects to the CAN Bus, but doesn't normally allow commands to be sent. Charlie and Chris rewrote the V850 firmware.
They had several false starts. They jailbroke the Uconnect system (entertainment), but that wasn't required for remote exploitation. They hacked the wireless system -- the Jeep had a wireless hotspot, which has now been disabled with the latest firmware update -- but that also wasn't required. The wireless system had several shortcuts that allowed them to guess the password.
Both hacks let them become familiar with the car's systems and served as an invaluable source of information about its interprocess communications.
The final remote step occurred over the cellular connection, which was active even if the owner had never opted in. They also had to find the particular car's IP address, which took them a few weeks to work out. The hardest part was rewriting the firmware of the V850 chip so that they could send arbitrary commands to the CAN Bus to do their bidding. That was possible because firmware updates are not authenticated. The firmware they used was not entirely disclosed. The communication over the cellular network used port 6667, and that port was what made it possible to find the Jeep's IP; Sprint has now blocked it as well. Port 6667 is not normally used for other important functions on that Sprint network, though it could be used for an IRC relay.
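The firmware-update weakness above (updates are accepted without authentication) is the crux of the CAN injection step. The following is an added example, not code from the talk or from the vehicle, showing what an authenticated update path looks like beside the "flash whatever arrives" path the text describes. The package layout, the manifest fields, the SIGNING_KEY value and the function names are all assumptions made for this illustration; an HMAC stands in for the asymmetric signature (ECDSA or Ed25519 over the manifest) that a production scheme would use so the vehicle holds only a public key.

```python
import hashlib
import hmac
import json
import struct

# Assumed key shared by the build server and the ECU verifier (constructed for
# this example).  A real scheme would sign with a private key and verify with a
# public key embedded in the ECU; the checks below are otherwise the same.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# Hypothetical package layout (not Uconnect's real format):
#   4-byte big-endian manifest length | JSON manifest | raw image bytes
# manifest = {"version": int, "image_sha256": hex, "auth_tag": hex}


def _manifest_tag(key, version, image_sha256):
    """Authentication tag over the fields the verifier must trust."""
    msg = struct.pack(">I", version) + bytes.fromhex(image_sha256)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_package(key, version, image):
    """Producer side: wrap an image in an authenticated manifest."""
    digest = hashlib.sha256(image).hexdigest()
    manifest = {
        "version": version,
        "image_sha256": digest,
        "auth_tag": _manifest_tag(key, version, digest),
    }
    body = json.dumps(manifest).encode()
    return struct.pack(">I", len(body)) + body + image


def _split_package(pkg):
    """Parse the header with bounds checks; raises ValueError on truncation."""
    if len(pkg) < 4:
        raise ValueError("truncated header")
    (mlen,) = struct.unpack(">I", pkg[:4])
    if len(pkg) < 4 + mlen:
        raise ValueError("truncated manifest")
    manifest = json.loads(pkg[4:4 + mlen])
    return manifest, pkg[4 + mlen:]


def install_unauthenticated(pkg):
    """The weak path: flashes whatever arrives, so anyone who can reach the
    update channel controls the ECU."""
    _, image = _split_package(pkg)
    return image


def install_verified(pkg, key, installed_version):
    """Returns (accepted, reason, image); image is None when rejected."""
    try:
        manifest, image = _split_package(pkg)
        version = int(manifest["version"])
        expected_hash = str(manifest["image_sha256"])
        tag = str(manifest["auth_tag"])
        # 1. Authenticate the manifest before trusting anything inside it.
        tag_ok = hmac.compare_digest(tag, _manifest_tag(key, version, expected_hash))
        # 2. Bind the manifest to the actual image bytes (constant-time compare).
        hash_ok = hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_hash)
    except (ValueError, KeyError, TypeError, struct.error) as exc:
        return False, f"malformed package: {exc}", None
    if not tag_ok:
        return False, "manifest authentication failed", None
    if not hash_ok:
        return False, "image hash mismatch", None
    # 3. Anti-rollback: never downgrade to an older, possibly vulnerable image.
    if version < installed_version:
        return False, f"rollback to version {version} refused", None
    return True, "ok", image


if __name__ == "__main__":
    image = b"\x00" * 64 + b"firmware-image-v5"  # constructed stand-in for an image
    good = build_package(SIGNING_KEY, 5, image)
    print(install_verified(good, SIGNING_KEY, 4)[:2])
    forged = build_package(b"attacker-key", 6, image)
    print(install_verified(forged, SIGNING_KEY, 4)[:2])
    print(install_unauthenticated(forged) == image)
```

The order of the checks matters: the tag is verified before the version or hash fields are acted on, so a forged manifest cannot steer the verifier, and the rollback check closes the remaining gap where an attacker replays a genuinely signed but older, vulnerable image.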
The steps of the attack chain:
1) Remote compromise over the cellular network (no longer possible)
2) Lateralization: moving from Uconnect to D-Bus
3) CAN message analysis (mostly done last year)
4) CAN message injection, by reprogramming the firmware
5) Verify and fine-tune commands
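Steps 3 and 4 above rely on the fact that the injected frames ride the same bus as the legitimate ones, and a defender can turn that into a detection signal: most control frames are periodic, so an injected frame shows up as an arrival far sooner than that ID's normal period. The following is an added example, not code from the talk or from any vehicle, of such a timing-based check over candump-style log lines. The log lines, the arbitration ID 0x1A3 and its 10 ms period are constructed for the illustration and do not describe the Jeep.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed candump-style capture (not a real vehicle log).  ID 0x1A3 is a
# periodic 10 ms frame; the two FFFF frames are injected between legitimate ones.
SAMPLE_LOG = """\
(1000.000) can0 1A3#0000
(1000.010) can0 1A3#0000
(1000.020) can0 1A3#0000
(1000.030) can0 1A3#0000
(1000.040) can0 1A3#0000
(1000.050) can0 1A3#0000
(1000.053) can0 1A3#FFFF
(1000.060) can0 1A3#0000
(1000.070) can0 1A3#0000
(1000.074) can0 1A3#FFFF
(1000.080) can0 1A3#0000
"""

# "(timestamp) iface ID#HEXDATA", the format printed by candump -l
LINE_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)


def parse_candump(text):
    """Return a list of (timestamp, arbitration_id, payload_bytes)."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a frame line
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames, min_frames=4):
    """Median inter-arrival time per ID, learned from a known-clean capture.
    IDs seen fewer than min_frames times are ignored as too sparse to model."""
    last = {}
    gaps = defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_frames - 1}


def detect_injection(frames, periods, tolerance=0.5):
    """Flag frames arriving sooner than tolerance * period after the previous
    frame with the same ID.  Returns a list of (timestamp, id, payload_hex)."""
    last = {}
    alerts = []
    for ts, cid, data in frames:
        if cid in last and cid in periods and ts - last[cid] < tolerance * periods[cid]:
            alerts.append((ts, cid, data.hex()))
        last[cid] = ts
    return alerts


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    baseline = learn_periods(frames[:6])  # train on the clean prefix
    for ts, cid, payload in detect_injection(frames, baseline):
        print(f"suspect frame at {ts:.3f}: id=0x{cid:03X} data={payload}")
```

The baseline must come from a capture known to be clean, and the tolerance trades false positives from jitter against missed injections; the example also deliberately does not flag the legitimate frame that follows an injected one, because that frame still arrives at least half a period after its predecessor.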
A description of this hack will be published in a detailed paper on Monday. Approximately 1.4 million vehicles were potentially susceptible to it. Within two weeks of the Wired disclosure, Sprint blocked the port that had allowed Charlie and Chris to take control of the vehicle. At least two avenues of attack, probably more, were fixed: defense in depth. Charlie felt that this was unprecedented, and that as hackers, he and Chris were able to make a difference: the quickness (in car terms, anyway) of the Chrysler recall, several senators calling for legislation mandating security, and finally, car manufacturers paying attention to security.