Search Results for: valasek

Car Hacking Looks like This

Screenshots from the Black Hat presentation about the first remote hack of a passenger vehicle – a 2015 Jeep Cherokee (more here.)

It was these guys – Charlie Miller and Chris Valasek.

2 Biggest Takeaways for the Average Driver

1 – the attack they released no longer works

As of the publishing of this post, the attack stopped working because Sprint closed the port they were using to enter the car (nice, Sprint.)

If you own a Chrysler and were part of the 1.4 million recall, breathe a bit easier.

2 – update your car

This Jeep thing is a wake-up call – if your automaker issues an update, make it a priority. The industry is still in its infancy, and the update will probably be inconvenient (“pick up a USB from the dealership”). DO IT.

Be mindful about how you connect your car to the internet (please never pair your car to public WiFi.)

From Black Hat 2015.

 

 

First Time a Vehicle is Remotely Hacked

WIRED magazine published a story yesterday about the world’s first documented wireless attack of a vehicle. A pair of security researchers put a journalist behind the wheel of a Jeep Cherokee and took control of it while he was driving miles away.

Read my synopsis on Autonet, here’s the original WIRED story by Andy Greenberg, and below are the key things to know.

This security update does NOT affect Canadian vehicles

I contacted Chrysler, and got this quote for Autonet:

An FCA representative in Canada tells Autonet, “Due to market access to cellular connectivity in the Canadian marketplace, FCA Canada vehicles are not affected by this condition and therefore do not require a system upgrade.”

It does, however, affect American vehicles, specifically American mid-2013 to 2015 Fiat-Chrysler vehicles that are equipped with the Uconnect infotainment system.

WIRED estimates about 417,000 are affected. Download the security update from FCA here, or take it to a dealership mechanic.

What happened to the car?

Radio, A/C and wipers were all turned on high, and Andy spun the control dials with zero effect. They altered the dashboard screen image.

They cut the transmission, and an 18-wheeler came barrelling up behind him, then they disengaged the brakes and sent Andy into a ditch.

They turned the SUV into a surveillance tool, tracking its GPS coordinates and tracing it on a map.

How was the car attacked?

The pair gain wireless control of the Cherokee via the vehicle’s Uconnect infotainment system which is connected to the Sprint network.

They enter the car through its cellular connection, then move to an adjacent chip in the head unit and rewrite the chip’s firmware to include their malicious code. Now they’re able to send commands through the car’s computer network – CAN bus – and control physical components like the brakes and transmission.

What’s next?

The pair will present their findings at the upcoming Black Hat online security conference in Vegas, as well as share their code. A key vulnerability will be omitted, but the code to do the dashboard tricks will hit the internet.

Why? They say 2 reasons: for peer review, and it “sends a message: automakers need to be held accountable for their vehicles’ digital security.”

Overall Takeaway

What Charlie said:

“We shut down your engine—a big rig was honking up on you because of something we did on our couch,” Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

Related Blog Links

– I’d like to know if they can access the driver’s contacts? I don’t pair my phone to a car

– you’ve met this pair of security researchers – Charlie Miller briefly at SecTor, and Chris Valasek for my column, and a press piece for SecTor 2014

– sign I Am the Cavalry’s petition to the automakers, I did

about the OBDII port

– there are over 100 computers in your car

– one of which is the black box – an EDR

blog tag = auto security  – newspaper tag = auto security

– I was recently in Utah with Jeep, off-roading a Cherokee, Trailhawk trim.

They hacked a fun SUV.

 

 

Dispelling Fears about Car Hacking

Real brief: the problem is cars operate on the CAN bus network, which was designed in the 1980s, when the internet didn’t exist. Learn about CAN here.

Speaking with Chris Valasek, physical access is still required to hack the car. For now. (I’d try coming in via Bluetooth.)

Read it online at Autonet.

Favourite line:

That’s how car hacking works: the system doesn’t ask where the message came from or who sent it, it just accepts and executes it.

Plus the ending, because it’s true.

To attack, it’d be more efficient to roll that newspaper into a baton, than go after the target’s car.
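To make the favourite line concrete, here is a small simulation added for this page (not code from the Autonet article or from the researchers). It models a classic CAN frame, which carries a message ID and data but no sender field, and then a gateway that only lets allowlisted IDs cross from the infotainment side to the control side. The IDs, payloads and class names are made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    """Classic CAN data frame as a receiver sees it: an identifier and up to
    8 data bytes. There is no sender address and no authentication field."""
    can_id: int   # 11-bit arbitration ID (names the message, not the sender)
    data: bytes   # 0-8 payload bytes

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF or len(self.data) > 8:
            raise ValueError("not a valid classic CAN frame")

# Constructed IDs for illustration only; real IDs differ per vehicle.
MEDIA_INFO = 0x3A0
BRAKE_CMD = 0x120

class FlatBus:
    """One shared bus: every node receives every frame, whoever sent it."""
    def __init__(self):
        self.delivered = []

    def send(self, sender_name, frame):
        # sender_name exists only in this simulation; it is never on the wire
        self.delivered.append(frame)

class Gateway:
    """Segmented design: frames from the infotainment segment reach the
    control segment only if their ID is on an allowlist."""
    def __init__(self, control_bus, allowed_ids):
        self.control_bus = control_bus
        self.allowed_ids = set(allowed_ids)
        self.dropped = []

    def forward(self, frame):
        if frame.can_id in self.allowed_ids:
            self.control_bus.send("gateway", frame)
            return True
        self.dropped.append(frame)
        return False

def run_demo():
    brake = CanFrame(BRAKE_CMD, bytes([0x01]))
    flat = FlatBus()
    flat.send("brake_controller", brake)   # legitimate source
    flat.send("infotainment", brake)       # any other node on the same bus
    indistinguishable = flat.delivered[0] == flat.delivered[1]

    control = FlatBus()
    gw = Gateway(control, allowed_ids={MEDIA_INFO})
    forwarded = [gw.forward(f) for f in (CanFrame(MEDIA_INFO, b"\x02"), brake)]
    return indistinguishable, forwarded, len(control.delivered), len(gw.dropped)
```

On the flat bus the two brake frames are identical to every receiver; with the gateway in place, only the media frame reaches the control segment.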

***


Blog tag = auto security

 

 

Join an Industry with a 100% Employment Rate

Online security.

There’s 1 day left of SecTor, Canada’s premier security conference.

That blog title is not dramatic, it’s like 98%. Makes sense, look how fast we adopted the internet of everything, that’s currently pretty vulnerable and held together with popsicle sticks, a nightmare is coming, one day you’ll tell your grandchildren of a time when people’s password was password, tada! You have a job for life.

I went straight for the car hacking stuff.

What to do while there

Check out the Keynote while eating lunch, and making friends.

Sit in on a talk, which looks like this.

That’s Christopher Pogue of Nuix, talking about cybercrime and forensics. He made a good point: if the 3rd parties and vendors connecting to your network aren’t secure, neither are you.

Or if you feel shy, go to the lock picking village and grab a seat; I find people into lock picking are generally welcoming and fun.

Take the requisite conference-bathroom-selfie.

Don’t be shy to ask questions! And don’t let the nature of the information put you off, it’s a friendly crowd.

Too bad you missed the annual party, though. Finally, after 1,000 emails, I got to meet Sabrina, who runs communications & media, and edited my article about the car hacking keynote by Chris Valasek.

Whom I also met IRL, read that piece here.

Tickets and location information here, and whoever’s running their Twitter is funny @SecTorCa #SecTorCA

One day I’d like to give a talk, maybe another year of quiet study first.

I have 3 possible topics, but they’re not yet strong enough to type here.

Blog tag = SecTor

 

 

A Rare Chance to Hear a Car Hacking Expert

Chris Valasek is the Keynote speaker on October 21, 12pm at SecTor Security Conference.

While hacking a car almost always requires physical access, it won’t be long before it doesn’t.

Consider this scenario: a virus is accidentally downloaded onto a driver’s phone, who unknowingly pairs it to his car, now the infection is inside the vehicle, where the Bluetooth and brakes run on the same network… what’s the defence?

How do you mass-update the software in tens of thousands of cars? It can cost millions just for an automaker to mail a “come in and get updated” letter to its customers.

As vehicles become more computers-on-wheels than cars, the act of securing them should be a priority for automakers, yet there’s an absence of information on this topic.

Here’s a rare opportunity to hear from a bleeding-edge expert at this year’s SecTor, Canada’s premier IT security conference.

Christopher Valasek is a pioneer in automotive security. He serves as Director of Vehicle Security Research at IOActive, one of the first companies to specialize in automotive security.

He’s not just a theory guy, Chris is an actual practitioner. Remember last year when the headlines screamed “a Prius and Ford have been hacked!” – that was him. If you’ve read anything in the news about car hacking, it probably contains a quote or citation to his work.

He’s not out to do bad and hack your product, or show up individual OEMs, this is a rare chance to hear from one of the good guys, plus – the added advantage of having a mind like this assessing your product, for free.

On October 21 at noon, Chris’ keynote presentation, ‘The Connected Car: Security Throwback’, will demonstrate how present-day automotive security is like a hard shell with a gooey inner layer – protect the outside, but once inside, it’s a field day.

(photo via Forbes)

He’ll draw comparisons between today’s auto landscape and the early 2000s of the internet, when protection mechanisms were an afterthought. He feels automotive security is stuck in a hole in time, and that the same solutions used to secure the networks of 10 years ago, can be applied to today’s automotive security issues.

Because the more computers and code that go into cars, the greater the odds of a mistake being made and someone like Chris finding it. Moreover, with the automotive production cycle being so long (2018 model years are now being finalized), a problem found today is going to be prevalent for some time.

Automotive industry types – is your product resistant against a cyber-attack? If you’re not securing the vehicles you’re producing, then they can be weaponized, and yes that sentence is intended to give you chills.

His keynote will include the opportunity to ask questions. Catch it at SecTor on Tuesday, October 21 at 12:00 – 1:10pm. Ticket information here

Blog tag = auto security

Meet me in this post