Good to Meet You Black Hat, I’m Keri

We may have met before; this is my 4th Black Hat as media. Media.

Because, to be clear: compared to you guys I’m a baby, a script kiddie at best. I’m okay at OSINT and SE; it ends there.

I’m an auto journalist with Sun Media, a Canadian newspaper chain. I write the news, car reviews and a weekly column – Keri on Driving – 400 words about whatever I want. For a sample, read my 150th Anniversary column.

I’ve been starting to specialize in auto security, which is why I’m here.

Blog tag = Auto Security (34), and I run the security section of the newspaper here.

About my blog’s security section

I doubt this section would much interest you, I write for the end user. It’s more for like, a housewife in Iowa.

Like my Blackberry security video:

Please don’t hack me! Really, it’d be like picking on the kid at recess wearing a helmet.

I’ll leave you something only this crowd will appreciate

Despite everyone rolling their eyes when I tell them, it’s maybe the thing about my blog I’m most proud of, more than it making it through bank filters

…. my blog and I have been flown around North America, gained access to some amazing places and tested almost $10 million in cars…. ready….

… all without an About Page! Nor a LinkedIn! And I kept my last name offline for 5 years.

Tada!

Find me fastest on Twitter @KeriBlog, if you see me say hi, and have a great conference!

Keri

Blog tag = Black Hat

I’m Not Blogging This Week

I’m leaving for Vegas to be media at Black Hat – the premier international security conference. AKA the most hostile network in the world.

Best way to go online is to not.  I’ll be walking around with my phone OFF.

I don’t stand a chance against this crowd.

These are screenshots from a media email I received.

Here’s what I’m walking into:

1 – blog tag = social engineering 

2 – remember when this happened to me at the LA Auto Show? The USB -> EGO attack

3 – Blog tags – NFC and RFID

1 – never leave a laptop unattended

2 – see that, “by far…” While I’m taking my laptop in case of an emergency at the newspaper, I have zero intention of opening it.

3 – friendly reminder to change your passwords, because when was the last time you did?

***

TTYL on Twitter @KeriBlog, and here when I’m back later this week.

First Time a Vehicle is Remotely Hacked

WIRED magazine published a story yesterday about the world’s first documented wireless attack on a vehicle. A pair of security researchers put a journalist behind the wheel of a Jeep Cherokee and took control of it from miles away while he was driving.

Read my synopsis on Autonet, here’s the original WIRED story by Andy Greenberg, and below are the key things to know.

This security issue does NOT affect Canadian vehicles

I contacted Chrysler, and got this quote for Autonet:

An FCA representative in Canada tells Autonet: “Due to market access to cellular connectivity in the Canadian marketplace, FCA Canada vehicles are not affected by this condition and therefore do not require a system upgrade.”

It does, however, affect American vehicles, specifically mid-2013 to 2015 Fiat Chrysler vehicles sold in the U.S. that are equipped with the Uconnect infotainment system.

WIRED estimates about 417,000 vehicles are affected. Download the security update from FCA here, or have a dealership mechanic install it.

What happened to the car?

Radio, A/C and wipers were all turned on high, and Andy spun the control dials with zero effect. They also altered the dashboard screen image.

They cut the transmission while an 18-wheeler came barrelling up behind him; later they disengaged the brakes and sent Andy into a ditch.

They turned the SUV into a surveillance tool, tracking its GPS coordinates and tracing it on a map.

How was the car attacked?

The pair gained wireless control of the Cherokee through the vehicle’s Uconnect infotainment system, which is connected to the Sprint cellular network.

They entered the car through its cellular connection, then moved to an adjacent chip in the head unit and rewrote that chip’s firmware to include their own code. From there they could send commands over the car’s internal computer network, the CAN bus, and control physical components like the brakes and transmission.
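The reason this chain ends at the brakes is that the CAN bus does not check who sent a message: once the researchers’ code was running on a chip wired to the bus, its frames looked the same as the ones the brake or transmission controller sends. As an added illustration (this is not code from the researchers, FCA or WIRED, and the CAN IDs, rates and log lines are invented for the example), here is a small Python check of the kind a defender can run over a recording of the bus. It flags IDs never seen in normal driving, and IDs whose frames arrive far faster than their legitimate controller sends them, which is the usual sign of an injected command competing with the real one.

```python
"""Added example, not from the blog, WIRED or the researchers: a minimal
CAN-bus injection check over a candump-style log. CAN IDs, baseline rates
and log lines are constructed for illustration, not real Jeep values."""
import re
from collections import defaultdict

# candump -l style line: "(1436978401.123456) can0 0A5#0102030405060708"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)

# Hypothetical baseline: frames per second each ID sends in normal driving.
# In practice you would record a clean drive and measure these.
BASELINE_HZ = {0x0A5: 10, 0x1B0: 10, 0x2C3: 5}


def parse_frame(line):
    """Parse one log line into a dict, or None if it is not a CAN frame."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "iface": m.group("iface"),
        "id": int(m.group("id"), 16),
        "data": bytes.fromhex(m.group("data")),
    }


def detect_injection(lines, rate_factor=3.0):
    """Return (reason, can_id) alerts: IDs absent from the baseline, and IDs
    sending more than rate_factor times their baseline rate. CAN carries no
    sender authentication, so an attacker overriding a periodic message has
    to out-send the legitimate controller; that rate spike is what we catch."""
    frames = sorted(
        (f for f in (parse_frame(l) for l in lines) if f), key=lambda f: f["ts"]
    )
    if not frames:
        return []
    span = max(frames[-1]["ts"] - frames[0]["ts"], 1e-6)
    by_id = defaultdict(list)
    for f in frames:
        by_id[f["id"]].append(f)
    alerts = []
    for can_id, fs in sorted(by_id.items()):
        if can_id not in BASELINE_HZ:
            alerts.append(("unknown_id", can_id))
            continue
        if len(fs) / span > rate_factor * BASELINE_HZ[can_id]:
            alerts.append(("rate_spike", can_id))
    return alerts


def sample_log():
    """Constructed one-second capture: 0x0A5 at its normal 10 Hz, 0x1B0
    flooded at 50 Hz by an attacker overriding it, and one never-seen ID."""
    lines = []
    for i in range(10):
        lines.append(f"({1436978401 + i / 10:.6f}) can0 0A5#0000000000000000")
    for i in range(50):
        lines.append(f"({1436978401 + i / 50:.6f}) can0 1B0#FF00000000000000")
    lines.append("(1436978401.500000) can0 7FF#DEADBEEF")
    lines.append("this line is not a frame and is skipped")
    return lines


if __name__ == "__main__":
    for reason, can_id in detect_injection(sample_log()):
        print(f"{reason}: 0x{can_id:03X}")
```

Run it and the flooded 0x1B0 and the unknown 0x7FF are reported while the well-behaved 0x0A5 is not. A rate check like this is cheap, but it only sees symptoms; it cannot tell which ECU put a frame on the bus, which is exactly the gap that let the head unit speak for the brakes.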

What’s next?

The pair will present their findings at the upcoming Black Hat security conference in Vegas, as well as share their code. A key vulnerability will be omitted, but the code to do the dashboard tricks will hit the internet.

Why? They say 2 reasons: for peer review, and it “sends a message: automakers need to be held accountable for their vehicles’ digital security.”

Overall Takeaway

What Charlie said:

“We shut down your engine—a big rig was honking up on you because of something we did on our couch,” Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

Related Blog Links

– I’d like to know if they can access the driver’s contacts. I don’t pair my phone to a car.

– you’ve met this pair of security researchers before: Charlie Miller briefly at Sector, and Chris Valasek for my column and a press piece for Sector 2014

– sign I Am the Cavalry’s petition to the automakers, I did

– about the OBDII port

– there are over 100 computers in your car

– one of which is the black box – an EDR

blog tag = auto security  – newspaper tag = auto security

– I was recently in Utah with Jeep, off-roading a Cherokee, Trailhawk trim. They hacked a fun SUV.