Cybersecurity attacks can be life-changing, but they’re not usually life-threatening.
Of course, most cybersecurity attacks don’t involve your car’s brakes failing at highway speeds.
Six years ago, two white hat hackers made waves when they pulled off a remote hack of a car on the highway, turning on the wipers, blasting the radio, and finally, killing the engine to bring the vehicle to a complete stop.
The two hackers, Charlie Miller and Chris Valasek, had discovered and exploited a replicable security vulnerability. If left unchecked, the vulnerability would allow any would-be attacker to remotely access any one of the 1.4 million affected vehicles and gain physical control, including steering and braking.
The 2015 Jeep hack was the culmination of multiple years of research by the duo, who had first successfully hacked and controlled a 2010 Ford Escape and a 2010 Toyota Prius with a wired connection. Automakers were unconcerned, since hacks requiring physical connections to the car do not present a large threat to drivers.
However, the 2010s saw a rapid increase in automotive connectivity, infotainment, and advanced automation systems like automatic emergency braking and lane-keeping assist. This trend is likely to continue and increase both the size and number of attack surfaces and the amount of control a hacker stands to have over the vehicle. After all, if more functions are performed by a computer, then more functions are susceptible to remote control.
Miller and Valasek purchased a new 2014 Jeep Cherokee since, at the time, it offered this combination of features and was an ideal target for experimentation.
The Remote 2015 Jeep Hack, Simply Put.
There are a number of steps to get from “I want to hack this Jeep” to having complete control of the vehicle. Miller and Valasek detailed the attack chain in the 91-page paper they published covering their research.
1. Identify Target
The hackers established a few ways to identify a target, and the IP address was needed for the hack to work. If an attacker had the VIN and knew the general location of the vehicle, they may be able to sniff it out. The easier (but more random) method involved the Sprint network. All the affected vehicles were connected to the Sprint network, and any Sprint user could potentially have set up scans to get lists of connected vehicles that could be hacked.
The scan functionality could even be automated and incorporated into the payload as a computer worm, but for cars.
“Since a vehicle can scan for other vulnerable vehicles and the exploit doesn’t require any user interaction, it would be possible to write a worm. This worm would scan for vulnerable vehicles, exploit them with their payload which would scan for other vulnerable vehicles, etc. This is really interesting and scary,” states the paper. “Please don’t do this. Please.”
Whether connected by Wi-Fi or by cellular, this is the start of the attack.
2. Exploit the OMAP chip of the head unit.
With a few exceptions, these touchscreen infotainment head units are supplied by various auto parts manufacturers and then given automaker-specific branding. The 2014 Jeep Cherokee used the Fiat Chrysler Automotive UConnect system, manufactured by Harman Kardon.
At their core, these types of units are just specialized touchscreen computers. They execute code to help run the car’s functions and can be told to run code they shouldn’t be if they are exploited.
3. Control the UConnect System
At this point, the attackers have access to the vehicle and can control most or all of the features normally controlled through the UConnect System. They can change the radio station and blast the volume, or use the HVAC to blast the driver with hot or cold air that the driver can’t turn off. The effects of hacking at this level can be scary, distracting, and even somewhat dangerous to unsuspecting drivers – but they pale in comparison to what can be done with physical control of the car.
4. Flash the V850 chip with modified firmware
While the head unit can control many parts of the car, a separate chip is used to interface with the modules that actually control the physical parts of the car like braking and steering. In the 2014 Jeep Cherokee, this chip is a Renesas V850.
Under normal operation, there isn’t a way for an attacker to jump from the head unit to this chip to gain more control. However, Miller and Valasek developed a custom firmware that could be remotely installed by a hacker through the exploits mentioned above.
5. Perform Cyber Physical Action
This is the final, and scariest, level. At this point, the hackers could successfully tell the car to physically act up. They were able to demonstrate steering, braking, turning brakes off, windshield wipers, turning the vehicle off, changing the reading on the speedometer, and more.
In a moving car, these kinds of actions could have been used to seriously injure or kill people.
Miller and Valasek gave a presentation at DEFCON in 2015; the whole thing is viewable on YouTube.
The Aftermath of the 2015 Jeep Hack
Thankfully, Miller and Valasek are white hat hackers who performed this research with the intention of getting security holes filled. They disclosed their findings to Chrysler, the manufacturer of the vehicle, in advance of going public with the information.
After WIRED published an article and video about the vulnerability in 2015, Sprint blocked the port used by the hackers to connect to the vehicles on its cellular network, effectively containing the remote-access vulnerability. On the same day, Fiat Chrysler Automotive announced a recall of 1.4 million affected vehicles so a security update could be installed. At the time, it was the first physical product recall caused by a cybersecurity vulnerability.
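The carrier-side port block described above has a device-side counterpart: auditing which services on a connected unit listen on its cellular-facing address. This is an added example, not code from the original article or from Miller and Valasek's paper; it assumes a Linux-style /proc/net/tcp table on a little-endian unit, and the sample table, the address 10.20.30.40 and all port numbers are constructed.

```python
import ipaddress
import socket
import struct

# Constructed sample in Linux /proc/net/tcp format (not captured from any vehicle).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 281E140A:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 281E140A:C350 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return (ip, port) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is printed as a native-endian 32-bit word;
        # little-endian is an assumption of this example.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ipaddress.ip_address(ip), int(hex_port, 16)))
    return listeners


def exposed_listeners(text, wan_ip, allowed_ports=frozenset()):
    """Listeners reachable through wan_ip that are not on the allowlist."""
    wan = ipaddress.ip_address(wan_ip)
    findings = []
    for ip, port in parse_listeners(text):
        # A wildcard bind (0.0.0.0) is reachable on every interface,
        # including the cellular one; loopback-only binds are not.
        reachable = ip.is_unspecified or ip == wan
        if reachable and port not in allowed_ports:
            findings.append((str(ip), port))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP, "10.20.30.40"):
        print(f"listener exposed on cellular side: {ip}:{port}")
```

Run against the real table on a test bench, an empty result for the cellular address means no service is left for a network-side scan to find, independent of any filtering the carrier applies.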
In 2016, the National Highway Traffic Safety Association (NHTSA) published Cybersecurity Best Practices for Modern Vehicles, a brief 22-page guide offering non-binding guidance on cybersecurity for the auto industry.
The NHTSA’s Response – Moving to Improve Automotive Cybersecurity
As of writing, there is no mandated cybersecurity standard for the automotive industry, and the NHTSA doesn’t pen test new vehicles to assign them a “cybersecurity safety rating” in stars. (Though maybe they should?) However, the NHTSA still has serious influence in this world and this document aims to make that clear.
“Vehicles are cyber-physical systems and cybersecurity vulnerabilities could impact safety of life. Therefore, NHTSA’s authority would be able to cover vehicle cybersecurity, even though it is not covered by an existing Federal Motor Vehicle Safety Standard at this time. Nevertheless, motor vehicle and motor vehicle equipment manufacturers are required by the National Traffic and Motor Vehicle Safety Act, as amended, to ensure that systems are designed free of unreasonable risks to motor vehicle safety, including those that may result due to existence [sic] of potential cybersecurity vulnerabilities.”
Introduction, Cybersecurity Practices for Modern Vehicles
Automakers are required to build safe cars. Cybersecurity flaws in cars don’t just threaten the victim’s wallet – they threaten human life – and the NHTSA can and will enforce the law to protect human life. They have strong legal and moral grounds to enact recalls on vehicles with cybersecurity flaws when those flaws are a safety concern.
This document also makes it clear that the NHTSA is taking cybersecurity in the automotive industry seriously. It is chock-full of excellent cybersecurity advice, it recommends development with a cybersecurity focus, and if followed would generally reduce the cybersecurity risk of automakers themselves. Some highlights include:
5.1 Layered Approach
A layered approach to vehicle cybersecurity reduces the probability of an attack’s success and mitigates the ramifications of a potential unauthorized access. …
This approach should:
Be built upon risk-based prioritized identification and protection of safety-critical vehicle control systems and personally identifiable information
Provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field
Design-in methods and measures to facilitate rapid recovery from incidents when they occur
Institutionalize methods for accelerated adoption of lessons learned across the industry through effective information sharing, such as through participation in the Auto ISAC.
This approach is mapped to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework of incident response with five key stages: “Identify, Protect, Detect, Respond, Recover.” This sort of structure is extremely useful for creating cybersecurity incident response plans.
6.1 Vehicle Development Process With Explicit Cybersecurity Considerations
Companies should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks. This process should give explicit considerations to privacy and cybersecurity risks through the entire life-cycle of the vehicle. The life-cycle of a vehicle includes conception, design, manufacture, sale, use, maintenance, resale, and decommissioning. Safety of vehicle occupants and other road users should be of primary consideration when assessing risks.
The number one point the NHTSA makes about vehicle-specific cybersecurity is to integrate risk assessments into product development. Risk assessments are an integral part of any cybersecurity plan and they ought to be a part of the development of every connected product, app, or service on the market. Without an understanding of the risks, it’s hard to make informed decisions about cybersecurity.
6.2 Leadership Priority on Product Cybersecurity
It is essential for the automotive industry to create corporate priorities and foster a culture that is prepared and able to handle increasing cybersecurity challenges. …
Allocating dedicated resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities
Facilitating seamless and direct communication channels through organizational ranks related to product cybersecurity matters
Enabling an independent voice for vehicle cybersecurity related considerations within the vehicle safety design process.
Engaged leadership is the single most important element of a successful cybersecurity program so it is excellent to see this emphasized by the NHTSA. An emphasis on cybersecurity from leaders at the organization reinforces its importance for all employees.
This approach has been successfully implemented at Tesla, whose very-online cars pose a greater cybersecurity risk. Elon Musk takes cybersecurity seriously: the company offers bug rewards and has run promotions like “Pwn2Own” to incentivize white hat hackers to find bugs before the bad guys do. It really works.
What’s next for Automotive Cybersecurity?
The remote 2015 Jeep hack may have been the highest-profile car hacking to date, but the field hasn’t slowed down. Cars are constantly becoming more complex and more connected – increasing the cybersecurity risk. Even as companies take care to protect their cars, it is very possible another remotely accessible exploit will be found.
Additionally, it’s likely that our vehicles will begin to collect GPS data about where and how we travel. Smart technology could allow users to link payment cards to their vehicles to purchase fuel or food. This is already the only way to pay for Tesla’s Superchargers. When this happens, our cars will become another attack surface for the more mundane cybersecurity threats of stolen credit cards and other personal data.
Automotive cybersecurity is a rapidly developing field, and it’s one that we should all have our eyes on.
It’s crucial for automakers and organizations to prioritize the protection of vehicles and connected systems. Implementing a comprehensive cybersecurity strategy, including regular cybersecurity risk assessments and compliance with industry standards such as SOC 2 and ISO 27001 certifications, can significantly enhance the security posture of automotive systems.