So, where, exactly, did hackers find a crack in the firewall of a 2014 Jeep Cherokee? How did they infiltrate it and who’s at fault for failing to foresee the breach?
The failure apparently occurred in not one, but multiple places in the connected car’s system architecture. Blame, according to multiple automotive industry analysts, could also extend to parties beyond Fiat Chrysler Automobiles (FCA). They include Sprint — a system integrator — with whom Chrysler contracted for secure vehicle network access via the telematics control unit, and Harman Kardon, who designed an in-vehicle infotainment system.
Since two hackers revealed a week ago their handiwork of wirelessly hacking into a 2014 Jeep Cherokee, first reported by Wired, the issue of cyber security in vehicles has come into sharp focus. Until this incident, the conventional wisdom among engineers was that it’s “not possible” to hack into a car without a physical access.
The revelation by the hacker team, Charlie Miller and Chris Valasek, set in motion a sweeping recall, on July 24th, of 1.4 million vehicles by Fiat Chrysler. U.S. Senators Ed Markey and Richard Blumenthal also introduced last week legislation to require U.S.-sold cars to meet certain standards of protection against digital attacks.
However, Roger Lanctot, associate director, global automotive practice at Strategy Analytics, is the first analyst to publicly implicate Sprint. He wrote in his latest blog:
FCA’s Chrysler division is taking the fall for Sprint’s failure to properly secure its network and the Jeep in question – which was subjected to some comical and terrifying remote control in real-time on the highway thanks to an IP address vulnerability.
Breakdown of security vulnerability
Asked to break down the security vulnerability of the hacked car, Lanctot said: “Step one is control of braking, acceleration and steering accessible on the vehicle CAN bus.
“Step two is remote wireless connectivity to the car via cellular.
“Step three is providing for remote access to the CAN bus via the telematics control unit interface. Clearly, the FCA systems were configured in such a way as to allow for CAN bus access via the telematics control unit.”
Lanctot added, “There is nothing wrong with that as long as you provide for appropriate security.”
Lanctot, however, pointed out, “It appears that the IP address was too easily identified” by the system used by Jeep Cherokee and “the telematics control unit lacked basic software upgrading capability.”
Lanctot isn’t alone in fingering the IP address issue. Egil Juliussen, director research & principal analyst at IHS Automotive Technology, also told us that the hackers appear to have found “a simple way to get the IP address of a car.” Juliussen explained that once the hackers located the car, they sent code to the infotainment system — built by Harman Kardon –via the ill-gotten IP address.
Juliussen theorized that the hackers then wrote additional code and sent it via CAN bus to the core auto ECU networks to disable mission-critical functions such as engine and brakes.
What about isolation?
Wait. Isn’t the infotainment system supposed to be isolated from mission-critical functions? The “strong isolation” of the two systems is a mantra we hear often when we ask automakers about security in connected cars.
Thr trouble is that a vehicle’s on-board diagnostics (OBD)-II is connected not just to core ECU networks but also to the infotainment system, explained Juliussen, so that automakers can monitor the infotainment equipment. “Chances are that there are CAN bus bridges between the two separate systems.”
Juliussen made it clear that the hacking Miller and Valasek pulled off in the Jeep Cherokee is not exactly child’s play.
Nonetheless, it’s clear that there have been flaws in network security traceable to Sprint, and in the way Harman Kardon’s infotainment system was set up in a vehicle Chrysler’s engineers designed, according to Juliussen.
Juliussen previously told EE Times, “Cyber-security is one of the biggest problems the auto industry faces” and warned that “we’re kind of late [on that].” He sees a silver lining. Now every carmaker building connected cars is going back and reviewing all its connected security.
Each party – from Chrysler to Harman Kardon and Sprint – must have checked that each system they were responsible for designing was functioning correctly. That’s a given. But in order to check the system’s security, designers are now being asked to “break something,” explained Juliussen, to see if any out-of-spec operations (outside of normal arrangement of operations) can be exploited by hackers.
Juliussen said that when the Jeep Cherokee was developed four years ago, cyber security wasn’t nearly the industry’s top priority. It took many years “for the PC industry learn the security issues, the smartphone vendors are learning it now. And it’s time for automakers to catch up.”
Lanctot also noted, “This is early days, so maybe the lack of an intrusion detection system can be forgiven.” But he stressed that the basic elements of security are to “have a dynamically changing IP address along with some kind of firewall,” in addition to “intrusion detection on the vehicle network.”
In his view, Sprint not only failed to dynamically change IP, but also offered no ability to update/upgrade the telematics control unit for bug fixes, content updates, or to update network connectivity firmware.
Indeed, although FCA made software updates for the infotainment system, in response to the hackers’ ravages, the patch is not easily implemented. Car owners will have to perform a manual update via a USB stick or visit to a dealer’s service center.
Just two years ago, when Sprint announced its Velocity system as “a New and Existing Telematics and In-Vehicle Communications Systems,” the company wrote on its website
“With years of mobile customer experience and telecommunications knowledge, Sprint is a solutions provider you can depend on to address today’s technology and prepare your business for tomorrow’s innovation.”
[Charlie Miller] and [Chris Valasek] Have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates which were rolled out in response to their Hacking of a Cherokee in 2015.
FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with the 2015 hack, issuing them all a patch. However the patch wasn’t all that great it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interesting in hacking or even just messing around with cars via the CAN bus.
We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.
General Motors hired two security researchers that hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016.
General Motors hired two security researchers that hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016. Previously, Valasek worked on Uber’s self-driving cars and Miller was a security researcher at Chinese ride-sharing firm Didi Chuxing. The hires were confirmed by Cruise’s chief executive Kyle Vogt on Twitter last week
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
5 Comments
Tomi Engdahl says:
Hacked Jeep: Whom to Blame?
http://www.eetimes.com/document.asp?doc_id=1327266&
So, where, exactly, did hackers find a crack in the firewall of a 2014 Jeep Cherokee? How did they infiltrate it and who’s at fault for failing to foresee the breach?
The failure apparently occurred in not one, but multiple places in the connected car’s system architecture. Blame, according to multiple automotive industry analysts, could also extend to parties beyond Fiat Chrysler Automobiles (FCA). They include Sprint — a system integrator — with whom Chrysler contracted for secure vehicle network access via the telematics control unit, and Harman Kardon, who designed an in-vehicle infotainment system.
Since two hackers revealed a week ago their handiwork of wirelessly hacking into a 2014 Jeep Cherokee, first reported by Wired, the issue of cyber security in vehicles has come into sharp focus. Until this incident, the conventional wisdom among engineers was that it’s “not possible” to hack into a car without a physical access.
The revelation by the hacker team, Charlie Miller and Chris Valasek, set in motion a sweeping recall, on July 24th, of 1.4 million vehicles by Fiat Chrysler. U.S. Senators Ed Markey and Richard Blumenthal also introduced last week legislation to require U.S.-sold cars to meet certain standards of protection against digital attacks.
However, Roger Lanctot, associate director, global automotive practice at Strategy Analytics, is the first analyst to publicly implicate Sprint. He wrote in his latest blog:
FCA’s Chrysler division is taking the fall for Sprint’s failure to properly secure its network and the Jeep in question – which was subjected to some comical and terrifying remote control in real-time on the highway thanks to an IP address vulnerability.
Breakdown of security vulnerability
Asked to break down the security vulnerability of the hacked car, Lanctot said: “Step one is control of braking, acceleration and steering accessible on the vehicle CAN bus.
“Step two is remote wireless connectivity to the car via cellular.
“Step three is providing for remote access to the CAN bus via the telematics control unit interface. Clearly, the FCA systems were configured in such a way as to allow for CAN bus access via the telematics control unit.”
Lanctot added, “There is nothing wrong with that as long as you provide for appropriate security.”
Lanctot, however, pointed out, “It appears that the IP address was too easily identified” by the system used by Jeep Cherokee and “the telematics control unit lacked basic software upgrading capability.”
Lanctot isn’t alone in fingering the IP address issue. Egil Juliussen, director research & principal analyst at IHS Automotive Technology, also told us that the hackers appear to have found “a simple way to get the IP address of a car.” Juliussen explained that once the hackers located the car, they sent code to the infotainment system — built by Harman Kardon –via the ill-gotten IP address.
Juliussen theorized that the hackers then wrote additional code and sent it via CAN bus to the core auto ECU networks to disable mission-critical functions such as engine and brakes.
What about isolation?
Wait. Isn’t the infotainment system supposed to be isolated from mission-critical functions? The “strong isolation” of the two systems is a mantra we hear often when we ask automakers about security in connected cars.
Thr trouble is that a vehicle’s on-board diagnostics (OBD)-II is connected not just to core ECU networks but also to the infotainment system, explained Juliussen, so that automakers can monitor the infotainment equipment. “Chances are that there are CAN bus bridges between the two separate systems.”
Juliussen made it clear that the hacking Miller and Valasek pulled off in the Jeep Cherokee is not exactly child’s play.
Nonetheless, it’s clear that there have been flaws in network security traceable to Sprint, and in the way Harman Kardon’s infotainment system was set up in a vehicle Chrysler’s engineers designed, according to Juliussen.
Juliussen previously told EE Times, “Cyber-security is one of the biggest problems the auto industry faces” and warned that “we’re kind of late [on that].” He sees a silver lining. Now every carmaker building connected cars is going back and reviewing all its connected security.
Each party – from Chrysler to Harman Kardon and Sprint – must have checked that each system they were responsible for designing was functioning correctly. That’s a given. But in order to check the system’s security, designers are now being asked to “break something,” explained Juliussen, to see if any out-of-spec operations (outside of normal arrangement of operations) can be exploited by hackers.
Juliussen said that when the Jeep Cherokee was developed four years ago, cyber security wasn’t nearly the industry’s top priority. It took many years “for the PC industry learn the security issues, the smartphone vendors are learning it now. And it’s time for automakers to catch up.”
Lanctot also noted, “This is early days, so maybe the lack of an intrusion detection system can be forgiven.” But he stressed that the basic elements of security are to “have a dynamically changing IP address along with some kind of firewall,” in addition to “intrusion detection on the vehicle network.”
In his view, Sprint not only failed to dynamically change IP, but also offered no ability to update/upgrade the telematics control unit for bug fixes, content updates, or to update network connectivity firmware.
Indeed, although FCA made software updates for the infotainment system, in response to the hackers’ ravages, the patch is not easily implemented. Car owners will have to perform a manual update via a USB stick or visit to a dealer’s service center.
Just two years ago, when Sprint announced its Velocity system as “a New and Existing Telematics and In-Vehicle Communications Systems,” the company wrote on its website
“With years of mobile customer experience and telecommunications knowledge, Sprint is a solutions provider you can depend on to address today’s technology and prepare your business for tomorrow’s innovation.”
Tomi Engdahl says:
The Story Behind Hacking the Jeep
http://www.designnews.com/author.asp?section_id=1386&doc_id=281960&cid=nl.x.dn14.edt.aud.dn.20161031.tst004c
Tomi Engdahl says:
Car Security Experts Dump All Their Research and Vulnerabilities Online
http://hackaday.com/2017/05/14/car-security-experts-dump-all-their-research-and-vulnerabilities-online/
[Charlie Miller] and [Chris Valasek] Have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates which were rolled out in response to their Hacking of a Cherokee in 2015.
FCA, the Corp that owns Jeep had to recall 1.5 million Cherokee’s to deal with the 2015 hack, issuing them all a patch. However the patch wasn’t all that great it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place once exploited. The papers they have released are a goldmine for anyone interesting in hacking or even just messing around with cars via the CAN bus.
We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.
http://illmatics.com/carhacking.html
Tomi Engdahl says:
General Motors Hires Security Team That Remotely Hacked Jeep
http://www.electronicdesign.com/automotive/general-motors-hires-security-team-remotely-hacked-jeep?PK=UM_Classics04218&utm_rid=CPG05000002750211&utm_campaign=16685&utm_medium=email&elq2=00beb49dcfe040ebb4f541d2bea6e19a
General Motors hired two security researchers that hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016.
Tomi Engdahl says:
General Motors Hires Security Team That Remotely Hacked Jeep
https://www.electronicdesign.com/automotive/general-motors-hires-security-team-remotely-hacked-jeep?PK=UM_Classics03219&utm_rid=CPG05000002750211&utm_campaign=24231&utm_medium=email&elq2=ea6ac3ba06a44686a21ef5af7c73516a
General Motors hired two security researchers that hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016. Previously, Valasek worked on Uber’s self-driving cars and Miller was a security researcher at Chinese ride-sharing firm Didi Chuxing. The hires were confirmed by Cruise’s chief executive Kyle Vogt on Twitter last week