Charlie Miller and Chris Valasek originally hacked a Jeep Cherokee in 2015, physically controlling it – and a nervous journalist occupying it – on the highway. FCA, the company that makes the Cherokee, recalled 1.4m of them and issued a patch. In response, the pair hacked that one, too, and gained more control, rather than less. Earlier this year, they put all their notes online, which most of us missed until Valasek tweeted it.
Anyone who wants to drop 1MM+ USD for car hacking research should save their money and hit up: https://t.co/9ChVoJ4DZH.
— Chris Valasek (@nudehaberdasher) April 23, 2017
The whole thing represents a change of tune for Charlie Miller, who in 2009 launched a campaign called No More Free Bugs. “I never give up free bugs,” he said at the time. “Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”
Back then, he was talking about specific zero-day vulnerabilities along with proof of concept code, which have a high market value for criminals and national security operatives alike. The material that the duo released isn’t a ShadowBroker-style treasure chest of zero-days so much as a collection of research notes. These are still highly useful, though, and offer a detailed account of how they hacked the Jeep, among other vehicles. There is also a zip file containing some useful tools, including their Python-based hacking files.
Can we hack it? Yes we CAN
Of note in the research are the complete notes on the architecture of network packets on the Controller Area Network (CAN). This is the car’s internal communication system, which carries information between the various electronic control units (ECUs) in a vehicle to its central controller. ECUs handle things like adaptive cruise control, electronic brakes, parking assist and control of the steering column, so if you can interfere with these systems, you can at the very least monitor what the car is doing, if not control it.
A document in the collection highlighting their original research details what is in those packets, along with the ISO-TP standard for sending them along its messaging bus. The document investigates diagnostic packets and service IDs that hackers can use to understand and interfere with data sent around the vehicle. This is in effect CAN 101, and a good high-to low-level introduction to the topic.
Then, the document shows how to use this information to interfere with two vehicles. This information is quite old, though, focusing on a 2010 Ford Escape and the 2010 Toyota Prius. Of more recent interest is a document on CAN message injection from last June which again goes into the basics of the CAN bus, this time including information about the 2014 Jeep Cherokee hack.
Inside the 2014 Jeep Cherokee
The document reveals some interesting facts about that vehicle, including the ability to control its speed. ECUs don’t just send one message when they want to do something; they send messages at regular intervals to update their status. If an attacker injects a fake message on to the CAN bus, and it conflicts with one of these other messages, many cars will choose which one to ignore and will disable non-critical systems such as the locks or speedometer until everything settles down.
The Jeep did this on every non-critical ECU apart from the adaptive cruise control. The pair could control the speed of the Jeep by repeatedly sending fake messages from that ECU (although the driver could stab the speed increase and decrease buttons themselves to correct the speed, of course).
What about the steering? The pair wanted to fake control messages from the Parking Assist Module (PAM) to the Power Steering Control Module (PSCM) to make it turn the wheel. The problem was that the PSCM only accepts those messages when travelling at the very low speeds you’d expect when trying to back gingerly into a postage stamp-sized London parking spot.
They solved that problem with a trick that makes the car ignore messages from its own ECUs. The hack fakes messages from them that fails a woefully inadequate internal verification test. This trick enables the duo to send fake messages that put the PAM into a diagnostic mode. From there, they were able to put it into a bootrom mode and effectively kill it, so that it wouldn’t send any messages at all.
Then, they sent fake speed messages to the PSCM to convince it that the vehicle was travelling below 7mph, even while barrelling down the motorway. All that then remained was to send fake messages from the PAM to the PSCM asking it to turn the steering wheel – at any speed you like. “This is a frightening and dangerous attack,” they pointed out, helpfully.
They were able to do other things using the same trick, such as replacing messages from the electronic parking brake on the jeep with their own, at high speeds. It’s also worth pointing out that forcing an ECU into bootrom mode can effectively brick it, turning your shiny new vehicle into a very large, oily paperweight. A bootrommed parking brake stays parked, for example.
Other automotive hacking tools
The pair aren’t the first to give their automotive hackery to the world. There are several open source software tools and hardware designs that support car hacking. Eric Evenchick has released his own open source automotive toolset called CANtact, while Travis Goodspeed released the GoodThopter, an open-source board with a built-in CAN interface, and EVTV has the open source EVTV Due CAN sniffer.
Caring Caribou is another open-source tool for sniffing information from the CAN bus, as is the CAN of Fingers CAN fingerprinting tool. Octane can both sniff and inject CAN packets, and UDSim even comes with a graphical user interface.
All this research, combined with the tools, can’t be making car vendors feel very happy. When Miller and Valasek promised to publish their tools online, the Jeep’s manufacturer Fiat Chrysler Automobiles (FCA) spun its wheels, saying:
Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.
The information is out there now, though, and carmakers are going to have to get far better at securing their vehicles. This illustrates the importance of security by design. It’s far easier to put military-grade security on a vehicle when it’s still in the lab than it is to recall more than a million of them for a post-release patch.
What’s interesting is that it took ridesharing firm Uber to hire the dynamic hacking duo after all this blew up. We would have thought that an FCA, Ford or Chevy would have snapped them up immediately, given how much the manufacturers have to lose through poor vehicle security.
Ivy Iverson
I question the wisdom of making this information public, except to let people know that it CAN be done, not to encourage copycats, but to let people know that it’s possible, and that there may be / have been incidents where vehicles have been hacked, caused accidents, possibly involving deaths.
Jim
Did FCA refuse to pay (in 2009 and later)? These guys used to be white-hatters, only fee-based. What changed?
Jim
Also, why aren’t the wireless devices using encrypted traffic? Or, does access to the ECU mean you also have access to the encryption keys?
James
My 2015 Cherokee was hacked 4 weeks ago through a phone call I recieved. Kicked the car out of drive and started shifting gears at random. I was on interstate 5 doing 60 when this happened