Hacking Late-Model Vehicles

The dangers hackers pose to modern car owners
Presented by Terry Mixon

Overview
During this presentation, we'll go over a number of cases involving the
hacking of late-model vehicles. We'll then go over each incident with an
eye towards seeing how these attacks fit into what we've already
learned.
These cases cover a wide variety of attack methodologies and varying
degrees of penetration into the vehicles. By no means do these
represent all of the types of attacks happening today. This is only a
sampling of what has occurred in the last several years.
Once we review each case, we'll discuss the hack in more detail. There
are a few short videos, if we have time to view them.

Case One: Mystery Device that Unlocks Vehicles
There has been a growing number of incidents where thieves
use a handheld device to gain entry to late-model vehicles via
the keyless entry system. There's no indication that they can
use these devices to start the vehicle. Yet.
These devices use electronic scanner boxes to mimic the key
fob and unlock the door. This works by amplifying the fob's
signal and making it seem to be only a few feet away from the
car. So, the door unlocks when the thief pulls on the door handle.
(video) http://abc7news.com/news/7oys-investigates-high-tech-car-burglaries/54042/

Case One: Mystery Device that Unlocks Vehicles
How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Two: Unlocking Your Car With RollJam
Samy Kamkar, a hacker with an interest in automotive
security, created this device to highlight an ongoing security
issue in modern vehicles. He says the device can be built for
about $32.
He says this vulnerability has been around for quite some
time and could be easily remedied if the manufacturers
incorporated a change in how the codes used to open the
doors and deactivate the alarm work. We'll address that fix
when we discuss possible solutions to the hack in question.

Case Two: Unlocking Your Car With RollJam
Car security systems rely on the use of a rolling sequence
of codes in which the fob changes codes with every use.
When one is used, it is no longer valid. Any previous codes
that were, for any reason, not received are also invalidated.
RollJam is planted on or very near a vehicle where it waits
for a signal on the frequencies used. When one is detected,
it records the code and quickly jams the receivers on the
vehicle. To the driver, nothing happens when the fob is
used, but the device has recorded a valid code.

Case Two: Unlocking Your Car With RollJam
The irked driver then presses the button again. RollJam collects
the second code in exactly the same manner that it did the first
time. Only now, it sends the first code with a stronger transmitter
than the fob, bypassing the jamming. The car unlocks and the
driver is happy.
RollJam has that second code, however. Once the device is
retrieved, it can send that perfectly valid code to unlock the
vehicle. It continues to jam and record as long as it is in place,
keeping a rolling list of codes as needed and providing the most
recent to the thief upon demand. Its battery is good for a day or
so of use.

Case Two: Unlocking Your Car With RollJam
How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Two: Unlocking Your Car With RollJam
The fix that Kamkar recommends is to have the codes
expire in much the same way that RSA's SecurID does.
Codes increment over a period of seconds (in RSA's case,
60 seconds). With the vehicle on the same rotation, that
would keep thieves at bay by rendering their codes
invalid.
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
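Modelled here, as an added example (not part of the presentation and not Kamkar's RollJam code), is the receiver-side logic that the proposed fix changes: a counter-only rolling code, where a captured-but-undelivered code stays valid indefinitely, beside a time-slotted variant in the spirit of the SecurID-style expiry the slide describes. The shared key, the HMAC-SHA256 construction standing in for a real rolling-code cipher, the 16-code look-ahead window and the one-slot clock tolerance are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// A fob code: the rolling counter, the time slot it was produced in
// (always 0 in the counter-only scheme) and a truncated MAC over both.
// HMAC-SHA256 stands in for the keyed rolling-code cipher a real fob uses;
// the construction is simplified for illustration (assumption).
type Code struct {
	Counter uint32
	Slot    uint32
	Tag     [8]byte
}

func makeTag(key []byte, counter, slot uint32) [8]byte {
	mac := hmac.New(sha256.New, key)
	var buf [8]byte
	binary.BigEndian.PutUint32(buf[:4], counter)
	binary.BigEndian.PutUint32(buf[4:], slot)
	mac.Write(buf[:])
	var tag [8]byte
	copy(tag[:], mac.Sum(nil))
	return tag
}

// Fob increments its counter on every press. With slotSec > 0 it also
// stamps the code with the current time slot (this assumes the fob has a clock).
type Fob struct {
	key     []byte
	counter uint32
}

func (f *Fob) Press(now, slotSec int64) Code {
	f.counter++
	var slot uint32
	if slotSec > 0 {
		slot = uint32(now / slotSec)
	}
	return Code{f.counter, slot, makeTag(f.key, f.counter, slot)}
}

// Receiver accepts a code only if its counter is ahead of the last one seen
// (so used and skipped codes are dead), within a look-ahead window for missed
// presses, and, in the time-slotted scheme, produced within maxSlotSkew slots.
type Receiver struct {
	key         []byte
	lastCounter uint32
	window      uint32
	slotSec     int64
	maxSlotSkew uint32
}

func (r *Receiver) Accept(c Code, now int64) bool {
	if c.Counter <= r.lastCounter || c.Counter-r.lastCounter > r.window {
		return false
	}
	if r.slotSec > 0 {
		cur := uint32(now / r.slotSec)
		if c.Slot > cur || cur-c.Slot > r.maxSlotSkew {
			return false
		}
	}
	want := makeTag(r.key, c.Counter, c.Slot)
	if !hmac.Equal(c.Tag[:], want[:]) {
		return false
	}
	r.lastCounter = c.Counter
	return true
}

// JamAndReplay models the sequence from the slides: two presses are
// captured while the receiver hears nothing, the first is forwarded at once,
// and the second is presented an hour later. It returns whether that held
// code is still accepted. slotSec = 0 is the counter-only scheme; 60 gives
// codes a one-minute lifetime (plus one slot of clock tolerance).
func JamAndReplay(slotSec int64) bool {
	key := []byte("constructed-shared-key") // constructed for the example
	fob := &Fob{key: key}
	car := &Receiver{key: key, window: 16, slotSec: slotSec, maxSlotSkew: 1}

	first := fob.Press(0, slotSec)  // jammed and recorded
	second := fob.Press(5, slotSec) // jammed and recorded
	if !car.Accept(first, 5) {      // first code forwarded immediately: unlocks
		panic("first code should be accepted")
	}
	return car.Accept(second, 3600) // held code presented an hour later
}

func main() {
	fmt.Println("counter-only scheme accepts the held code:", JamAndReplay(0))  // true
	fmt.Println("time-slotted scheme accepts the held code:", JamAndReplay(60)) // false
}
```

The caveat a practitioner will notice: the fob needs a clock the receiver can trust (a real SecurID token carries one), and the time window only bounds how long a held code stays usable rather than removing the exposure; the slot length is therefore a trade-off between clock-drift tolerance and how long a captured code remains live.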

Case Three: Take Possession With OwnStar
Once again, we find the fiendishly clever Samy Kamkar has found
a way to bypass the security of your vehicle. This time, he's using
OnStar as a gateway to seizing control through iOS apps.
Specifically, BMW's Remote, Mercedes-Benz mbrace, Chrysler
Uconnect, and the alarm system Viper's SmartStart. All at the low,
low price of about $100.
Kamkar says, "If you're using any of these four apps, I can
automatically get all of your log-in information and then
indefinitely authenticate as you. These apps give me different
levels of control of your car. But they all give me some amount of
control."

Case Three: Take Possession With OwnStar
When an OwnStar device is planted on or near a vehicle,
it waits for a phone with one of these apps to come into
range and impersonates a familiar Wi-Fi network to trick it into
connecting. If the user launches one of the iOS apps,
OwnStar exploits the vulnerability and sends the
credentials to the hacker over a 2G cellular connection.
The RemoteLink app is installed on at least a million
Android devices, according to the count in the Google
Play store.

Case Three: Take Possession With OwnStar
According to the Wired article, "With the user's
RemoteLink login credentials, Kamkar says a hacker
could patiently track a car, retrieve his or her hacking
device, and unlock the car's doors to steal anything
inside. From across the Internet, they can start the
vehicle's ignition, or use its horn and alarm to create
mayhem. The hacker can also access the user's name,
email, home address, and last four digits of a credit card
and expiration date, all of which are accessible through
an OnStar account."

Case Three: Take Possession With OwnStar
Kamkar says, "Although the app does use SSL encryption, it
doesn't properly check the certificate that ensures the user's
phone is communicating only with the OnStar server."
GM has said they've updated their servers and app to fix this
specific issue. According to Kamkar, Mercedes-Benz and BMW
vehicles are also vulnerable. BMW received the details in April of
2015. As of August, their vehicles are still vulnerable.
(video) http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/
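The defect Kamkar describes is a TLS client that encrypts but never checks who it is talking to. As an added example, not code from the presentation or from any of the affected apps, here is that weak configuration beside the corrected one using Go's standard library, plus public-key pinning so that even a mis-issued but trusted certificate is rejected. The host name, the constructed certificate bytes and the pin value are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// InsecureClientConfig disables chain and hostname validation. Any certificate
// is accepted, so a rogue hotspot in the path can present its own and read the
// login traffic. This is the shape of the defect the slide describes.
func InsecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// SecureClientConfig keeps the defaults: the chain must lead to a trusted root
// (RootCAs nil means the system store) and the certificate must match ServerName.
func SecureClientConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
	}
}

// PinnedClientConfig adds public-key pinning on top of normal validation:
// VerifyConnection only runs after the chain has been verified, and here it
// also requires the leaf's SubjectPublicKeyInfo hash to equal the expected pin.
func PinnedClientConfig(host, spkiPinHex string) *tls.Config {
	cfg := SecureClientConfig(host)
	cfg.VerifyConnection = func(cs tls.ConnectionState) error {
		if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
			return errors.New("no verified certificate chain")
		}
		return CheckPin(cs.VerifiedChains[0][0], spkiPinHex)
	}
	return cfg
}

// SPKIFingerprint returns the hex SHA-256 of the certificate's public key info,
// the value an app would ship as its pin.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckPin compares in constant time so the result does not leak timing.
func CheckPin(cert *x509.Certificate, wantHex string) error {
	got := SPKIFingerprint(cert)
	if subtle.ConstantTimeCompare([]byte(got), []byte(wantHex)) != 1 {
		return errors.New("certificate pin mismatch")
	}
	return nil
}

func main() {
	// Constructed stand-in certificate: only the public-key bytes matter here.
	leaf := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("constructed-spki-bytes")}
	pin := SPKIFingerprint(leaf)
	other := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("other-key")}
	fmt.Println("pin matches:", CheckPin(leaf, pin) == nil)           // true
	fmt.Println("different key rejected:", CheckPin(other, pin) != nil) // true
	fmt.Println("insecure config skips verification:", InsecureClientConfig().InsecureSkipVerify)
}
```

Pinning is the stronger control but it is also the one that breaks things: the pinned key must be rotated in the app before the server's certificate changes, so a backup pin is normally shipped alongside the active one.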

Case Three: Take Possession With OwnStar
How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Four: Volkswagen Sues To Bury Research
In 2013, Volkswagen sued three researchers to stop them
from revealing a flaw in the RFID Megamos Crypto
transponder used in Volkswagen-owned luxury brands
including Audi, Porsche, Bentley and Lamborghini, as well as
in Fiat, Honda, Volvo and some Maserati models.
Although the code has been freely available since 2009, the
UK High Court imposed an injunction that prevented the
researchers, their institutions, and anyone else who might
help them from publishing the research.

Case Four: Volkswagen Sues To Bury Research
The judge said, "I recognize the high value of academic free speech,
but there is another high value, the security of millions of Volkswagen
cars."
Two years later, with the problem still unfixed and after continuous
negotiation with Volkswagen, the researchers were able to publish their
findings after redacting one sentence. One sentence.
In the same period of time, over 6,000 vehicles were stolen in London
without the owners' keys. That's 42% of all vehicle thefts. While the
article doesn't claim these are all from the same keyless system, this
does make clear how at risk vehicles are to this kind of attack.

Case Four: Volkswagen Sues To Bury Research
This system is meant to prevent an engine from starting without the
transponder being close to the vehicle. The researchers were able to start
a keyless car in half an hour after they accessed the 96-bit secret key.
They found that the chips used outdated encryption and that after
listening twice, they were able to make a copy of the chip and key.
Researcher Flavio Garcia said, "You would expect that expensive cars used
the better alternative. It's a bit like if your password was 'password'."
http://www.computerworld.com/article/2971826/cybercrime-hacking/hack-to-steal-cars-with-keyless-ignition-volkswagen-spent-2-years-hiding-flaw.html

Case Four: Volkswagen Sues To Bury Research
How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Five: Tesla Does It Right


To show that some automakers take security vulnerabilities
seriously, it's time to look at Tesla. They recently announced
that a group of security researchers were able to control
some aspects of a Tesla Model S sedan. They concurrently
announced that they'd already patched the vulnerability.
In this case, the researchers gained physical access to the
vehicle and used an Ethernet port. They were then able to
remotely change the speedometer display to the wrong
speed and control the windows and locks.

Case Five: Tesla Does It Right


They were also able to turn the car on or off at low speed from
inside the vehicle. At 5 mph, they turned the vehicle off. The screens
went black and the hand brake activated, jerking them to a halt.
Tesla has been proactive in these kinds of situations, sending
updates to their vehicles in a timely manner using an over-the-air
mechanism that doesn't require any effort from owners. They also
offer a $10,000 reward for any reported security flaws, partnering
with ethical hackers to make their vehicle security more robust.
http://resources.infosecinstitute.com/the-nightmare-of-car-hacking/

Case Five: Tesla Does It Right


How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Six: Dongle Hacking


The next case deals with devices plugged into vehicles to
monitor their behavior for insurance companies.
Research suggests that these Internet-enabled gadgets
are insecure.
These 2-inch-square gadgets are used by insurance
companies and trucking companies to monitor a vehicle's
location, speed, and efficiency. They're plugged right into
a vehicle's dashboard.

Case Six: Dongle Hacking


Researchers at the University of California at San Diego
revealed that they could wirelessly access thousands of
these devices, and the vehicles they are attached to.
By sending carefully designed SMS messages to these
dongles, they were able to control a Corvette's wipers
and brakes, and to disable them as well. They did so by
getting the dongle to pass the commands on to the
vehicle's CAN bus, the internal network that controls the
vehicle's physical driving components.

Case Six: Dongle Hacking


Stefan Savage, the University of California at San Diego computer
security professor who led the project, said, "We acquired some of
these things, reverse engineered them, and along the way found
that they had a whole bunch of security deficiencies." The result,
he says, is that the dongles provide multiple ways to remotely
control just about anything on the vehicle they were connected
to.
They notified the manufacturer about the defect and were told
that the latest version of the dongle was not vulnerable to that
kind of attack. The researchers were still able to locate thousands
of vehicles with vulnerable dongles, mostly in Spain.

Case Six: Dongle Hacking


While that exploit mostly affects vehicles outside the US,
Progressive insurance uses a similar dongle called the
Snapshot. Some two million of these devices are in use.
Corey Thuen has extracted the firmware of the dongle and
had the following to say: "The firmware running on the dongle
is minimal and insecure. It does no validation or signing of
firmware updates, no secure boot, no cellular authentication,
no secure communications or encryption, no data execution
prevention or attack mitigation technologies; basically it
uses no security technologies whatsoever."

Case Six: Dongle Hacking


He declined to weaponize his findings and said this: "Controlling it
wasn't the focus, finding out if it was possible was the focus."
For a remote attack to be successful, the u-blox modem which handles
communication between Progressive's servers and the dongle would also
need to be compromised. Other researchers have been able to do this.
In closing, Thuen added, "A skilled attacker could almost certainly
compromise such dongles to gain remote control of a vehicle, or even
an entire fleet of vehicles. Once compromised, the consequences
range from privacy data loss to life and limb."
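Thuen's list opens with "no validation or signing of firmware updates". As an added example, not code from the presentation or from any dongle vendor, this is the check that was missing: a signed update package verified with a public key held on the device, plus an anti-rollback check. The package layout, the magic string and the sample images are constructed for the example; Ed25519 from Go's standard library is the signature scheme, and because the device holds only the public key, extracting its firmware (as Thuen did) yields nothing that lets anyone sign a replacement image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout for this example (not any vendor's real format):
//   "FWUP" | uint32 version | uint32 image length | image | 64-byte Ed25519 signature
// The signature covers every byte before it.
const magic = "FWUP"
const headerLen = 4 + 4 + 4

// BuildUpdate runs on the vendor's signing host, never on the device.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	var b bytes.Buffer
	b.WriteString(magic)
	binary.Write(&b, binary.BigEndian, version)
	binary.Write(&b, binary.BigEndian, uint32(len(image)))
	b.Write(image)
	b.Write(ed25519.Sign(priv, b.Bytes()))
	return b.Bytes()
}

// Device models the dongle's update handler with the two checks the quoted
// assessment found absent: signature validation and version anti-rollback.
type Device struct {
	pub       ed25519.PublicKey
	installed uint32
	image     []byte
}

func (d *Device) Apply(pkg []byte) error {
	if len(pkg) < headerLen+ed25519.SignatureSize {
		return errors.New("package too short")
	}
	body := pkg[:len(pkg)-ed25519.SignatureSize]
	sig := pkg[len(pkg)-ed25519.SignatureSize:]
	// Authenticate before trusting any field of the header.
	if !ed25519.Verify(d.pub, body, sig) {
		return errors.New("signature invalid")
	}
	if string(body[:4]) != magic {
		return errors.New("bad magic")
	}
	version := binary.BigEndian.Uint32(body[4:8])
	n := binary.BigEndian.Uint32(body[8:12])
	if int(n) != len(body)-headerLen {
		return errors.New("image length mismatch")
	}
	if version <= d.installed {
		return errors.New("rollback to older or same version rejected")
	}
	d.installed = version
	d.image = append([]byte(nil), body[headerLen:]...)
	return nil
}

// Scenario exercises a genuine update, a tampered image, a replayed version
// and an image signed with the wrong key. It returns the error from each step;
// nil means the update was accepted.
func Scenario() (good, tampered, rollback, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{pub: pub, installed: 1}

	v2 := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))
	good = dev.Apply(v2)

	bad := append([]byte(nil), v2...)
	bad[headerLen] ^= 0x01 // flip one bit in the image body
	tampered = dev.Apply(bad)

	rollback = dev.Apply(v2) // the same version presented again

	wrongKey = dev.Apply(BuildUpdate(otherPriv, 3, []byte("v3 from an unknown signer")))
	return
}

func main() {
	good, tampered, rollback, wrongKey := Scenario()
	fmt.Println("genuine v2:", good)     // <nil>
	fmt.Println("tampered:", tampered)   // signature invalid
	fmt.Println("rollback:", rollback)   // rollback rejected
	fmt.Println("wrong key:", wrongKey)  // signature invalid
}
```

Secure boot is the same check applied at power-on to the image already in flash; without it, a signed-update path can still be bypassed by writing flash directly, which is why Thuen lists the two separately.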

Case Six: Dongle Hacking


Another aspect of the security on these dongles is that
Progressive does nothing to encrypt the data sent to the
company. It may be possible to intercept the data and gain
a vehicle's location, speed, and other performance data.
(video) http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

Case Six: Dongle Hacking


How does this vulnerability fit within what we've learned
about network security?
What kind of attack is this?
How could this vulnerability be mitigated?

Case Seven: Owning A Jeep


In what certainly looks like one of the most comprehensive hacks of a
vehicle to date, Charlie Miller and Chris Valasek recently demonstrated
how completely they owned a Jeep being driven at 70 mph in St. Louis.
They did this from ten miles away, over Sprint's cellular network. They
could have been on the other side of the country. Perhaps the world.
They turned the AC to maximum, turned on the radio at full volume to a
channel of their choice, activated the windshield wipers and sprayed fluid
onto the windshield. They then put a picture of themselves onto the Jeep's
digital display. Then they cut the transmission. The driver had to coast to a
stop and turn the ignition off and back on to reengage the transmission.

Case Seven: Owning A Jeep


According to the article, "Miller and Valasek's full arsenal
includes functions that at lower speeds fully kill the engine,
abruptly engage the brakes, or disable them altogether. The
most disturbing maneuver came when they cut the Jeep's
brakes, leaving me frantically pumping the pedal as the 2-ton
SUV slid uncontrollably into a ditch. The researchers say
they're working on perfecting their steering control; for now
they can only hijack the wheel when the Jeep is in reverse.
Their hack enables surveillance too: They can track a
targeted Jeep's GPS coordinates, measure its speed, and
even drop pins on a map to trace its route."

Case Seven: Owning A Jeep


Though this exploit was only used on the Jeep, it should work on
any Chrysler vehicle with a Uconnect made between late 2013 and
early 2015. Uconnect is an Internet-connected computer that
manages the vehicle's entertainment and navigation, lets you
make phone calls, and has an option to make the vehicle a Wi-Fi
hot spot.
If a hacker can determine a vehicle's IP address, it leaves the
vehicle open to attack from anywhere in the country. Once they
have access, the hackers overwrite an adjacent chip's firmware,
granting them the ability to send commands over the vehicle's
CAN bus to the physical components.
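The Jeep and the dongle cases both end the same way: a network-facing unit gets to write onto the CAN bus that drives the physical components. As an added example (not part of the presentation and not the researchers' or Chrysler's code), this is the gateway filter a defender would place between those segments: an allowlist of CAN IDs per source segment, fail-closed for anything unknown, with every dropped frame surfaced as a detection event. The segment names, CAN IDs, candump-style line format and sample traffic are all placeholders constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Frame is one CAN message as seen by the gateway, tagged with the bus segment
// it arrived on. IDs and segment names in this file are placeholders for the
// example, not any manufacturer's real identifiers.
type Frame struct {
	Segment string
	ID      uint32
	Data    []byte
}

// Policy lists, per source segment, the CAN IDs it may inject onto the
// powertrain bus. Anything not listed is dropped: the infotainment/telematics
// side gets a few status IDs and nothing that commands brakes or transmission.
type Policy map[string]map[uint32]bool

var DefaultPolicy = Policy{
	"infotainment": {0x3F0: true, 0x3F1: true}, // placeholder status IDs
	"body":         {0x240: true, 0x241: true}, // placeholder door/lock status IDs
	"powertrain":   nil,                        // nil: the powertrain segment's own traffic passes
}

// ParseFrame reads a candump-style line such as
// "infotainment  1A0   [3]  00 FF 10" (segment, hex ID, [length], hex bytes).
func ParseFrame(line string) (Frame, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Frame{}, fmt.Errorf("malformed line: %q", line)
	}
	id, err := strconv.ParseUint(f[1], 16, 32)
	if err != nil {
		return Frame{}, err
	}
	dlc, err := strconv.Atoi(strings.Trim(f[2], "[]"))
	if err != nil || dlc < 0 || dlc > 8 || len(f)-3 != dlc {
		return Frame{}, fmt.Errorf("bad length in line: %q", line)
	}
	data := make([]byte, dlc)
	for i, h := range f[3:] {
		b, err := strconv.ParseUint(h, 16, 8)
		if err != nil {
			return Frame{}, err
		}
		data[i] = byte(b)
	}
	return Frame{Segment: f[0], ID: uint32(id), Data: data}, nil
}

// Allow decides whether the gateway forwards the frame to the powertrain bus.
func (p Policy) Allow(fr Frame) bool {
	allowed, known := p[fr.Segment]
	if !known {
		return false // unknown segment: fail closed
	}
	if allowed == nil {
		return true
	}
	return allowed[fr.ID]
}

// Filter forwards permitted frames and returns the dropped ones; a drop from a
// non-powertrain segment aimed at a control ID is the detection signal.
func Filter(p Policy, lines []string) (forwarded, dropped []Frame, errs []error) {
	for _, line := range lines {
		fr, err := ParseFrame(line)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if p.Allow(fr) {
			forwarded = append(forwarded, fr)
		} else {
			dropped = append(dropped, fr)
		}
	}
	return
}

// SampleLog is constructed traffic: a legitimate status frame, two frames on
// placeholder brake (0x1A0) and transmission (0x2B0) control IDs arriving from
// the infotainment side, genuine powertrain traffic, an unknown segment, and a
// malformed line.
var SampleLog = []string{
	"infotainment  3F0   [2]  12 34",
	"infotainment  1A0   [3]  00 FF 10",
	"infotainment  2B0   [1]  00",
	"powertrain    1A0   [3]  00 00 00",
	"unknownbus    3F0   [2]  12 34",
	"infotainment  XYZ   [1]  00",
}

func main() {
	fwd, drop, errs := Filter(DefaultPolicy, SampleLog)
	fmt.Printf("forwarded=%d dropped=%d parse_errors=%d\n", len(fwd), len(drop), len(errs)) // 2 3 1
	for _, d := range drop {
		fmt.Printf("ALERT segment=%s id=0x%03X data=% X\n", d.Segment, d.ID, d.Data)
	}
}
```

The allowlist is the control; the alert on each drop is what turns a silent gateway into telemetry a fleet operator can act on, since a head unit that starts emitting control IDs is itself the indicator of compromise.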

Case Seven: Owning A Jeep


Chrysler posted a notice to owners on its website of a patch on
July 16th, 2015. The notice gave no details of what the patch was
meant to fix. Unfortunately, the only way to update these vehicles
is by manually loading the patch via USB or to take it to a
dealership. That means that many, if not most, vulnerable vehicles
will remain unpatched.
Frighteningly, the hackers used a laptop and a burner phone as a
Wi-Fi hotspot to scan the Sprint network for targets. They don't
need an IP to see vehicles pop up. In fact, when a vehicle does
appear, it provides the IP address to them. All they need to do at
that point is to start the hack.

Case Seven: Owning A Jeep


According to the article, "A set of GPS coordinates, along with a
vehicle identification number, make, model, and IP address,
appears on the laptop screen. It's a Dodge Ram. Miller plugs its
GPS coordinates into Google Maps to reveal that it's cruising down
a highway in Texarkana, Texas. He keeps scanning, and the next
vehicle to appear on his screen is a Jeep Cherokee driving around
a highway cloverleaf between San Diego and Anaheim, California.
Then he locates a Dodge Durango, moving along a rural road
somewhere in the Upper Peninsula of Michigan. When I ask him to
keep scanning, he hesitates. Seeing the actual, mapped locations
of these unwitting strangers' vehicles, and knowing that each one
is vulnerable to their remote attack, unsettles him."

Case Seven: Owning A Jeep


Miller has performed many scans looking for vulnerable vehicles
and recorded their VIN numbers. Using an algorithm sometimes
used for tagging and tracking wildlife, he estimates there are
almost half a million vulnerable vehicles in the wild.
While the random scanning makes finding a specific person
extremely unlikely, a number of phones scanning together could
allow an individual to be targeted. Hackers could also take over
other Uconnect systems to assist in such an endeavor. Basically,
the hack would worm from one system to another, creating a
vehicular botnet numbering in the hundreds of thousands.

Case Seven: Owning A Jeep


Taken to its logical conclusion (I'm a writer), this means the
hack could be used to target a specific individual. Knowing
where they were, a well-timed attack could injure or kill
someone. Imagine a tech-savvy assassin killing from
thousands of miles away. Untraceably.
Welcome to the Internet of Everything.
(video) http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Conclusion
US Senator Edward John "Ed" Markey sent a letter to 20
automobile makers asking about their security practices. Of
the 16 that responded, virtually all of them confirmed that
virtually every vehicle they sell has some form of wireless
communication, including Bluetooth, Wi-Fi, cellular service,
and radios.
That means vulnerabilities like these will continue to pop up
and can only be slowed by the automakers upping the ante
on protecting the vehicles in an expeditious and proactive
manner. That doesn't seem to be happening.

Conclusion
One thought I want to leave you with. In an article with Bloomberg
Business, Thilo Koslowski, vice president of the auto practice at
Gartner, predicts that as many as 40% of new vehicles sold
worldwide will let drivers shop from behind the wheel by 2020.
Imagine paying for your fast food by touching an icon on your
car's console. Buying gas with the car? Think it won't happen?
Ford has an app that lets you buy a pizza via your car today. By
2022, 85 million new cars will be connected to the Internet. In the
coming years, the "buy now" buttons on your phone will begin
appearing in your car.

Conclusion
This problem isn't going away and it's only getting worse as
the manufacturers race one another to put features in front
of prospective customers. Identity theft may become as
simple as parking at the fast food restaurant. Or driving
down the highway.
Welcome to the future.
http://www.bloomberg.com/news/articles/2015-08-27/cars-said-ripe-for-identity-theft-as-shopping-comes-to-dashboard
