Researchers Demo How They Hacked a Jeep Remotely: Black Hat

Two researchers prove hacking a car remotely is possible and detail how they found and exposed flaws, which led Chrysler to recall 1.4 million vehicles.

car hacking at Black Hat

LAS VEGAS—Every year, there is always one marquee session at the Black Hat USA conference that captures the imagination of the public like no other. At this year's conference here, it was the remote car hacking attack, which led Fiat Chrysler Automobiles (FCA) to recall 1.4 million autos.

In front of an overflowing room, Twitter security researcher Charles Miller and IOactive Director of Vehicle Security Research Chris Valasek took great pleasure in a highly entertaining hour-long session detailing the steps and the outcome of their car hacking research.

"Please stop saying that whatever you have is unhackable; you're going to look silly," Valasek said.

Many security experts had said remote car hacking was not possible, Valasek said. Yet he and Miller proved otherwise.

Still, it wasn't easy, Valasek said.

The two researchers spent a year figuring things out and tried multiple approaches. They first looked at was the optional in-vehicle WiFi, a service for which FCA car owners can pay.

FCA is using WPA2 encryption, which is robust, but the company uses a pseudo-random password-generation sequence, which potentially could be guessed, though it would be highly impractical to attack in practice, Miller said.

"You'd have to drive next to the car you're trying to attack for an hour," Miller quipped.

FCA's Uconnect entertainment system also, however, makes use of cellular connections, which are also typically on by default. This represented a better target for Miller and Valasek.

Running a simple scan using the open-source Nmap port mapping tool, the researchers found that port 6667 was open. Port 6667 on a normal server is used for Internet Relay Chat (IRC), but on a Jeep, it's used for something called D-Bus, an interprocess communications mechanism. "D-bus can require authentication, but the Jeep implementation did not," Miller said.

Miller then used a program called Dfeet to look at services connected to D-bus and discovered that D-bus was running as root, meaning it has full access rights to connected systems. So with just four lines of Python code, a command could potentially be executed on the vehicle to perform operations.

Miller and Valasek had to do additional work to enable the controller area network (CAN) message bus on the vehicle, which is connected to steering, brakes and other activities, to receive and properly execute his D-bus messages.

At multiple points in the research, Miller said he broke the infotainment system and brought the Jeep into his Chrysler dealer.

"I gotta say this, Chrysler stands behind its products," Miller said, as he showed a picture of himself and his Jeep at a dealer garage.

Each time Miller took the Jeep to the dealer and they asked what happened, all he said was "I don't know, the screen just went all black."

While the research was done on Miller's own Jeep, which he was quick to note, he still drives today, the impact is massive because of the remote hacking capability. From a scanning perspective, the two researchers were able to figure out an IP range used by FCA for Uconnect in order to find potentially vulnerable vehicles.

FCA has now patched the cars, and perhaps even more importantly, Sprint, FCA's cellular carrier, is blocking access to port 6667, Valasek said. As a result, it's no longer possible to perform a remote hack on FCA vehicles.

Miller and Valasek both said they were proud of the fact that their work was able to have a real-world impact and that the issue has been patched and is no longer exploitable.
Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.