Security researchers Charlie Miller and Chris Valasek have made a career out of hacking cars. Valasek is the director of vehicle security research at IOactive, and Miller is a security researcher at Twitter.
At 3 p.m. PT on Aug. 5 at the Black Hat USA security conference, the pair are set to provide new details on car hacking in a session titled, “Remote Exploitation of an Unaltered Passenger Vehicle.” As has been their custom in the last three years, Miller and Valasek have provided an early demonstration of their research to a media outlet to stoke the fires of media hysteria about the risks of car hacking.
In 2013, Miller and Valasek first gave a talk at the DEFCON security conference about the risks of car hacking. That talk wasn’t originally considered to be at a level that the Black Hat show organizers wanted, so the research wasn’t presented at Black Hat 2013.
In 2014, Miller and Valsek re-doubled their efforts in a bid to crack the session list for Black Hat. “[In 2013], our talk got rejected at Black Hat, so we wanted to come up with something that would be accepted this year,” Miller said during his Black Hat USA 2014 talk.
The 2014 talk provided guidelines on how to determine how vulnerable a modern vehicle is to hackers. For the most part, all of the attack surfaces Miller and Valasek described in 2014 required an attacker to have some form of physical access to the car.
For the 2015 attack, the new trick is allegedly that the security researchers can attack the car remotely. “In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle,” the Black Hat abstract on the talk states. “Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units.”
In the pre-show video demonstration, Valasek notes that he and Miller had to break into the car via the cell network and then were able to move laterally to control different aspects of the vehicles operations. The vehicle in question is a 2014 Jeep and the exploitation occurred due to a software vulnerability in Chrysler’s uconnect infotainment system. The two researchers have stated that they have alerted Chrysler to the flaw and an update is available. To see if your Chrysler vehicle needs the update, check out the uconnect update site.
Hype and hysteria related to car hacking has been a key part of Miller and Valasek’s research for the last three years. After all, who wouldn’t be afraid of having their car hacked?
For the first two iterations of the research, there was always the caveat that physical access was needed and the car was, in some way, tampered with or modified. There was also the catch that in order to manipulate the vehicle, Bluetooth, a close range proximity protocol, was needed. With the new research, the promise of an unaltered vehicle and remote access via a cellular connection changes the game.
It also, in my opinion, should make it easier to fix and defend against, since there is a key lynchpin in the research, the cellular network itself. We don’t know the exact vulnerability yet. The two researchers aren’t going to disclose that until Black Hat, but they have indicated they needed to break into the cellular network.
That would also imply that other risks that are not related to car hacking could be worrisome. Then again, Miller is no stranger to cellular hacking, either; at the Black Hat USA 2009 conference, he demonstrated how he could take over an iPhone with a malicious Short Message Service (SMS) text.
The real risk, as Miller and Valasek have pointed out in their 2014 Black Hat talk, is the interconnected nature of some car systems that can enable lateral movement across a car’s capabilities. It’s the same basic type of risk that other security professionals have been talking about in virtualized and cloud networks. That is, a lack of proper segmentation and isolation that could enable an attacker unrestricted movement across what should be disparate network segments.
While we wait for full details on the latest risks to cars, due to be revealed on Aug. 5, the good news is that security researchers are revealing the details, with patches already available and not in a post-mortem after some catastrophic attack that costs human lives.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.