{"id":12752,"date":"2016-08-10T09:00:12","date_gmt":"2016-08-10T13:00:12","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12752"},"modified":"2017-09-24T08:04:04","modified_gmt":"2017-09-24T12:04:04","slug":"jeep-hacked-again","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/jeep-hacked-again\/12752\/","title":{"rendered":"How that Jeep was hacked. Again."},"content":{"rendered":"<p>The \u201cJeep hackers,\u201d Charlie Miller and Chris Valasek, got their nickname and achieved fame last year when they <a href=\"https:\/\/www.kaspersky.com\/blog\/blackhat-jeep-cherokee-hack-explained\/9493\/\" target=\"_blank\" rel=\"noopener nofollow\">remotely hijacked a moving Jeep Cherokee<\/a>. It\u2019s a year later now, and the duo has found more dangerous vulnerabilities. Miller and Valasek shared their findings at Black Hat USA 2016, and today we are spreading the word further.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021736\/jeep-hacked-again-featured.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021736\/jeep-hacked-again-featured.jpg\" alt=\"How that Jeep was hacked. Again.\" width=\"1280\" height=\"840\" class=\"aligncenter size-full wp-image-12755\"><\/a><\/p>\n<p>During the past year, research experts were able to perform some of the most dangerous actions (turning the steering wheel, braking, and accelerating), but only at very low speeds \u2014 up to 5 miles per hour. 
The hack took advantage of vulnerabilities in cars\u2019 smart features, such as automated parking assistance, and the Jeep\u2019s diagnostic mode.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BlackHat?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BlackHat<\/a> 2015: The full story of how that Jeep was hacked <a href=\"https:\/\/t.co\/y0d6k8UE4n\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/y0d6k8UE4n<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/bhUSA?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#bhUSA<\/a> <a href=\"http:\/\/t.co\/SWulPz4Et7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/SWulPz4Et7<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/629651596876644352?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 7, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>These features are typically used at low speed or with the engine off. If you try to exploit them at high speed, the system will register a conflict and the smart feature won\u2019t be activated \u2014 unless you bypass that limitation. And that\u2019s exactly what the \u201cJeep hackers\u201d have achieved this year.<\/p>\n<p>The onboard computer receives speedometer and tachometer readings from messages sent through the CAN bus, which is sort of like a vehicle\u2019s local network. 
If you want to bypass security restrictions, you have to fake the messages and make the car believe that it is standing still while it\u2019s actually tearing down the highway.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021739\/jeep-hacked-again-can-hacks-state.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021739\/jeep-hacked-again-can-hacks-state.jpg\" alt=\"How that Jeep was hacked. Again.\" width=\"1280\" height=\"760\" class=\"aligncenter size-full wp-image-12753\"><\/a><\/p>\n<p>Miller and Valasek did it \u2014 they infected one of the onboard electronic units with the help of a malicious patch. As a result, they were able to use the CAN bus to send fake readings. The method is quite simple. Messages with readings are usually numbered. When an electronic unit receives two messages with the same number, it trusts the first one and rejects the second.<\/p>\n<p>So if hackers assign the right numbers to fake messages and send them before the system sends real messages, the system trusts the fake data and discards the real.<\/p>\n<div id=\"attachment_12754\" style=\"width: 1290px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021738\/jeep-hacked-again-counter-buster.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-12754\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/08\/06021738\/jeep-hacked-again-counter-buster.jpg\" alt=\"How that Jeep was hacked. 
Again.\" width=\"1280\" height=\"760\" class=\"size-full wp-image-12754\"><\/a><p id=\"caption-attachment-12754\" class=\"wp-caption-text\">Fake data are shown in green (speed 0 km\/h), rejected real speed data in red.<\/p><\/div>\n<p>Once researchers solved this problem, they learned to pull off even more dangerous, unprecedented tricks than last year \u2014 and at any speed. For example, they could take control of the steering booster and command it to turn the wheel. Or engage the parking brake, no matter how hard the driver tries to stop them \u2014 the control in the car becomes useless during the attack. They also learned to alter cruise control settings to quickly accelerate.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/ONDSAMfNGP0?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>But don\u2019t think that hackers took full control over the car \u2014 that\u2019s not exactly how it went down. They could not, for example, route the car wherever they wanted. And during an attack, the driver can hit the brake pedal to stop the car or try to overcome the power steering (if they are strong and attentive enough). Researchers stressed that drivers needed to be focused on the car\u2019s movement and the road to realize in time that something was going wrong.<\/p>\n<p>We need to add that if such attacks come unexpectedly, they will be even more dangerous. Hackers can raise their chance of success by distracting drivers with environmental changes \u2014 suddenly turning on loud music or blasting the air conditioning, for example \u2014 tricks Miller and Valasek have already pulled off. 
While the driver focuses on dealing with the \u201cbuggy electronics,\u201d hackers can suddenly turn the wheel, accelerate, or activate the parking brake.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/ue-5hlU5BWA?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>We have good news as well. First, for Fiat Chrysler, developer of the hacked cars: At the end of their report at Black Hat USA 2016, security experts said they would stop hacking the long-suffering Jeep.<\/p>\n<p>Second, for owners of Fiat Chrysler cars: The company didn\u2019t ignore the researchers\u2019 findings. It patched a number of the vulnerabilities Miller and Valasek discovered. For example, the Sprint cellular network, which the cars use to connect to the Internet, now blocks TCP traffic \u2014 that means last year\u2019s remote hack doesn\u2019t work anymore.<\/p>\n<p>Finally, Fiat Chrysler recently <a href=\"https:\/\/threatpost.com\/fiat-chrysler-launches-bug-bounty-with-1-5k-payout-cap\/119255\/\" target=\"_blank\" rel=\"noopener nofollow\">launched<\/a> a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bug_bounty_program\" target=\"_blank\" rel=\"noopener nofollow\">bug bounty program<\/a>, compensating people who find and report bugs and vulnerabilities. Tesla and General Motors have similar programs. Though Fiat Chrysler\u2019s program is not the best of its kind, and the bounties are rather small by cybersecurity standards, it\u2019s nonetheless a step in the right direction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Charlie Miller and Chris Valasek learned to hack a car\u2019s steering wheel, brakes, and acceleration. 
They presented their finding at Black Hat USA 2016.<\/p>\n","protected":false},"author":421,"featured_media":12756,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[770,651,1761,1762,1189,527,1760,732,97],"class_list":{"0":"post-12752","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-black-hat","9":"tag-cars","10":"tag-charlie-miller","11":"tag-chris-valasek","12":"tag-chrysler","13":"tag-hacks","14":"tag-jeep-cherokee","15":"tag-research","16":"tag-security-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/jeep-hacked-again\/12752\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/jeep-hacked-again\/7502\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/jeep-hacked-again\/7526\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/jeep-hacked-again\/7486\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/jeep-hacked-again\/8923\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/jeep-hacked-again\/8753\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/jeep-hacked-again\/12733\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/jeep-hacked-again\/2349\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/jeep-hacked-again\/8436\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/jeep-hacked-again\/12260\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/jeep-hacked-again\/12733\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/jeep-hacked-again\/12752\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/jeep-hacked-again\/12752\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/black-hat\/","name":"black 
hat"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12752","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12752"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12752\/revisions"}],"predecessor-version":[{"id":19237,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12752\/revisions\/19237"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12756"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12752"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12752"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}