Researchers at the University of Washington and University of California-San Diego have examined the multitudinous computer systems that run modern cars, discovering that they're easily broken into with alarming results. Hackers can disable the brakes of moving vehicles, lock the key in the ignition to prevent the engine from being turned off, jam all the door locks, and make the engine run faster. Less dangerously, they can control the radio, heating, and air conditioning, or just endlessly honk the horn.
Their attacks used physical access to the federally mandated On-Board Diagnostics (OBD-II) port, typically located under the dashboard. This provided access to another piece of federally mandated equipment, the Controller Area Network (CAN) bus. With this access, they could control the various Electronic Control Units (ECUs) located throughout the vehicle, with scant few restrictions.
Though there is some security built into the network, it was easily defeated through a combination of brute-force attacking and implementation flaws. The CAN specification requires little protection, and even those protections it requires were found to be implemented inadequately, with ECUs allowing new firmware to be flashed even while the car was moving (halting the engine in the process), and letting low-security systems like the air conditioning controller attack high-security services such as the brakes.
Once the researchers had gained access, they developed a number of attacks against their target vehicles, and then tested many of them while the cars were being driven around an old airstrip. Successful attacks ranged from the annoying—switching on the wipers and radio, making the heater run full blast, or chilling the car with the air conditioning—to the downright dangerous. In particular, the brakes could be disabled. The ignition key could then be locked into place, preventing the driver from turning the car off.
The researchers could even upload new firmware to various ECUs, permitting a range of complex behaviors to be programmed in. What they tested was harmless—turning on the wipers when the car reached 20mph—but the possibilities were enormous: for example, the ECU could wait until the car was going at 80mph, and then disable all the brakes. They could also program in the ability to reboot and reset the ECU, so their hacked firmware would be removed from the system, leaving no trace of what they had done.
About the only thing it seemed they couldn't do was steer the car, and even that may be possible in high-end vehicles with self-parking capabilities.
The research makes clear that the embedded computer systems within cars, and the specifications they are built on, simply aren't designed with security in mind. The CAN protocol requires only minimal security, and the car and component manufacturers have done a poor job of implementing it. Even if they had done their job properly, however, many of the attacks are likely to have been successful anyway.
Their interest was also purely in the network security (or lack thereof) of these vehicular networks, not the general safety of controlling critical systems with computers. Though they gave their test driver a taste of the (alleged) Toyota experience, they didn't examine the plausibility or frequency of such systems failures.
They also refrained from naming the exact make and model of vehicle that they tested. They said that this was because they didn't believe anything they found was specific to any one make or model, and as such didn't want to make it look as if this was a limited problem—it looks to be industry-wide.
The researchers' dependence on physical access certainly reduces the scope of the attacks (though thanks to the convenience of the OBD port, not beyond what a valet or disgruntled spouse could achieve), but there's bad news on that front too: the researchers found that the wireless access to their car (like many, it had integrated Bluetooth and similar capabilities) was inadequately secure, and they could break in that way, too.
Figurative drive-by hacks where a system is exploited just by visiting a malicious webpage are commonplace. With research like this, it looks like they might be taking a turn for the literal. What a terrifying prospect.
A note of caution to anyone who works on the security team of a major automobile manufacturer: Don’t plan your summer vacation just yet.
At the Black Hat and Defcon security conferences this August, security researchers Charlie Miller and Chris Valasek have announced they plan to wirelessly hack the digital network of a car or truck. That network, known as the CAN bus, is the connected system of computers that influences everything from the vehicle’s horn and seat belts to its steering and brakes. And their upcoming public demonstrations may be the most definitive proof yet of cars’ vulnerability to remote attacks, the result of more than two years of work since Miller and Valasek first received a DARPA grant to investigate cars’ security in 2013.
“We will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle,” the hackers write in an abstract of their talk that appeared on the Black Hat website last week. “Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle.”
Miller and Valasek won’t yet name the vehicle they’re testing, and declined WIRED’s request to comment further on their research so far ahead of their talk.
Academic researchers at the University of Washington and the University of California at San Diego demonstrated in 2011 that they could wirelessly control a car’s brakes and steering via remote attacks. They exploited the car’s cellular communications, its Wi-Fi network, and even its Bluetooth connection to an Android phone. But those researchers only identified their test vehicle as an “unnamed sedan.”
Miller and Valasek, by contrast, haven’t hesitated in the past to identify the exact make and model of their hacking experiments’ multi-ton guinea pigs. Before their presentation at the Defcon hacker conference in 2013, they put me behind the wheel of a Ford Escape and a Toyota Prius, then showed that they could hijack those two vehicles’ driving functions—including disabling and slamming on brakes or jerking the steering wheel—using only laptops plugged into the OBD2 port under the automobiles’ dashboards.
Some critics, including Toyota and Ford, argued at the time that a wired-in attack wasn’t exactly a full-blown hack. But Miller and Valasek have been working since then to prove that the same tricks can be pulled off wirelessly. In a talk at Black Hat last year, they published an analysis of 24 automobiles, rating which presented the most potential vulnerabilities to a hacker based on wireless attack points, network architecture and computerized control of key physical features. In that analysis, the Jeep Cherokee, Infiniti Q50 and Cadillac Escalade were rated as the most hackable vehicles they tested. The overall digital security of a car “depends on the architecture,” Valasek, director of vehicle security research at security firm IOActive, told WIRED last year. “If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?”
Jeep, after all, received the worst security ratings by some measures in Miller and Valasek’s earlier analysis. It was the only vehicle to get the highest rating for “hackability” in all three categories of their rating system. Jeep-owner Chrysler wrote last year in a statement responding to that research that it would “endeavor to verify these claims and, if warranted, we will remediate them.”
Valasek and Miller’s work has already led to serious pressure on automakers to tighten their vehicles’ security. Congressman Ed Markey cited their research in a strongly-worded letter sent to 20 automakers following their 2013 presentation, demanding more information on their security measures. In the responses to that letter, all of the auto companies said their vehicles did have wireless points of access. Only seven of them said they used third-party auditors to test their vehicles’ security. And only two said they had active measures in place to counteract a potential digital attack on braking and steering systems.
It’s not clear exactly how much control Miller and Valasek have gained over their target automobile’s most sensitive systems. Their abstract hints that “the ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe,” and notes that they’ll “demonstrate the reality and limitations of remote car attacks.”
But in a tweet following the announcement of their upcoming talk last week, Valasek put it more simply: “[Miller] and I will show you how to hack a car for remote control at [Defcon],” he wrote. “No wires. No mods. Straight off the showroom floor.”
If you thought your pricey Benz or Bimmer had escaped the rash of recent hacks affecting Chrysler and GM cars, think again.
When security researcher Samy Kamkar revealed a bug in GM’s OnStar service last month that allowed a hacker to hijack its RemoteLink smartphone app, he warned that GM wouldn’t be the only target in an increasingly internet-connected auto industry rife with security flaws. Now Kamkar’s proven himself correct: He’s found that the internet services of three other carmakers suffer from exactly the same security issue, which could allow hackers to unlock vehicles over the internet, track them in some cases, and even remotely start their ignitions.
Over the last week, Kamkar has analyzed the iOS apps of BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart, and found that all of those internet-connected vehicle services are vulnerable to the attack he used to hack GM’s OnStar RemoteLink app. “If you’re using any of these four apps, I can automatically get all of your log-in information and then indefinitely authenticate as you,” says Kamkar. “These apps give me different levels of control of your car. But they all give me some amount of control.”
Kamkar’s attack, which he first revealed to WIRED last month, uses a $100 homemade device he calls OwnStar, in a reference to GM’s OnStar and the hacker slang “to own”—or take control—of a target. Plant the device somewhere under a car’s body, and it can impersonate a familiar Wi-Fi network and trick a driver’s phone into connecting to it. When the driver uses his or her OnStar RemoteLink app within Wi-Fi range, the OwnStar device takes advantage of an authentication flaw in how the RemoteLink app implements SSL encryption, allowing the small box—little more than a Raspberry Pi computer and a collection of radios—to intercept the user’s credentials and send them over a cellular connection to the hacker. From then on, the hacker can do everything a legitimate OnStar customer can do, including locating, unlocking, and remotely starting his or her car.
GM quickly responded to WIRED’s story about OwnStar with a software patch, requiring all its RemoteLink users to update. But Kamkar has now updated his OwnStar device to also intercept the credentials of BMW, Mercedes-Benz, Chrysler, and Viper’s apps. However, unlike his OnStar hack, which he tested on a 2013 Chevy Volt, he hasn’t been able to try any of the stolen credentials from his tests on actual vehicles. He says he’s also holding off on releasing the code for his revamped attack to give the four companies a chance to fix their security problems.
Those four apps each have different capabilities that could allow a hacker using OwnStar to pull some nasty pranks or even break into a compromised vehicle. All four iOS apps allow remote locking and unlocking. The BMW, Mercedes-Benz, and Viper apps all allow the car to be located and tracked, too. And all but the Viper app allow a vehicle’s ignition to be remotely started, though as with GM vehicles, it’s likely the driver’s key would have to be physically present to put the car into gear and drive away.
BMW and Viper didn’t respond to a request for comment, but a Mercedes-Benz spokesperson wrote in an email to WIRED that “we don’t want to engage in speculation about potential hacks (often the result of extreme manipulation) that have very little likelihood of occurring in the real world and create unnecessary concern.” A spokesperson for Chrysler parent company Fiat Chrysler Automobiles wrote that the company takes cybersecurity seriously but that “FCA US opposes irresponsible disclosure of explicit ‘how to’ information that can help criminals gain unauthorized access to vehicles and vehicle systems.” He added that “to our knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.”
Chrysler actually has seen at least one recent “real-world” hack of its vehicles. Security researchers Charlie Miller and Chris Valasek demonstrated to WIRED last month they could use a different vulnerability in its vehicles’ Uconnect computers to wirelessly hijack a 2014 Jeep Cherokee over the internet. Chrysler responded with a recall of 1.4 million vehicles. Patching that Uconnect flaw requires the vehicles’ owners to manually install a software update via their cars’ and trucks’ USB ports.
Luckily, protecting vehicles from Kamkar’s OwnStar attack is much easier: It only requires the carmakers to update their apps in Apple’s app store. But unlike GM, none of the four other affected automakers have yet committed to doing the same.
Kamkar says that he looked at 11 different automakers with remote unlocking and remote ignition apps, and has now found that five of them were vulnerable to his OwnStar interception trick. Given that those apps lack SSL authentication, which is a basic security measure, Kamkar says his research shows that automakers’ cybersecurity efforts haven’t kept up with their eagerness to connect cars to the internet. “We’re really only scratching the surface of the security of these vehicles,” Kamkar says. “Who knows what will be found when researchers look further.”
Hacks Using Remote Access
The tire pressure monitors built into modern cars have been shown to be insecure by researchers from Rutgers University and the University of South Carolina. The wireless sensors, compulsory in new automobiles in the US since 2008, can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction.
Earlier in the year, researchers from the University of Washington and University of California San Diego showed that the ECUs could be hacked, giving attackers the ability to be both annoying, by enabling wipers or honking the horn, and dangerous, by disabling the brakes or jamming the accelerator.
The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they're wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.
The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.
Unlike the work earlier this year, these attacks are more of a nuisance than any real danger; the tire sensors only send a message every 60-90 seconds, giving attackers little opportunity to compromise systems or cause any real damage. Nonetheless, both pieces of research demonstrate that these in-car computers have been designed with ineffective security measures.
Entry
Volkswagen has lost a two-year battle to suppress research about how hi-tech criminals are able to hack into its cars electronically.
Full details of the hacking investigation, carried out by three universities, showed London as a particular hotbed for hacking, with four out of ten car thefts using the method. Immobilisers prevent the traditional hot-wiring of cars by using a digital signature between the car and key, but organised criminal gangs found weaknesses in the system, particularly in cars where manufacturers had removed the traditional key.
The universities, from the Netherlands and Britain, also found the weaknesses in their 2013 study, but Volkswagen took action in the High Court to stop publication of their findings. It was granted an injunction because a judge said that it would facilitate further exploitation by criminals. After two years of court action, the research has now been released, detailing weaknesses in the Swiss-designed Megamos Crypto system used by 26 car manufacturers, including Audi, Porsche, Honda, Fiat and Volvo as well as VW.
The research shows how criminals can easily eavesdrop on the electronic communication between car and key fob and found a relatively simple encryption method that could be unravelled on just two “listens”. Flavio Garcia, a researcher from the University of Birmingham, said: “It’s a bit like if your password was ‘password’.”
Samy Kamkar, a security researcher and freelance developer, last month revealed how he cracked GM cars’ security systems and could locate, unlock and start them remotely.
GM immediately moved to fix the flaw, and said it had done so within days. But the latest revelation could prove more of a headache for car companies, with systems having to be updated or replaced in thousands of vehicles. More recent models have already been updated, the researchers believe.
The French defence group Thales partnered Volkswagen in the legal action, but the final paper was permitted to be published after removal of just one line of text that would have allowed others to replicate the hack easily.
The paper calls on manufacturers to install technology using AES ciphers similar to those used in contactless bank cards.
“The implications of the attacks presented in this paper,” it says, “are especially serious for those vehicles with keyless ignitions. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate.
“We want to emphasise that it is important for the automotive industry to migrate from weak proprietary ciphers like this to community-reviewed ciphers such as AES and use it according to the guidelines.”
A spokesman for Volkswagen told The Independent: “Volkswagen has an interest in protecting the security of its products and its customers. We would not make available information that might enable unauthorised individuals to gain access to our cars.
“In all aspects of vehicle security, we go to great lengths to ensure the security and integrity of our products against external malicious attacks.”
Last year about 70,000 cars were stolen in the UK, a 70 per cent fall over the past 40 years according to the RAC, which experts warned was concealing an increase in electronic thefts.
24 Models of Car hacked by Simple Radio Amplification
Ford Motor Co., seeking to beam down wireless software updates to its next generation of cars, has assigned the task to an old, familiar friend: Microsoft Corp.
Microsoft developed the first two generations of Ford's Sync infotainment system before being replaced by Blackberry's QNX for the third iteration, Sync 3. That system, revealed late last year, will start to appear in production cars in 2015 and will be offered across Ford and Lincoln's U.S. lineups by the end of 2016.
The cloud computing deal, announced today at a conference in Atlanta, shows the evolving nature of Ford's relationship with Microsoft, which is pivoting its business under CEO Satya Nadella to focus on selling cloud-based software.
"We've obviously had a good, long relationship with Microsoft," Don Butler, director of connected vehicles at Ford, said in an interview. "Microsoft understands the automotive environment and the kinds of experiences that we'd like to enable."
A car equipped with Sync 3 will be able to connect to the Internet over a Wi-Fi connection and download new features straight onto its hard drive, just as a smartphone or personal computer can. By partnering with Microsoft for cloud services, Ford will be able to host these software updates on Microsoft's global network of data centers, which Butler said will offer a quicker rollout of new features and more reliable downloads around the world.
A small download might be a few megabytes, the size of a single song from Apple Inc.'s iTunes service. But a larger update, like a fresh package of navigation maps or a new graphical display, might be more than a gigabyte -- large enough that it would take a few minutes to download over a home Wi-Fi connection.
Once an owner gives permission, the car would continually monitor the Microsoft Azure cloud service. Any new software will install itself automatically, and notify the driver the next time they start their car. Butler said the approach was based on customer research that showed customers didn't want to oversee the process.
Can You Hack A Plane?
Security and aviation experts have rubbished claims that a hacker gained access to a plane’s flight controls through the in-flight entertainment system.
Hacker Chris Roberts claimed he was able to break into the in-flight entertainment system up to 20 times on separate flights and that on one flight he was able to make the plane “climb” and “move sideways” by accessing flight control systems from a laptop in his seat.
The claims were revealed by a search warrant application issued by the US Federal Bureau of Investigation after Roberts was banned from a plane for tweeting about hacking into systems.
Isolated systems
A spokesperson for Boeing, the manufacturer of the plane allegedly hacked, said that the in-flight entertainment system and flight and navigation systems are isolated from each other.
“While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” said the Boeing spokesperson.
A senior law enforcement official told Bloomberg that investigators looking into the claims did not believe such attempts to control a plane could be successful.
Peter Lemme, chairman of the Ku and Ka satellite communications standards, told industry blog Runway Girl Network: “The claim that the thrust management system mode was changed without a command from the pilot through the mode control panel, or while coupled to the flight management system is inconceivable.”
He added that the links between the entertainment system and flight control systems “are not capable of changing automatic flight control modes”.
Experts are sceptical that any alteration to flight systems occurred because the pilots and flight crew would have noticed, any adjustments would have been recorded and reported and an investigation into the systems launched.
Roberts now claims that his comments were taken out of context and misinterpreted and is now being represented by the US Electronic Frontier Foundation amid an ongoing investigation by US law enforcement agencies.