
Black Hat USA 2015: the full story of the Jeep hack

How Charlie Miller and Chris Valasek hacked into the Jeep Cherokee.


At the beginning of their research, Miller and Valasek tried to break into the Jeep's multimedia system over Wi-Fi. The manufacturer, Chrysler, offers a Wi-Fi hotspot by subscription. This wireless connection turned out to be easy to crack, because the password was generated automatically from the time at which the car and its multimedia system were first turned on.

In theory, with the time measured to the second, this scheme looks reasonably strong, because there are a great many possible timestamps. But if you know the year of manufacture and can guess the month, the search space shrinks to about 15 million candidates. Restricting it to daytime hours leaves about 7 million. That is a fairly good result: such a search can be run in about an hour.



The problem is that for that whole hour you need to stay close to the Jeep to remain within Wi-Fi range. But the researchers found another way. It turned out that the Wi-Fi password is generated before the date and time have been set in the system, that is, from the default clock value plus the few seconds the on-board computer takes to boot.

And that time is exactly January 01 2013 00:00:32 GMT.
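The security point here is that a password derived from the clock has no more entropy than the set of plausible clock values, however long the password looks. The following is an added illustration, not the head unit's real algorithm or any of Miller and Valasek's code: `weak_password` is a hypothetical generator seeded from the boot timestamp, `strong_password` draws from the operating system's CSPRNG, and the two entropy helpers show why the first is bounded by the seed space rather than by the password length. The default boot time constant is the value the page reports.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12  # constructed length for the illustration

# Default clock value the page reports for a head unit whose date/time has not been set.
DEFAULT_BOOT = datetime(2013, 1, 1, 0, 0, 32, tzinfo=timezone.utc)


def weak_password(boot_time: datetime) -> str:
    """Hypothetical time-seeded generator (NOT the real head-unit algorithm).

    Seeds a non-cryptographic PRNG with the boot time in whole seconds, so every
    unit with the same boot time gets the same password, and an unset clock gives
    one fixed password for the whole fleet.
    """
    seed = int(boot_time.timestamp())
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def strong_password() -> str:
    """Draw every character from the OS CSPRNG; not reproducible from any clock value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def nominal_entropy_bits(length: int = PASSWORD_LEN, alphabet: str = ALPHABET) -> float:
    """What the password looks like it has: log2 of all strings of that length."""
    return length * math.log2(len(alphabet))


def seconds_in_window(start: datetime, end: datetime) -> int:
    """Number of one-second seeds between two instants (the real search space)."""
    return int((end - start).total_seconds())


def effective_entropy_bits(seed_space: int) -> float:
    """What a time-seeded password actually has: log2 of the number of plausible seeds."""
    return math.log2(seed_space)


if __name__ == "__main__":
    # Two units with an unset clock: identical "random" passwords.
    print(weak_password(DEFAULT_BOOT), weak_password(DEFAULT_BOOT))
    # Two CSPRNG passwords: unrelated.
    print(strong_password(), strong_password())
    one_month = seconds_in_window(datetime(2013, 1, 1, tzinfo=timezone.utc),
                                  datetime(2013, 2, 1, tzinfo=timezone.utc))
    print(f"nominal: {nominal_entropy_bits():.1f} bits, "
          f"effective for a known month: {effective_entropy_bits(one_month):.1f} bits")
```

The design lesson is the one the page draws: any secret that must be unique per device has to come from a source the attacker cannot reconstruct (a hardware RNG or the OS CSPRNG, or a per-unit secret provisioned at manufacture), never from the clock, the serial number, or other values that are guessable or that share a default across the fleet.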


After connecting to the on-board computer, Miller and Valasek found a way to break into the multimedia computer, which runs Linux. After trying several obvious entry points, they found one that worked and gained control of the system.

Although what this access allows is limited, it is still impressive: full control over the player, the radio and the volume. Imagine driving at 100 km/h when, instead of the radio, static suddenly blasts at maximum volume.

Another capability the researchers found is tracking the car through its GPS. Interestingly, no additional software needs to be installed; the function is already in the system.


So, if the car's owner pays for a Wi-Fi subscription, the car can be attacked that way. But not every owner does. On the other hand, every one of these on-board computers is connected to the Sprint cellular network, even if the owner has not paid for wireless services; that is standard for these head units.

Miller and Valasek pursued this direction. Using a femtocell (a compact cellular base station) bought on eBay, they were able to get onto the Sprint network and scan IP addresses, listening on certain ports they had learned about while hacking over Wi-Fi.



In this way you can find all the Chrysler cars that have the same on-board computer. Then you only need to find the one you want. Oddly enough, that is the hard part. As one of the researchers put it, “it’s easier to hack all Jeeps than one specific one.”

It can be done, however, thanks to the GPS tracking. After that you can just play with the multimedia system, but that is not all. The next step was to look for a way onto the CAN bus, the car's internal network that connects all the components (engine, transmission, sensors and so on), since almost every part of a modern car is controlled by electronics.

The multimedia system is not directly connected to the CAN bus. All automakers describe this as a necessary safety measure. However, the gap can be bridged: the head unit is connected to the V850 controller, which in turn is connected to the CAN bus.

The controller's software was designed so that it could receive data from the CAN bus but not send it. But it is still a computer, and therefore it can be reprogrammed.

The researchers found a way to change the V850 controller's firmware through its connection to the multimedia system. And such an update is carried out without any checks or authorization.
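The missing control the page describes is an update path that accepts whatever image the head unit hands it. The following is an added example, not code from the researchers or from any Chrysler or Renesas component, of the minimum a CAN-attached controller should check before flashing: an integrity tag over the whole image computed with a provisioned key, and a monotonic version so an old, signed image cannot be replayed to roll back a fix. The image layout, magic bytes and key are constructed for the example; a real design would use an asymmetric signature so the verifier holds no secret that can be extracted from the controller.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWV8"                      # constructed magic, not a real V850 image format
HEADER = struct.Struct(">4sI")       # magic + 32-bit firmware version, big-endian
TAG_LEN = hashlib.sha256().digest_size

# Constructed key for the example. In a real controller this would be provisioned at
# manufacture (or replaced by a public key and an asymmetric signature).
PROVISIONED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce header || payload || HMAC-SHA256(key, header || payload)."""
    header = HEADER.pack(MAGIC, version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_update(key: bytes, image: bytes, installed_version: int):
    """Return (accepted, reason) for a candidate image against the installed version.

    Rejects malformed, tampered, wrongly keyed and rollback images. The tag is
    checked before the version is trusted, because the version field is itself
    covered by the tag.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "too short"
    header = image[:HEADER.size]
    body = image[HEADER.size:-TAG_LEN]
    tag = image[-TAG_LEN:]
    magic, version = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "bad signature"
    if version <= installed_version:             # anti-rollback
        return False, "rollback"
    return True, "ok"


class Controller:
    """Toy model of the update path: only verified, newer images are applied."""

    def __init__(self, key: bytes, version: int):
        self.key = key
        self.version = version
        self.firmware = b""

    def apply_update(self, image: bytes):
        ok, reason = verify_update(self.key, image, self.version)
        if ok:
            _, self.version = HEADER.unpack(image[:HEADER.size])
            self.firmware = image[HEADER.size:-TAG_LEN]
        return ok, reason


if __name__ == "__main__":
    ctrl = Controller(PROVISIONED_KEY, version=1)
    good = build_image(PROVISIONED_KEY, 2, b"constructed firmware payload")
    print(ctrl.apply_update(good))                      # (True, 'ok')
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01                       # flip one payload bit
    print(ctrl.apply_update(bytes(tampered)))           # (False, 'bad signature')
    print(ctrl.apply_update(good))                      # (False, 'rollback')
```

The check matters most at exactly the boundary the page describes: a component that is only supposed to listen on the CAN bus stays a listener only as long as its own update path refuses images that did not come from the vendor.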

After that, Miller and Valasek were able to send arbitrary commands onto the CAN bus and make any component of the car do anything. That covered the steering, engine, transmission and brakes, not to mention the wipers, air conditioning, door locks and so on. And all of this could be controlled remotely, over the Sprint network.

The good news is that the research took them years, and they did not disclose the central piece, the method of getting onto the CAN bus, so not everyone is able to repeat it. The bad news is that such hacks are possible in principle, and their consequences cannot be overestimated.

Source: https://habr.com/ru/post/274453/

