[EDUCATIONAL] Remote Hacking of Jeep Cherokee

in technology •  7 years ago 

The year 2015 has been a very exciting year in terms of automotive cybersecurity. Several hacks were published, including three major wireless hacks (BMW Connected Drive, GM OnStar RemoteLink, Tesla Door Attack).
Although BMW's Connected Drive and GM OnStar hacks got some attention, it was not until the Jeep Cherokee hack in July/August 2015 that automotive cybersecurity got mainstream attention. Besides tech portals like Wired, newspapers like USA Today covered this groundbreaking research by Charlie Miller and Chris Valasek. Although it is a multi-layered attack and not all the details will be covered in my first Steemit post, I will try to explain its steps and the result that can be obtained from each step, finally covering the overall result/harm that can be achieved.

A lot of attacks conducted on vehicles only work with physical access to the car, e.g. via the OBD-II port or the wired interfaces of the head unit. Remote or wireless attacks take advantage of wireless interfaces, like Bluetooth, Wi-Fi or the cellular connection of the telematics unit. The TPMS would also be a short-range wireless attack vector. The most dangerous vulnerabilities in a car are security flaws in the cellular connection, as the vehicle can then be accessed remotely from anywhere (limited to the coverage of the carrier, usually the entire country). The Jeep hack uses weaknesses of the cellular connection to access the vehicle and inject arbitrary CAN messages to take control of the car. Gaining this access was not easy though, as multiple steps had to be taken to obtain access to the car over the cellular connection and then eventually to the internal CAN bus networks. In the following, each paragraph elaborates on one step on the way to gaining full remote access to the car.

The point of entry to the car, i.e. the first attack vector taken advantage of, was the head/telematics unit. It is a Harman embedded device called Uconnect running the QNX OS. This device includes Wi-Fi hotspot functionality and a Sprint cellular connection. According to the OEM (FCA), there is a certain "air gap" between the head unit and the internal CAN bus, i.e. the head unit is not directly connected to the internal network. This is normally recommended, as the CAN network can be used to launch any attack on the car, but we will elaborate on this aspect and the vulnerabilities in its implementation later. As a first step, Miller and Valasek purchased the Wi-Fi hotspot functionality (so not many customers will have this in their cars by default). The connection is secured by WPA2. By disassembling the code they figured out that the WPA2 password was a time stamp generated when the head unit was first deployed. As they were using a 2014 model Jeep Cherokee, this limited the number of possibilities to 15 million combinations (and only 7 million when you assume it was first deployed during daytime). This amount could easily be brute-forced within an hour. But after analyzing the relevant piece of code, they realized that this was not even necessary if the head unit could not obtain the time stamp from GPS or cell towers during its first startup. In that case, the software would derive the WPA2 password from epoch time 01 Jan 2013 plus the number of seconds the unit took to start up, so the number of guesses needed shrinks to a handful of combinations. As a result, an attacker driving within range of the victim's car can access the hotspot within seconds. This does not change the fact, though, that the attacker has to follow the car to stay connected to its Wi-Fi. Now let's have a look at what can be done after gaining wireless access to the car's head unit.
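To make the entropy argument concrete, here is a small added example (my own code, not from Miller and Valasek's paper or Harman's firmware). It converts the candidate counts quoted above into bits of key entropy, models the no-time-source fallback as a hypothetical bound on boot duration, and shows what the corrected approach looks like: a 256-bit pre-shared key drawn from the OS CSPRNG, rendered as the 64 hex digits WPA2 accepts directly as a PSK.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
)

// Candidate counts quoted in the post for the timestamp-derived key:
// roughly 15 million plausible deployment seconds for a 2014 model, and
// roughly 7 million if the unit was first started during daytime.
const (
	TimestampCandidates = 15_000_000.0
	DaytimeCandidates   = 7_000_000.0
)

// keyspaceBits converts a count of equally likely candidates into the
// entropy of the resulting key in bits (log2 of the count).
func keyspaceBits(candidates float64) float64 {
	return math.Log2(candidates)
}

// fallbackCandidates models the degenerate path the post describes: with no
// GPS or cell time available, the key becomes a fixed epoch plus the boot
// time in seconds, so the keyspace is just the number of plausible boot
// durations. The bound is a hypothetical parameter, not a value from the paper.
func fallbackCandidates(maxBootSeconds int) float64 {
	return float64(maxBootSeconds)
}

// randomPSK is the corrected approach: 256 bits from the OS CSPRNG, rendered
// as the 64 hex digits that WPA2 accepts as a raw pre-shared key.
func randomPSK() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	fmt.Printf("timestamp scheme:     %5.1f bits\n", keyspaceBits(TimestampCandidates))
	fmt.Printf("daytime timestamps:   %5.1f bits\n", keyspaceBits(DaytimeCandidates))
	fmt.Printf("no-time-source path:  %5.1f bits\n", keyspaceBits(fallbackCandidates(120)))
	psk, err := randomPSK()
	if err != nil {
		panic(err)
	}
	fmt.Printf("random 64-hex PSK:    %5.1f bits (%s)\n", float64(len(psk)*4), psk)
}
```

The contrast is the whole point: even the "good" case of the timestamp scheme is below 24 bits, which is why an hour of guessing suffices, while a key from the CSPRNG sits at 256 bits and has no structure an attacker can exploit.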

The first thing to do after obtaining access to a network is to run a port scan. Miller and Valasek did that and found some open ports, including port 6667, which is normally associated with IRC but here was not running a chat server; it was used for inter-process communication via the D-Bus service. Two security flaws allowed the researchers to easily play with the head unit's functions: there was no authentication, and D-Bus was running as root. Furthermore, an execute method was exposed which allowed running arbitrary shell commands (as root). As a result, Miller and Valasek were able to execute arbitrary commands on the head unit with four lines of Python, and could even get remote shell access using netcat. They were able to change the volume of the radio and even track the vehicle by GPS. But the scope of their attacks was limited by two factors. First, they still did not have access to the CAN bus to mess with ECUs and change the behavior of the car; they were limited to the head unit. Second, they had to stay within range of the Wi-Fi hotspot to carry out their shenanigans. In addition, as the Wi-Fi hotspot functionality is very costly, the majority of customers will probably not have it enabled in their vehicles.

In contrast, the cellular service by Sprint is enabled by default, and the goal is to access the car nationwide from a device in the Sprint network. The same port 6667 was also open on the cellular interface's IP address, which was reachable from any device in the Sprint network. At first the researchers thought they could only reach the head unit by using a femtocell, as Sprint would block access to the vehicles, but apparently it worked without one, so Miller and Valasek could access any vehicle with this Uconnect system from anywhere in the United States. The only problem was that with each start of the vehicle, the cellular interface on the head unit would get a new IP address. The researchers realized that Sprint was assigning all vehicles in its network IP addresses in the ranges 21.0.0.0/8 and 25.0.0.0/8. Scanning port 6667 in these IP ranges and comparing the VINs with an online database provided shocking results: not only the 2014 Jeep models were affected, as FCA had previously stated to Miller and Valasek, but also various other brands of that company, including Ram and Dodge from 2013 to 2015. Although they could not target a specific vehicle, as they could not know its exact IP address (in theory it would be easier to hack all vehicles at once), they showed that it was possible to access vehicles over the cellular connection, reach the D-Bus features and thus control the head unit. Later, Jeep recalled 1.4 million affected vehicles, so a lot of their products were obviously affected by this security flaw.

Now we have eliminated one of the limitations (cellular instead of Wi-Fi), but there is still no access to the CAN bus, where safety-critical hacks can be carried out. In a last step, Miller and Valasek had to make the head unit, which was, again, according to the OEM separated from the CAN bus by an air gap, talk to the internal bus network. For this purpose, we have to analyze the components in the Harman head unit. It consists of an OMAP processor and a Renesas V850 chip which is connected to the CAN bus. The air gap is meant to be between these two units, but in fact they are connected over SPI. Until now, all shenanigans using the D-Bus had been carried out on the OMAP processor. Thus, a way to access the V850 unit and send CAN messages via SPI and the V850 to the CAN bus had to be found. They figured out that this was possible by flashing their own modified firmware to this chip: a USB drive containing the altered firmware is plugged into the head unit, and the OMAP unit then performs the firmware update of the V850 chip. The firmware is not signed; thus an altered firmware binary is not detected during the update. As a result, the researchers were able to disassemble it and build a new modified binary which would be flashed to the V850 without any issues (if you do it correctly and do not brick it). Miller and Valasek wanted to send arbitrary messages from the OMAP to the CAN bus, so they overwrote the SPI parser, which passes the data bytes received over SPI to a memory region on the V850, which in turn writes these bytes to the CAN bus. As a result, they were able to send any CAN message on the bus and thus manipulate almost everything: door locks, brakes, transmission, steering, wipers, etc.

The problem got a quick solution from FCA, mainly because of the huge media coverage. FCA recalled 1.4 million vehicles to patch their head units. Furthermore (and most important in my view), they had Sprint block port 6667, so access to affected vehicles over the cellular connection was effectively prevented. This could have been a big threat, as Miller and Valasek also released all the tools they used and wrote for this hack. It will definitely take some time until all affected vehicles are patched at the dealer, and thus the threat continues, as the Wi-Fi hotspot vulnerability can still be exploited. To sum it up, FCA's reaction to this hack was really quick, for two reasons. First, Miller and Valasek were in continuous contact with FCA, and second, their white paper described all the vulnerabilities in detail, so it was easy to respond to them quickly. Nevertheless, it should not be forgotten that FCA denied that the CAN bus could be reached by hacking the head unit and insisted on the "air gap" (which turned out to be nothing more than a wired SPI connection) for a long time.

This hack consists of two main parts: the remote compromise of the head unit, and access to the internal bus networks due to a lack of secure separation from the head unit. Using a secure, random WPA2 password and closing open ports was a first (and quick) way to address the first part. Signing firmware images would also prevent modified binaries from being flashed. As of now, the second part still has a lot of open issues. A very important way of securing the internal bus network is the separation of CAN busses by introducing a centralized gateway architecture, as used by several German OEMs. Instead of the two CAN busses (CAN-C and CAN-IHS) used inside the Jeep Cherokee, which, to make matters worse, were both connected to the head unit, vehicles should be separated into functional domains, e.g. a dedicated CAN bus each for powertrain, infotainment, body, etc. All these CAN busses are interconnected by a centralized gateway which isolates the busses from each other and blocks CAN messages meant for ECUs in a different, prohibited domain. As a result, even if hackers gain access to the infotainment CAN bus, they will not be able to take control of safety-critical functions like steering or the brakes, as these are located on a different CAN bus. Another approach is the introduction of authenticated CAN. To the best of my knowledge, no OEM is using this technology in their cars today. It has disadvantages, as it bloats the size of the CAN messages and increases the bus load, which is the very reason why CAN separation and the gateway architecture were introduced in the first place. In my humble opinion, the first effective step should nevertheless be a change in the bus network architecture, as it also prevents attacks from other interfaces, like the diagnostic OBD-II port.
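To show what the gateway's job actually is, here is an added example of the routing decision at its core (my own sketch, not any OEM's gateway implementation). Domains and CAN identifiers are hypothetical and constructed for the demo, not the Jeep's real IDs. The policy is an explicit allow-list keyed by source domain and CAN ID: the speed signal may cross from powertrain into infotainment for the display, but a brake command, a door-lock request or a spoofed speed frame coming from the infotainment side is dropped and counted.

```go
package main

import "fmt"

// Domain names a functional CAN segment behind the central gateway.
type Domain int

const (
	Infotainment Domain = iota
	Body
	Powertrain
	Chassis
)

func (d Domain) String() string {
	return [...]string{"infotainment", "body", "powertrain", "chassis"}[d]
}

// CANFrame is a classic CAN frame: 11-bit identifier and up to 8 data bytes.
type CANFrame struct {
	ID   uint16
	Data []byte
}

// Hypothetical identifiers for the demo (not the vehicle's real CAN IDs).
const (
	SpeedID    uint16 = 0x3A0 // vehicle speed: powertrain -> infotainment display
	LockCmdID  uint16 = 0x2B0 // door lock request: body domain only
	BrakeCmdID uint16 = 0x0F0 // brake actuation: chassis domain only
)

type route struct {
	src Domain
	id  uint16
}

// Gateway forwards a frame only if an explicit rule permits that (source,
// ID) pair; everything else is dropped and counted for diagnostics.
type Gateway struct {
	rules   map[route][]Domain
	dropped int
}

func NewGateway() *Gateway { return &Gateway{rules: map[route][]Domain{}} }

// Permit allows frames with the given ID arriving from src to reach dsts.
func (g *Gateway) Permit(src Domain, id uint16, dsts ...Domain) {
	key := route{src, id}
	g.rules[key] = append(g.rules[key], dsts...)
}

// Route returns the destination segments for f, or nil when the frame is
// not allowed to leave its source segment.
func (g *Gateway) Route(src Domain, f CANFrame) []Domain {
	dsts, ok := g.rules[route{src, f.ID}]
	if !ok {
		g.dropped++
		return nil
	}
	return dsts
}

// Dropped reports how many frames the policy has blocked so far.
func (g *Gateway) Dropped() int { return g.dropped }

// demoGateway builds a policy where only the speed signal crosses from the
// powertrain segment into infotainment; nothing flows the other way.
func demoGateway() *Gateway {
	g := NewGateway()
	g.Permit(Powertrain, SpeedID, Infotainment)
	return g
}

func main() {
	g := demoGateway()
	cases := []struct {
		src Domain
		f   CANFrame
	}{
		{Powertrain, CANFrame{ID: SpeedID, Data: []byte{0x00, 0x50}}},
		{Infotainment, CANFrame{ID: BrakeCmdID, Data: []byte{0xFF}}},
		{Infotainment, CANFrame{ID: LockCmdID, Data: []byte{0x01}}},
		{Infotainment, CANFrame{ID: SpeedID, Data: []byte{0x00, 0x00}}},
	}
	for _, c := range cases {
		fmt.Printf("%-12s 0x%03X -> %v\n", c.src, c.f.ID, g.Route(c.src, c.f))
	}
	fmt.Println("dropped:", g.Dropped())
}
```

Note the default-deny direction of the rules: a compromised head unit on the infotainment bus cannot inject anything the policy did not explicitly export, and the drop counter is exactly the signal a detection team would want to monitor.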



i loved this hack! that and the fact they told the manufacturers, who did nothing about it until they went public!!

great article :)


Nice post!! Learned something new eheh, thanks for summing up this matter.
