Sponsored

Dangerous control of my Jeep over the internet

Do you want to be able to defeat your Jeep's ability to communicate over the internet?


  • Total voters
    63

SwampNut

Well-Known Member
First Name
Carlos
Joined
Apr 20, 2020
Threads
21
Messages
1,588
Reaction score
1,571
Location
Peoria AZ
Vehicle(s)
2020 Gladiator Launch Edition
Occupation
Geek
Hey, I just figured something out...... AT&T..........hmmmmm
Don't blow that up out of proportion.

Too soon?

While the IPs and server names will change with any of the cloud services, you can usually trace back any given IP to a provider. So if I log into Guardian and see my traffic going to a particular IP, I should be able to see who owns that. Even if it changes next time. I've never had reason to try deep packet inspection on my home network, so no tools preconfigured for it and it could take anywhere from 90 seconds to hours.

Oh yeah, there was some talk about the bomber being against 5G. Wouldn't be the first anti-tech idiot to martyr himself.
Sponsored

 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,514
Reaction score
54,043
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
Don't blow that up out of proportion.

Too soon?

While the IPs and server names will change with any of the cloud services, you can usually trace back any given IP to a provider. So if I log into Guardian and see my traffic going to a particular IP, I should be able to see who owns that. Even if it changes next time. I've never had reason to try deep packet inspection on my home network, so no tools preconfigured for it and it could take anywhere from 90 seconds to hours.

Oh yeah, there was some talk about the bomber being against 5G. Wouldn't be the first anti-tech idiot to martyr himself.
I REALLY miss all the tools I had at work, the forensics tools, sniffers, packet inspection tools, etc. Sort of glad I wasn't still there when the thing with SolarWinds came up.
GoDaddy stuff had the dirtiest, most malware-laden servers anywhere. So much of what I tracked down was traced right back to their servers - and they didn't care.
Then I tracked some issues that popped up when an employee was accessing social security information - for work, 100% work related, and it triggered an alert to me - SSA was hosting some of the info on Gannett servers and they had been compromised! I contacted their admin and he said "yeah, we have a lot of trouble with that, it's hard to keep up" and wow, that gave me a really warm/fuzzy feeling. Really? The largest publishing company in the US and you host SS info and you can't keep up with malware? OUCH!
Our agency had the record in our state for going about 8 years (last count) malware/virus free and we passed the central IT inspections every time - and yet a huge company couldn't keep up?
 

SwampNut

Well-Known Member
First Name
Carlos
Joined
Apr 20, 2020
Threads
21
Messages
1,588
Reaction score
1,571
Location
Peoria AZ
Vehicle(s)
2020 Gladiator Launch Edition
Occupation
Geek
The largest publishing company in the US and you host SS info and you can't keep up with malware? OUCH!
During some security research and studying, I managed to unearth a huge Excel file containing several hundred thousand peoples' info including SSN on a web server at one of the largest mortgage companies in the country. Their CSO refused to believe me, and kept asking "who are you and what do you want." I ended up hanging up and finding the CLO on Linkedin and he had a much more thankful demeanor.

Buy one of these for backup transportation.

2001 Honda XR250R bullet proof!
A couple months ago I got rid of a pretty simple 250 adventure and replaced it with a KTM 390, partly because of all the electronic integration, ABS, etc.
 

kdfhuey

Well-Known Member
First Name
Keith
Joined
Mar 15, 2020
Threads
18
Messages
122
Reaction score
128
Location
Viera
Vehicle(s)
2020 Jeep Gladiator Rubicon
Vehicle Showcase
1
Not sure why you’d feel unsafe. Even if you didn’t have an account it doesn’t mean someone couldn’t still hack into your Jeep.
 

Sponsored

Mr._Bill

Well-Known Member
First Name
Bill
Joined
Jul 22, 2019
Threads
38
Messages
6,656
Reaction score
7,771
Location
North Las Vegas, NV
Vehicle(s)
2023 Gladiator High Altitude - 2013 Nissan Leaf SV
Vehicle Showcase
1
Not sure why you’d feel unsafe. Even if you didn’t have an account it doesn’t mean someone couldn’t still hack into your Jeep.
Even if someone hacked into the current system, all they could do is send requests to carry out the pre-programmed remote functions. So far, there has been no Jeep hacking without prior physical access to the vehicle.
 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,514
Reaction score
54,043
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
During some security research and studying, I managed to unearth a huge Excel file containing several hundred thousand peoples' info including SSN on a web server at one of the largest mortgage companies in the country. Their CSO refused to believe me, and kept asking "who are you and what do you want." I ended up hanging up and finding the CLO on Linkedin and he had a much more thankful demeanor.



A couple months ago I got rid of a pretty simple 250 adventure and replaced it with a KTM 390, partly because of all the electronic integration, ABS, etc.
I'll never forget the panic that ensued after I did a little demonstration for a state agency.
They had an app for client info tracking that was browser based. I bet you are already ahead of me.
It tracked the client names, addresses, DOB, SSN, phone numbers, client case number in the agency and other stuff. They figured it was all secure because after-all, you had to have a password to get into the app, and you needed a password just to get the PC into windows and onto the network.
Safe and secure. Sure.
Well, I had found evidence that their computers in what they called a "job club" room where clients went in and did job searches, their resumes with help of counselors and so on, had been used to do other things after-hours. Hmmm....... (it was later found out the state trooper who was responsible for security of a couple of the buildings had been hanging out in there using the computers for other things)
So I did a demo where I grabbed a PC off the floor and showed the IT head how I could start the PC, boot it from a Linux disk and attach to the PC's volume, browse to the browser cache and load up files that were tables of the client info - complete.
I told them they needed to set every BIOS to boot from local drive only (no CD, no USB and so on) and password protect every BIOS.
I also said they needed to encrypt each volume.
You should have seen the scramble! He ordered it all done in under a week - at all 35 offices.
But I also showed how if someone gained admin access to the network, they could access the drive and cache remotely and ship out the info - and malware could also do it....... I started a panic.
 
OP
OP

jlrocks

Well-Known Member
Joined
Dec 21, 2017
Threads
6
Messages
46
Reaction score
12
Location
California
Vehicle(s)
CJ6
This won't change anyone's mind but in case it's interesting:

https://www.economist.com/the-world...rderous-cyber-attack-is-only-a-matter-of-time

"There may be simpler means of cyber-homicide. Vehicles—unlike centrifuges or transformers—tend to have highly breakable humans sitting inside them while moving at high speeds, increasingly with a connection to the internet. Such links tend to have weak security standards. Hackers have repeatedly demonstrated the ability to seize control of cars in motion; one such demonstration caused Fiat Chrysler to recall 1.4m vehicles in 2015. ABI, a market-intelligence firm, reckons that 91% of new light vehicles and trucks sold in America in 2020 have internet connectivity. At highway speeds, it would not take a Stuxnet to do some damage. As attackers become more sophisticated and the number of potential targets grows, it is now a question of when, rather than if, a cyber-attack will prove deliberately fatal."
 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,514
Reaction score
54,043
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
More likely to be killed by a drunk or sleeping driver - or road rage.
That already exists, is common, and hardly reported.
People are more concerned about a future maybe or what-if than the reality of today. But but but! It will happen!
Maybe I should set my calendar up for a reminder 20 years from now, pointing to these messages, and see if it's happened after 20 years.
My bet - the proof of concept folks will still be keeping ahead of the real bad guys.
The firewall in current Chrysler products doesn't exist because of a death or a villainous hack, but because white hat hackers proved it COULD be done.
 

Sponsored

SwampNut

Well-Known Member
First Name
Carlos
Joined
Apr 20, 2020
Threads
21
Messages
1,588
Reaction score
1,571
Location
Peoria AZ
Vehicle(s)
2020 Gladiator Launch Edition
Occupation
Geek
This won't change anyone's mind but in case it's interesting:

https://www.economist.com/the-world...rderous-cyber-attack-is-only-a-matter-of-time

"There may be simpler means of cyber-homicide. Vehicles—unlike centrifuges or transformers—tend to have highly breakable humans sitting inside them while moving at high speeds, increasingly with a connection to the internet. Such links tend to have weak security standards. Hackers have repeatedly demonstrated the ability to seize control of cars in motion; one such demonstration caused Fiat Chrysler to recall 1.4m vehicles in 2015. ABI, a market-intelligence firm, reckons that 91% of new light vehicles and trucks sold in America in 2020 have internet connectivity. At highway speeds, it would not take a Stuxnet to do some damage. As attackers become more sophisticated and the number of potential targets grows, it is now a question of when, rather than if, a cyber-attack will prove deliberately fatal."
Someone who has zero clue how this works, but feels the need to speak anyway.

Jeep Gladiator Dangerous control of my Jeep over the internet 000ba7af444db111e2748658c7b48d8a
 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,514
Reaction score
54,043
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
Uh, they did exactly the same thing in prior decades except it was more manual. Surveys, miles on vehicles traded in, county records, yes, it was all out there. How did these companies like Powers get their info? They knew even before this century how many miles an average vehicle was driven, what the age groups were and more.
They simply get the date faster now. All of that was already totally available. When you trade a vehicle in Iowa, they know the age and miles on said vehicle. When Powers and others do their surveys - they get age group, miles driven a year, annual income range, age of vehicle and more. I've filled out such surveys. So they all have that anyway.They don't need GPS tracking to know any of that. Leases have been around for many decades - and they know what the average person drives and have since the 50s at least.
AAA kept track, as have others.....

Jeep Gladiator Dangerous control of my Jeep over the internet 6a00d8341c4fbe53ef01b8d2d4cbbd970c-800wi
Sponsored

 
 







Top