Dangerous control of my Jeep over the internet

[unsocbl]

Wow, now I am truly impressed (and I am NOT mocking but am genuinely impressed with those security credentials). I never got THAT far (officially - just taught some classes at Symantec in Eugene, OR years ago) so I understand the work that goes into those letters.
I especially like the white hat hacker bit. I always told people who asked how I did it - you have to think like the bad guy, get into their head, their motivation, think like them, to know how to protect against them.
Cool

Cant take all the credit. I came in with the Cissp and cssp and the company I work for footed the expense for the training and certs for the other 2.
I'm trying to change fields a bit and get my Cisco certifications (Network oriented)

Sponsored

 

[LostWoods]

The problem is you are spewing misinformation like the OP. The Uconnect system does not allow outside access to the Jeep computer systems. There is no life safety or dangerous control issues. There are some pre-programmed functions that can be requested, but no direct access that can be exploited. All recorded hacking events, so far, have required prior physical access to the truck to carry out. The updates to the current security were a result of showing what was possible.

The onboard WiFi is a cellular hotspot, which does not have access to the internal systems. As long as the Uconnect modem has access to the cellular network, and you are willing to pay additional for the service, it can provide WiFi for you to use. Many already have this as a feature on their phones and are not willing to pay for it.

What misinformation? Are you not aware of the dudes who presented at Black Hat who literally hacked an unmodified Cherokee via the onboard wifi? It's not a current vector anymore because they revised the SGW but it's arrogant and foolish to claim anything is unhackable.

 

[ShadowsPapa]

Cant take all the credit. I came in with the Cissp and cssp and the company I work for footed the expense for the training and certs for the other 2.
I'm trying to change fields a bit and get my Cisco certifications (Network oriented)

I went through training on Cisco ASAs and did a tiny bit with the Cisco switches but we were moving to Juniper - until the senior guy retired then that halted and we had a mix. Core switches were juniper, ASAs and edge switches were Cisco.

 

[ShadowsPapa]

What misinformation? Are you not aware of the dudes who presented at Black Hat who literally hacked an unmodified Cherokee via the onboard wifi? It's not a current vector anymore because they revised the SGW but it's arrogant and foolish to claim anything is unhackable.

As you even said - that's OLD......- 2015, before added security. Doesn't count as any current threat

 

[LostWoods]

As you even said - that's OLD......- 2015, before added security. Doesn't count as any current threat

I'll re-emphasize:

it's arrogant and foolish to claim anything is unhackable.

Old things get patched, new things get found. Spectre and its variants sat in hiding for over a decade. Just because it isn't currently known doesn't mean it won't be an issue in the future.

Either way I'm done in here. I've said what I need to say and there's no reason to further waste keystrokes.

 

[jebiruph]

That's not technically a hack.
You downloaded compromised software from SolarWinds.
Apparently you weren't running a check on that file to verify the fingerprint of the original file (the file's hash, MD5, SHA-1, and SHA-256, etc.) maybe you allowed automatic updates.

Unreal that government sites don't verify things better. More unreal that SolarWinds wasn't careful - but then I did some tracking of their history.....................

I'm definitely not as knowledgeable as you on security, but I thought the Solarwinds breach involved access to and the changing of source code, would that be caught by MD5, SHA-1, and SHA-256, etc?

 

[ShadowsPapa]

I'm definitely not as knowledgeable as you on security, but I thought the Solarwinds breach involved access to and the changing of source code, would that be caught by MD5, SHA-1, and SHA-256, etc?

If all they did was change the update file(s), yes it should have not matched the hash.
But if they had enough access while in SolarWinds equipment, I suppose the hash file could have been changed so when you compared it would match.

Whoever got in apparently was in for a while and had free reign.
Maybe I was TOO picky and too careful, but really - did those people not run their own software telling them what was touched and when?

We got really careful after we set up automatic updates for our Cisco ASA firmware. We came in one morning to find 1/4 of our offices down and the ASAs unrepairable. A Cisco update literally trashed the ASAs and they were unrecoverable.

 

[jlrocks]

Where the bloody hell do you get "most of us"?
Seriously?

Check the poll, sleuth. Now write me a giant wall of text on why it doesn't count.

 

[5JeepsAz]

What we are saying is be humble before history. This tech is highly suspect. Everybody knows it. Stop with the concept that it is all good. It ain't. We've known this simple fact, that auto tech has an upside and a downside, since 50 years ago when gm introduced the first robot. Read this....


On the 100th Anniversary of ‘Robot,’ They're Finally Taking Over
A century after playwright Karel Čapek coined the word ‘robot,’ we finally have the technology to make the stuff of science fiction a reality—for better and for worse

General Motors installed the world’s first industrial robot, the Unimate, in 1961, with the idea that it could take over repetitive, arduous and hazardous tasks.
PHOTO: THE HENRY FORD

By
Christopher Mims
Jan. 23, 2021 12:00 am ET

On Jan. 25, 1921, Karel Čapek’s play “R.U.R.”—short for “Rossum’s Universal Robots”—premiered in Prague. It was a sensation. Within two years it had been translated into 30 languages, including English, to which it introduced the word “robot.” Čapek’s vision of unwilling slaves of humanity destined to rise up and destroy their makers has shaped our view of both automation and ourselves ever since.
In a century-long dialogue between inventors of fictional and actual robots, engineers have for the most part been forced to play catch-up, either realizing or subverting the vision of robots first expounded in books, movies and television.
Now, the reality of robots is in some areas running ahead of fiction, even ahead of what those who study robots for a living are able to keep track of.

 

[Mr._Bill]

Check the poll, sleuth. Now write me a giant wall of text on why it doesn't count.

45 votes, out of how many thousand members, compared to how many Gladiators sold? You're trying to claim 'most of us' with a 51/49 split on the votes received? And then there is the issue of the Poll Question being something that the Jeep doesn't actually do.

 

[SwampNut]

but the fact it has a potentially critical impact that threatens life

Except for the fact that it doesn't.

 

[eaglerugby04]

Cant take all the credit. I came in with the Cissp and cssp and the company I work for footed the expense for the training and certs for the other 2.
I'm trying to change fields a bit and get my Cisco certifications (Network oriented)

If you are going cisco avoid Firepower at all costs! That product is terrible and I celebrated the day we replaced that with Palo. I took a similar path, lots of security certs and then ended up jumping into network security architecture/engineering a few years ago.

 

[eaglerugby04]

The one vector is the onboard wifi which may or may not disable if there's no LTE... it can be toggled and clearly the wifi can't access the internet without cellular, but who knows how it will operate in a retired state. Though I'm not sure LTE is going away even in 10 years.

But either way, I think people are missing my point here... I'm not arguing it's a common vulnerability, quite the opposite. It's a very low risk (and even future vulnerabilities will likely be low risk), but the fact it has a potentially critical impact that threatens life means to me that you should be able to fully disable the system beyond just the onboard hotspot setting. It's a trivial thing to code.

This is what really scares me. With the rollout of Uconnect 5 this system is already earmarked to be left in the dust to a degree. Risk is low here but still possible.

What is more likely is the Uconnect 4 is calling into some legacy infrastructure somebody forgot about that ends up being vulnerable in the future with thousand of cars still checking in waiting for commands. There are more functions than the mopar app offers, will it allow remote driving, no. But could somebody shutoff your car while you are going 80 on the interstate, more than likely yes.

 

[SwampNut]

What is more likely is the Uconnect 4 is calling into some legacy infrastructure somebody forgot about that ends up being vulnerable in the future with thousand of cars still checking in waiting for commands. There are more functions than the mopar app offers, will it allow remote driving, no. But could somebody shutoff your car while you are going 80 on the interstate, more than likely yes.

Not even remotely likely, and no, there's no functionality to allow this system to shut down the vehicle.

 

[eaglerugby04]

Not even remotely likely, and no, there's no functionality to allow this system to shut down the vehicle.

I wouldn't believe it until I saw a full listing of what the unit will accept. The fact that it does have access to start the vehicle in those equiped leaves the it open for stop, unless FCA put some very tight controls on there. Which is possible, but I also see them being intentionally left in for things like vehicle recover, etc but only an approved agent or some BS can use them.

Sponsored