When Wired ran the story about Charlie Miller and Chris Valasek hacking a Jeep and running it off the road last year, it was not some snappy lark. The process took several months of painstaking effort to learn the vehicle’s information system and crack the code. In the end, the two scientists (Miller has a PhD in mathematics and Valasek has a degree in computer science) figured out they had to enter the Jeep’s CAN Bus brains to reach the steering and the brakes.
Charlie Miller speaking at the 2016 ARM TechCon conference.
At a keynote talk at the ARM TechCon conference this week, Miller offered the details of the hacking and warned that vehicles will not be cyber-safe anytime soon. He started off explaining that car hacking is very recent, since hackers didn’t realize cars were vulnerable until just the last few years. “Hacking cars started in 2010. Until then, people didn’t realize there are computers in their cars. They didn’t realize that if you plug into a car, you can cut the brake lines,” said Miller, who works as an engineer at Uber. “I read the papers about the first hackings and decided this was something I wanted to do.”
Miller noted that the first car hackers entered through OnStar. “OnStar is a service that allows you to call for help. They dialed into OnStar and took over the car,” he said. “They did it in a testing track. They could lock up individual brakes, and they were able to stop the car. They didn’t release any details, so I didn't have anything to go on. They didn’t even reveal what type of car they used.”
For their first hacking, Miller and Valasek used a Ford Escape and a Toyota Prius. “We went to a car dealer and bought the cars. We hacked in and found we could control the keys and the locks,” said Miller. “We were able to control the steering. It was inconsistent, but we could do it sometimes. It would take 30 minutes.”
The Vulnerabilities Are in the Features
Through the process of hacking, Miller and Valasek learned how the data systems in cars are put together. They discovered the importance of the CAN Bus. “Cars have changed. As you add more and more features, you have all this wire in the car. That’s weight and cost, so car companies decided to create a CAN Bus so you don’t have as many wires,” said Miller. “They also moved to wireless communication such as wireless tire pressure sensors. Now you have outside signals coming into the car, and those signals have vulnerabilities that can lead to compromises from the outside world.”
The communication systems of cars became more complex with the addition of steering and braking features. “They added non-collision safety features, and that gets you close to the brakes. Parallel parking technology means a computer can control your steering, and it’s all connected together,” said Miller. “That means there is a computer attached to your brakes and steering. Once you get in, you can talk to other areas of the car.”
Miller and Valasek then moved on to Miller’s Jeep. “We were able to hack into the Jeep. We found we didn’t need to be near the car,” said Miller. “We told Chrysler we could do it and they ignored us. When Wired published the article about our hacking, they fixed the problem in like two weeks.”
To enter the Jeep, Miller and Valasek needed to dig into the chips at the center of the vehicle’s information system. “We found there were two chips in the CAN Bus, and there was a connection between the chips. I could reach the one that controls the car, but I couldn’t control the chip,” said Miller. “But we discovered that the other chip could reprogram the chip that controls the car. Once we learned that, we could go anywhere.”
Through the process of learning how to manipulate the chips, Miller and Valasek kept goofing up the chips. They had to keep getting the chip repaired at the Jeep dealer. “Reprogramming the chip was really bad. I kept having to go back to the dealer to get the chip fixed -- on warrantee. I kept saying, ‘This must be a lemon,’” said Miller.
Getting into the chips allowed the hackers to begin to manipulate the Jeep, but it took more time to learn how to grab complete control of the vehicle. “We could get the brakes to not work, but only if the car was moving very slowly. The system prevented us from cutting out the brakes if the vehicle was going fast,” said Miller. “We found ways to bypass that and crash the Jeep. We didn’t really want to crash it, but it was kinda cool when it happened.”
Car Hackability Is Just Beginning
Miller noted that cars continue to have a number of vulnerabilities that challenge the auto industry. “There are now 40 or 50 computers on your car, all talking to each other. There is one central computer, and it’s not made by the car company,” said Miller. “My car has WiFi. I found a vulnerability in how it processes information from the outside world. I figured it would take months to exploit the car, but it only took about five minutes. There was an interface that faced the outside world. And that’s a feature not a bug.”
As new features show up on cars, new vulnerabilities will appear. “Cars actually have web browsers now. BMWs have web browsers,” said Miller. “Can we all agree you can’t make a web browser secure?”
After all his experience, Miller concludes that the vulnerabilities are inherent in a car’s connectivity. “The lesson is that cars were always insecure but it didn’t matter because they weren’t connected. That has changed,” he said. “We don’t want to wait until cars can get hacked and crash, so we’re trying to get car makers to become aware of the problem.”
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.