The reported wireless hacking of a Jeep Chrysler has prompted not only new vehicle security and privacy legislation and a manufacturer's recall, but also the need for an exemption to the Digital Millennium Copyright Act (DMCA).
In a Wired article published Tuesday, writer Andy Greenberg described driving down Interstate 64 in St. Louis when the air conditioner started blasting, the radio station changed, the windshield wipers turned on and, ultimately, the car's accelerator stopped working.
While the news of car hacking is not new -- Miller and Valasek performed a similar hack on Greenberg in 2013 -- this was their first publicized wireless car hack. In the prior attack, Miller and Valasek were wired into the car's onboard diagnostic port.
Miller and Valasek claimed they could wirelessly kill the engine, engage the brakes and even disable the brakes altogether. They're also working on controlling steering -- something they are only able to now do if the car is in reverse. The duo said they can track GPS coordinates and measure car speeds, as well.
The vulnerability lies in the a software component Chrysler calls Uconnect -- an in-vehicle connectivity system that controls the car's navigation and entertainment, enables phone calls and even creates a Wi-Fi hotspot. The researchers pointed out that anyone who knows the car's IP address can gain access to this system from anywhere in the country.
"From an attacker's perspective, it's a super-nice vulnerability," Miller said.
Miller and Valasek, who will not disclose the vulnerable entry point of Uconnect until their scheduled appearance at Black Hat next month, said once their code was written onto the car's entertainment system hardware chip, they could send commands through the car's internal network to physical components. The hack reportedly works on all Chrysler vehicles with Uconnect, including late 2013, all 2014 and early 2015 models. The researchers have not tried the hack on other makes or models, but believe that with some tweaks, the hacks would likely be successful.
The pair said they will not disclose the part of their attack that rewrites the chip's firmware; hackers will have to figure that out for themselves -- a process that took Miller and Valasek months.
The researchers have been in contact with Chrysler for almost nine months, according to the Wired article. Late last week, Chrysler's parent company, FCA US LLC, released a bulletin for a software update, but made no mention of Miller and Valasek's work. Miller commented on Twitter that the patch met his standards:
Checked patch, looks good. Well done Chrysler! Now, back to a vulnerable version for more testing! pic.twitter.com/RdBOyrRPuc— Charlie Miller (@0xcharlie) July 20, 2015
Miller and Valasek estimated as many as 471,000 vulnerable vehicles are on the road, and it's time to take the threat seriously.
"If consumers don't realize this is an issue, they should. And they should start complaining to carmakers," Miller said. "This might be the kind of software bug most likely to kill someone."
On Friday, FCA US released a voluntary recall to update software in approximately 1.4 million U.S. vehicles with certain touchscreen radios. The fix will "insulate" connected vehicles from remote manipulation and block remote access.
The company maintained it is "unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents -- independent of the media demonstration."
Affected vehicles include Dodge, Jeep and Chrysler models. The update -- which customers can download or receive via USB -- will contain additional security features beyond the network-level measures that prevent remote access, according to FCA US's press release.
Looks like I can't get to @0xcharlie's Jeep from my house via my phone. Good job FCA/Sprint!— Chris Valasek (@nudehaberdasher) July 24, 2015
Congress takes notice: The SPY Car Act
If consumers haven't noticed, congress surely has.
On Tuesday, Senators Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced legislation that would require the National Highway Traffic Safety Administration and Federal Trade Commission to establish federal standards to secure automobiles and protect drivers' privacy.
The Security and Privacy in Your Car (SPY Car) Act, would establish cybersecurity standards to protect Internet-connected vehicles from hacking, as well as standards to improve the transparency of how driver data is gathered, transmitted, stored and used. The legislation also calls for the prevention of driving data from being used for advertising or marketing, unless a user agrees to it.
The SPY Car Act also aims to establish a "cyber dashboard" -- a rating system that would inform consumers and display the vehicle's security and privacy protections.
Markey first took note of Miller and Valasek's work in 2013 and started pushing for vehicle security legislation then. He released a report earlier this year. In Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, Markey detailed the security and privacy practices -- or lack thereof -- of 16 major automobile manufacturers. The U.S. House of Representatives' Energy and Commerce Committee published its own detailed analysis in May, which came to similar conclusions.
Using vehicle security case to create a DMCA exemption
The Electronic Frontier Foundation's Kit Walsh took the news of the hack as an opportunity to highlight the issues with the controversial Section 1201 of the Digital Millennium Copyright Act, often referred to as the DMCA anti-circumvention provisions.
The EFF filed for an exemption to Section 1201 to "protect security and safety research on vehicle software from DMCA liability." According to Walsh, the automakers "showed up in force" and argued there was no reason for independent security research. Miller, Valasek and other researchers, Walsh wrote, have "amply shown the need for independent vehicle security research."
The EFF asked for a second exemption that would allow alternative software providers from the original manufacturer to secure vehicle software and perform repairs and customization.
The U.S. Librarian of Congress will issue a final ruling in the fall.
The automakers, however, have separately announced measures to prove they can take care of vehicle security matters internally. Last week, the Alliance of Automobile Manufacturers published plans to create a new initiative to add a layer of cybersecurity protections with the creation of an auto information sharing and analysis center (ISAC).
The July 14 press release said the ISAC will "serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks."
In other news
- In a statement released Wednesday by Hacking Team, the company wrote that while the media was making it out to be the bad guy, Hacking Team was the real victim of the criminal breach. News about the hack of the Milan-based security firm came to light earlier this month when hackers released a 400 GB torrent file of its internal documents, source code and email communications. The data dump resulted in a slew of security updates over the past week. Amid discussion that the company has "100% compliance with laws and regulations," the company also said in its statement that it did not have backdoor access to its clients' Remote Control Systems installments. However, researcher Joe Greenwood of 4Armed Ltd. published research Monday contradicting the company's stance. Through source code analysis, Greenwood determined Hacking Team was remotely able to disable clients' RCS software.
- Last week, Trend Micro Inc. researchers discovered a fake news app in the Hacking Team data dump that appeared to be designed to circumvent filtering in Google Play. The "BeNews" app's source code was discovered in the leak, as well as a document about how to use it. "We believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target's Android device," Trend Micro's Wish Wu wrote in a blog post. The app was downloaded up to 50 times before it was removed from Google Play on July 7. Researchers believe the app was able to circumvent Google Play restrictions using dynamic loading technology.
- Two companies have advocated the use of their free tools to help users find out if they are victims of the Hacking Team breach. Windows users can employ the free Milano utility from Rook Security Inc. to scan for the presence of files associated with the Hacking Team breach; OS X users can employ the osquery tool from Facebook Inc. to identify if the Hacking Team backdoor is present.
- In additional Hacking Team news, six former employees are being investigated by Milan prosecutors in connection with the attacks, according to Reuters. The investigation was launched after Hacking Team Chief Executive David Vincenzetti filed a complaint in May, accusing the employees of revealing part of the company's source code. So far, no charges have been filed.
- Bloomberg reported Monday that 29 U.S. Department of Homeland Security (DHS) officials had been accessing private Web-based email from official work computers for more than a year. While the DHS banned private email on official system in April 2014 after an Office of Personnel Management breach, certain staff members -- including Secretary Jeh Johnson, Deputy Secretary Alejandro Mayorkas, Chief of Staff Christian Marrone and General Counsel Stevan Bunnell -- were granted official wavers. DHS Press Secretary Marsha Catron confirmed the exemption, but told Bloomberg that "going forward, all access to personal webmail accounts has been suspended" and future exemptions will only be granted by the chief of staff. While it is currently unknown whether the officials conducted business through personal email, a DHS spokesperson maintained the use of personal email for official purposes was and is strictly prohibited. At a Politico event Tuesday, Johnson said, "To be perfectly honest, this is something that I had for a while. And when I read the story, I said, 'Whoops, this is not a good practice, so I should discontinue it.' I probably should have done it sooner. I want to see others on that list do the same thing." Kevin Foisy, chief software architect and co-founder of STEALTHbits Technologies Inc. said, "It's not unusual for senior people in an organization to be exempted from normal IT security practices. But in the case of DHS and access to external email, this is a bit surprising. Email is one of the leading exploited entry points into organizations: the phishing attack. By DHS allowing unguarded access to external email systems, a gaping hole is potentially opened for hackers -- it's a big wide-open backdoor." In March, former U.S. Secretary of State, Senator and First Lady Hillary Rodham Clinton came under fire for using a personal email server rather than a government-issued email account during her four-year Secretary of State tenure.
- A study published Wednesday by HP found 100% of the smartwatches tested were vulnerable to significant security issues. Researchers used HP Fortify on Demand to analyze 10 smartwatches, as well as their Android and iOS cloud and mobile application components. After analysis, researchers concluded 30% of the devices were vulnerable to account harvesting and 70% transmitted firmware updates without encryption. Three of the ten devices used cloud-based Web interfaces, and in a separate test, 30% exhibited account enumeration. While all the watches used SSL/TLS, 40% of the cloud connections were vulnerable due to the POODLE attack, the use of weak cyphers or SSL v2. Additionally, only half of the smartwatches offered screen lock capabilities. Researchers concluded that because of these vulnerabilities -- and the fact that smartwatches all collect some sort of personal data -- a "new and open frontier" has been created for cyberattackers. "Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities," said Jason Schmitt, general manager, HP Security, Fortify. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks." HP researchers recommend users enable passcode, screen lock, encryption and two-factor authentication where possible and never approve unknown pairing requests to the device. Enterprises should ensure TLS implementations are configured and implemented properly, user accounts and data are protected with strong passwords, controls are in place to prevent man-in-the-middle attacks, and mobile apps are built into the device.
Learn 10 crucial lessons about ethical hacking