Real World Attack-Chrysler Jeep
This well-known attack occurred in the summer of 2015 (Mearian, 2016). Its effect was far-reaching and is still being felt in the industry. As a result, FCA (formerly known as Chrysler) recalled 1.4 million Jeep, Dodge, Chrysler, and Ram vehicles (Mearian, 2016; Finkle & Woodall, 2015). The recall was carried out in two ways: affected customers could bring their vehicle to the dealership and have the dealership download the patch, or they could plug a mailed USB drive into their vehicle (Greenberg, 2016). The USB drive would then automatically download the patch and update the vehicle.
The affected vehicles had the 8.4-inch Uconnect touchscreen installed (Stone, 2015). Specifically, these were the 2013-2015 Dodge Viper specialty vehicle, 2013-2015 Ram pick-ups (1500, 2500, and 3500), 2013-2015 Ram chassis cabs (3500, 4500, and 5500), 2014-2015 Jeep Grand Cherokee and Cherokee SUVs, 2015-2015 Dodge Durango SUV, 2015 Chrysler (200 and 300), 2015 Dodge Charger sedans, and 2015 Dodge Challenger sports coupe. Although only a limited number of model years were affected, many models were involved.
As noted, the issue was with the Uconnect operating system (Perkins, 2015). This broad vulnerability was exploitable through one communication method the Uconnect system used, which required the vehicle’s IP address (Walters, 2015). Once the attacker had this address, they could connect remotely from anywhere to the infotainment system designed by Harman (Crosse, 2016). This vulnerability gave the attacker access to the vehicle’s controller area network (CAN). They also attacked the OBD-II port via an attached dongle (Gibbs, 2015).
The attack was recorded and posted on YouTube, among other social media venues. The two attackers disengaged the 2014 Jeep Cherokee’s transmission while it was on a St. Louis freeway and manipulated other attack points (Greenberg, 2016; Greenberg, 2015; Kudialis, 2015), including the radio volume, speed, and climate control, and disengaged the brakes.
FCA remediated this vulnerability in part through Sprint closing port 6667 (Kudialis, 2015; McAllister, 2015). For others, it is advisable to block any unused ports that are accessible via Wi-Fi (Robertson, Moritz, and Khariff, 2015).
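The advice to block unused ports can be checked with a listener audit. The following is an added example, not code from the article or from FCA. It assumes a Linux host whose `ss -H -tuln` output is being reviewed, uses a constructed sample and a hypothetical allowlist, and goes slightly beyond the Wi-Fi case by flagging every listener that is not bound to loopback.

```python
# Defensive audit: report listening sockets reachable off-box that are not
# on an explicit allowlist (for example, a leftover service on port 6667).
import ipaddress

# Constructed sample in the column layout of `ss -H -tuln` (Linux iproute2);
# it is not captured from any vehicle.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:6667      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5355    0.0.0.0:*
tcp   LISTEN 0 128 192.168.5.1:22    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:67        0.0.0.0:*
tcp   LISTEN 0 128 [::]:6667         [::]:*
tcp   LISTEN 0 128 [::1]:631         [::]:*
"""

# Hypothetical policy: only these (proto, port) pairs may be exposed.
ALLOWED = {("udp", 67)}


def split_hostport(local):
    """Split 'addr:port', handling bracketed IPv6 and '%iface' scopes."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def is_loopback(host):
    if host == "*":  # ss prints '*' for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, allowed=ALLOWED):
    """Return sorted (proto, host, port) for non-loopback, non-allowed listeners."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        proto, local = fields[0], fields[4]
        host, port = split_hostport(local)
        if is_loopback(host) or (proto, port) in allowed:
            continue
        findings.add((proto, host, port))
    return sorted(findings)


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {host}:{port}")
```

Each finding is a candidate for either a firewall rule or disabling the service; wildcard binds (`0.0.0.0`, `::`) deserve attention first because they are reachable on every interface, wireless ones included.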
Crosse, J. (2016, April 14). Car hacking: How cyber security is stepping up. Retrieved from http://www.autocar.co.uk/car-news/industry/car-hacking-how-cyber-security-stepping
Finkle, J. & Woodall, B. (2015, July 30). Researcher says can hack GM’s OnStar app, open vehicle, start engine. Retrieved from http://www.reuters.com/article/us-gm-hacking-idUSKCN0Q42FI20150730
Gibbs, S. (2015, August 12). Security researchers hack a car and apply the brakes via text: Vulnerability revealed in diagnostic dongles used for vehicle hacking and insurance that lets them take control using just an SMS. Retrieved from http://www.theguardian.com/technology/2015/aug/12/hack-a-brakes-sms-text
Greenberg, A. (2015, July 21). Hackers remotely kill a Jeep on the highway-With me in it. Retrieved from http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Greenberg, A. (2016, March 17). The FBI warns that car hacking is a real risk. Retrieved from http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/
Kudialis, C. (2015, August 5). Security experts detail Jeep hacking at Black Hat conference. Retrieved from http://www.reviewjournal.com/life/technology/security-experts-detail-jeep-hacking-black-hat-conference
McAllister, N. (2015, August 11). Blackberry can’t catch a break: Now it’s fending off Jeep hacking claims. Retrieved from http://www.theregister.co.uk/2015/08/11/blackberry_denies_blame_in_jeep_hack/
Mearian, L. (2016, March 23). Should you worry that your car will be hacked? Retrieved from http://www.computerworld.com/article/3047193/security/should-you-be-worried-your-car-will-be-hacked.html
Perkins, C. (2015, July 31). Hacker discovers a major vulnerability in GM cars, hijacks vehicle functions. Retrieved from http://mashable.com/2015/07/31/gm-onstar-hack-#TXV0RdSrScqr
Robertson, J., Moritz, S., and Khariff, O. (2015, July 31). Hacked Jeep Cherokee exposes weak underbelly of high-tech cars. Retrieved from http://www.bloomberg.com/news/articles/2015-07-31/hacked-jeep-cherokee-exposes-weak-underbelly-of-high-tech-cars
Walters, G. (2015, July 22). Could your car be the next to come under attack? Retrieved from http://www.dailymail.co.uk/sciencetech/article-31752/could-car-come-attack-GUY-WALTERS-explains-computer-hackers…
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.