When Charlie Miller and Chris Valasek demonstrated a year ago how they could remotely exploit vulnerabilities in Chrysler’s 2014 Jeep Cherokee, and fiddle with its wipers, radio, motor and brakes (at low speeds), it forced the company to confront and address the issues.
But their research into automotive security didn’t end there, and the pair is scheduled to present new techniques for injecting CAN messages onto the vehicle’s network at Black Hat USA 2016 on Thursday.
Again they targeted the same Jeep Cherokee, and this time the potential consequences of a successful attack are even more scary, as they have managed to bypass protections and can “tell” the car to brake or turn the steering wheel at any speed.
As Chrysler has fixed the flaw that previously allowed them remote access to the car’s systems, these latest attacks can be performed only when the attacker’s laptop is connected to the car’s CAN network via an onboard diagnostic (OBD) port located under its dashboard.
But the researchers say it’s only a matter of time until another flaw is found that will allow remote access and attacks, and that’s why the automotive industry has to test, attack and audit its products for flaws constantly.
I don’t know whether Chrysler is ultimately happy or not about the attention its cars get from Miller and Valasek, but the company faced reality and launched a public bug bounty program in July.
Other researchers have turned to testing the security of large industrial vehicles, and have been successful at controlling the acceleration and braking of a bus and a tractor.
As their attack is based on the exploitation of the SAE J1939 standard used across all US heavy vehicle industries, it will likely work on other heavy vehicles as well.
To execute it, the attacker has to, once again, be physically plugged into the vehicle’s OBD port, but the researchers echo Miller’s and Valasek’s conviction that remote, over-the-Internet attacks are just a flaw discovery away.
The group is set to present its research at the Usenix Workshop on Offensive Technologies conference next week.