Developers Club geek daily blog

1 year, 4 months ago
How Charlie Miller and Chris Valasek hacked the Jeep Cherokee


At the start of their research, Miller and Valasek tried to break into the Jeep's multimedia system over Wi-Fi. The car's vendor, Chrysler, offers Wi-Fi as a subscription service. This wireless link turned out to be fairly easy to crack, because its password was generated automatically from the time at which the car and its multimedia system were first switched on.

In theory, with time measured to the second, this method is quite reliable, since there are a great many possible timestamps. But if you know at least the year of manufacture and guess the month, the search narrows to 15 million combinations. Narrowing it further to daytime hours leaves 7 million combinations, which is already a fairly good result: it can be brute-forced in about an hour.



The problem is that for that whole hour you would have to stay near the Jeep to remain within Wi-Fi range. But the researchers found another way. It turned out that the Wi-Fi password is created before the system has its date and time set, that is, from the default starting time plus the few seconds it takes the on-board computer to boot.

And that time is exactly January 01 2013 00:00:32 GMT.
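As an added illustration, not code from the article or from the researchers, the following Python models why a password seeded from the first-boot time has almost no entropy, especially when the clock is still at its default value. The SHA-256 derivation, the unset-clock fallback and the ten-second boot-delay window are assumptions; only the default timestamp comes from the article.

```python
import hashlib
import math
import secrets
from datetime import datetime, timezone
from typing import Optional

# Default clock value of an unprovisioned head unit, as stated in the article.
DEFAULT_EPOCH = datetime(2013, 1, 1, 0, 0, 32, tzinfo=timezone.utc)


def weak_wifi_password(first_boot: Optional[datetime], boot_delay_s: int = 0) -> str:
    """Hypothetical time-seeded generator: its only entropy is the boot time.
    If the clock was never set, every unit starts from DEFAULT_EPOCH, so all
    such units derive the same password (plus a few seconds of boot jitter)."""
    base = first_boot if first_boot is not None else DEFAULT_EPOCH
    seed = int(base.timestamp()) + boot_delay_s
    return hashlib.sha256(str(seed).encode()).hexdigest()[:16]


def strong_wifi_password(nbytes: int = 16) -> str:
    """Hardened generator: draws from the OS CSPRNG, independent of the clock."""
    return secrets.token_hex(nbytes)


def keyspace_bits(window_seconds: int) -> float:
    """Effective entropy of a second-resolution timestamp confined to a window."""
    return math.log2(window_seconds)


def entropy_report() -> dict:
    """Search space of time-seeded passwords versus a 16-byte random one.
    The 10 s window for an unset clock is an assumed boot-delay spread."""
    return {
        "one_year": round(keyspace_bits(365 * 24 * 3600), 1),   # about 24.9 bits
        "one_day": round(keyspace_bits(24 * 3600), 1),          # about 16.4 bits
        "clock_unset": round(keyspace_bits(10), 1),             # about 3.3 bits
        "random_16_bytes": 16 * 8,                              # 128 bits
    }
```

Two units whose clocks were never set produce identical passwords from the weak generator, while the CSPRNG-backed generator never repeats.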


Once connected to the on-board computer, Miller and Valasek found a way to break into the Linux-based multimedia computer. After trying several obvious avenues of entry, they found one that worked and gained control of the system.

The hack's capabilities at this point are limited, but still impressive: full control over the media player, the radio and the volume. Imagine what happens if you are driving at 100 km/h and, instead of the radio, static suddenly blares at maximum volume.

Another capability the researchers found was tracking the car through its GPS. Interestingly, no additional software needs to be installed for this; the function is already present in the system.


So if the car's owner pays for the Wi-Fi subscription, it can be hacked in this way. But not every owner does. On the other hand, all of the on-board computers are connected to the Sprint mobile network, even when their owners have not paid for wireless service. That is already the standard for on-board computers.

Miller and Valasek tried working in this direction as well. Using a femtocell (a compact cellular base station) bought on eBay, they were able to get onto the Sprint network and scan IP addresses, listening for the particular services they had learned about while hacking the Wi-Fi.



In this way it is possible to find every Chrysler vehicle that has a similar on-board computer. Then it only remains to find the one you want, and, amusingly, that is the hard part. As one of the researchers put it, "it is easier to hack all the Jeeps than one specific one".

Still, it can be done, thanks to the GPS tracking. After that, one can play with the multimedia system in the same way as before, but that is not all. The next step was to look for a way onto the CAN bus, the car's internal network that connects all of its components: the engine, the transmission, the sensors and so on, since nearly every part of a modern car is controlled by electronics.

The multimedia system is not connected to the CAN bus directly. All car makers describe this as a necessary safety measure. But this gap, too, can be bridged: the multimedia system has a link to the V850 controller, which in turn is connected to the CAN bus.

The controller's software was designed so that it could receive data from the CAN bus but not send any. But it is, after all, a computer, which means it can be reprogrammed.

The researchers found a way to change the V850 controller's firmware through its link to the multimedia system. And that update is performed without any checks or authorization.

After that, Miller and Valasek could send arbitrary commands onto the CAN bus and make any component of the car do anything: the steering, the engine, the transmission, the brakes, not to mention the wipers, the air conditioning, the door locks and more. And all of this could be controlled remotely, over the Sprint network.
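The firmware update path described above is the key weakness: the gateway controller flashes whatever image the multimedia system hands it. As an added example that is not code from the article or from any vendor, the following Python contrasts that unchecked path with one that authenticates the image and refuses rollback. The Gateway class, the HMAC-SHA256 tag and the demo key are assumptions; a real controller would verify an asymmetric signature with a public key burned into it.

```python
import hashlib
import hmac

# Constructed demo key. HMAC keeps the example self-contained; production
# gateways hold a public key and verify an asymmetric signature instead.
VERIFY_KEY = b"constructed-demo-key-not-for-production"


def sign_image(version: int, image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Producer side: the tag binds the version number to the image contents,
    so a valid tag for one image cannot be reused for another or an older one."""
    msg = version.to_bytes(4, "big") + hashlib.sha256(image).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    """Model of a CAN gateway controller's firmware-update handling."""

    def __init__(self, version: int = 1):
        self.version = version
        self.firmware = b"factory image"

    def apply_update_unchecked(self, image: bytes) -> bool:
        """Weak path, as in the article: any image offered over the link to
        the multimedia system is flashed with no check or authorization."""
        self.firmware = image
        return True

    def apply_update_verified(self, version: int, image: bytes, tag: bytes) -> bool:
        """Hardened path: reject unauthenticated images and version rollback."""
        if version <= self.version:
            return False  # anti-rollback: an older or equal version is refused
        expected = sign_image(version, image)
        if not hmac.compare_digest(expected, tag):
            return False  # tag does not match this version and image: refused
        self.version = version
        self.firmware = image
        return True
```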

The good news is that this research took them years, and the key piece, the method of accessing the CAN bus, they did not disclose. Not everyone is capable of repeating it. The bad news is that such a hack is possible in principle, and its consequences are hard to overstate.

This article is a translation of the original post at habrahabr.ru/post/274453/
