'13+ jeep Cherokee/ Chrysler UConnect hacked

Started by hizzo3, July 21, 2015, 10:35:18 AM

Previous topic - Next topic

hizzo3

This seemed pertinent since they are doing this through its IoT connected suite. Commands include total brake control, engine shut off, reverse steering control, GPS tracking among other things.

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

So glad I don't even have Bluetooth or OnStar right now


Edit: article from Wired to patch your stuff, please and quietly per Chrysler.

"The car maker posted a notice to its website informing its customers about a 'software update to improve vehicle electronic security.'"
www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking-technique/

LynK

i have a '15 wrangler with uconnect. any work around?
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

hizzo3

#2
Work around: Walk/bike/drive a non-IoT car

Patch:
Call the dealer and see if there is a patch yet, RA3 and RA4 radio/nav systems. Requires physical access to the vehicle to patch it.
Edit: a patch exists to download.
www.driveuconnect.com/software-update

Currently only the Cherokee has been confirmed, but since it is the Uconnect module, an update to the commands in theory could control other vehicles. I'm only aware of the Jeeps getting a patch.

routerdork

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

deanwebb

Just read that...

Security should be viewed as an immune system. When a body is overworked, its immune system suffers, even though it may enjoy some short-term productivity improvements. Same thing with computerized systems. Get them to be 100% productive and easy to use, and they will catch something, or fall prey to opportunistic infections endemic to the system.

FUN FACT: your autoimmune system is keeping you from getting a really nasty brain infection from bacteria that have been in you SINCE BIRTH. Would you like to have a productivity boost from diverting the resources dedicated to fighting that brain infection so that you could run faster or jump higher?

I want to make the same arguments at my company. Always the obsession with that marvelous user experience... and then, when we're penetrated they're all surprised and like

:kiwf:

And I'm all

:yuno:

Y U NO DO SECURITY IN FIRST PLACE?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

hizzo3

Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."

routerdork

Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."
That's what it feels like.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

hizzo3

BTW, just glanced over the SPY act. It doesn't even require encryption and authentication.

"In general-all entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks"
It does go on to say that critical software must be kept isolated from non critical... No details given.

That said... What is reasonable. In theory, WEP is reasonable.. 8 bit encryption? Hold on, I have a TI-84 calculator somewhere to crack that. What about maybe using a flawed openSSL?
And critical SOFTWARE isolation? OK throw it in a hypervisor on the car... Because that is always secure right? This bill is laughable in terms of security... Updates not less than 3 years to the bill... Only if hackers played fair, right?

hizzo3


icecream-guy

Quote from: routerdork on July 21, 2015, 01:07:42 PM
Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."
That's what it feels like.

wait, what, you called/emailed the guy's who performed the hack????
:professorcat:

My Moral Fibers have been cut.

hizzo3

Quote from: ristau5741 on July 22, 2015, 09:15:19 AM
Quote from: routerdork on July 21, 2015, 01:07:42 PM
Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."
That's what it feels like.

wait, what, you called/emailed the guy's who performed the hack????
I'm sure that would be a funny conversation.
Routerdork:"Please stop"
Hacker:"No"
Routerdork:"Why?"
Hacker:"They didn't use a Belkin" *click*

deanwebb

Time to call the hunter... the hunter of hackers!
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

Haha officer I swear I wasn't speeding, I was hacked.  C:-)

I actually emailed the UConnect guys. I'm actually very unimpressed with the service. It's got a Sprint 3G connection. I spent over 50 hours on the road a few weeks ago and it barely ever had service to do anything.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

hizzo3

Well a half assed  kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.

icecream-guy

Quote from: hizzo3 on July 24, 2015, 11:00:34 AM
Well a half assed  kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.

Dealers will love this, Monthly patching cycle, with free inspection, and a $1500 list of service items that you need to take care of
:professorcat:

My Moral Fibers have been cut.