'13+ Jeep Cherokee / Chrysler UConnect hacked

Started by hizzo3, July 21, 2015, 10:35:18 AM

deanwebb

It's like the "If Microsoft Made a Car" joke from 1995... spooooooooky.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

I had to send my VIN, Year, Make, Model, etc. Finally they matched it up and said oh yeah you are vulnerable and need to have your truck serviced for this recall.
But they still had to forward my info to another department because I can register for the service and they will gladly take my money, but when I want to look it up I'm just not important enough to be listed in the database. I did see mention on the UConnect website about the issues now though.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

deanwebb

You're surprised that they took your money and then forgot about you?

:haha1:

Sorry, couldn't resist.

But, yes, you're the most important person in the world until you give them what they want most. Corporations are like the worst boyfriends/girlfriends, ever.

routerdork

Of course, what was I thinking. Customer Service is hanging out with Chivalry, Bruce Jenner, and Tupac on a deserted island somewhere...

deanwebb

Quote from: routerdork on July 27, 2015, 11:02:40 AM
Of course, what was I thinking. Customer Service is hanging out with Chivalry, Bruce Jenner, and Tupac on a deserted island somewhere...

Good news: it was just your car that was affected. Hax can also allow someone to p0wn your house:

https://threatpost.com/pair-of-bugs-open-honeywell-home-controllers-up-to-easy-hacks/113965

:shock: <- guy who had a Honeywell controller that got hacked

hizzo3

Wow... Easy hack too on the Honeywell. Might as well just write code:
If pwd='12345' then
Access.grant
Else
Access.deny
End if
In the JavaScript on the web page.

icecream-guy

Quote from: hizzo3 on July 27, 2015, 05:21:56 PM
Wow... Easy hack too on the Honeywell. Might as well just write code:
If pwd='12345' then
Access.grant
Else
Access.deny
End if
In the JavaScript on the web page.

If people are too stoopid to not put their devices behind a firewall, and simply leave devices connected to the open internet, then they deserve to be hacked.  If they are too naive about the internet then they should hire someone knowledgeable enough that can install the product securely.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on July 28, 2015, 06:59:59 AM
If people are too stoopid to not put their devices behind a firewall, and simply leave devices connected to the open internet, then they deserve to be hacked.  If they are too naive about the internet then they should hire someone knowledgeable enough that can install the product securely.


"We have a firewall, but we're only blocking the bad traffic. What's wrong with that?"

:haha4:

deanwebb

Oh for hell's sake...

https://threatpost.com/gone-in-less-than-a-second/114154

While this is a directed, instead of general, attack, it's still something that has to be considered, especially if you've been selected as a random target of a vehicle theft. Keep your valuables with you... or always examine the undercarriage of your car before entering.

hizzo3

Quote from: deanwebb on August 06, 2015, 11:44:25 AM
Oh for hell's sake...

https://threatpost.com/gone-in-less-than-a-second/114154

While this is a directed, instead of general, attack, it's still something that has to be considered, especially if you've been selected as a random target of a vehicle theft. Keep your valuables with you... or always examine the undercarriage of your car before entering.

Or you do as I do... Use the effing key. You know, that 2,000-year-old technology?

wintermute000

The car companies just don't get it. Security doesn't work as an afterthought, has to be baked into the design. No points for guessing when security came into the picture for all the software and standards under the hood.

http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/

The problem is compounded by the fact that they're dealing with stuff that literally cannot fail without dangerous consequences (who cares if your browser occasionally crashes, for example), and that bricking or even soft bricking your car is a lot bigger deal than messing up your Windows install and a lot harder to fix.

Otanx

Quote from: wintermute000 on August 24, 2015, 03:39:01 AM
The problem is compounded by the fact that they're dealing with stuff that literally cannot fail without dangerous consequences (who cares if your browser occasionally crashes, for example), and that bricking or even soft bricking your car is a lot bigger deal than messing up your Windows install and a lot harder to fix.

Which is why what Tesla is doing is very cool, and very scary at the same time. The guys who did the uConnect hack notified Tesla of an issue as well. Tesla fixed it, and pushed the update out to all their cars. I guess the Tesla is an SDC? Software Defined Car? As long as it works, and the testing is there, that is awesome. However, the second an update accidentally causes the brake to accelerate the car, it becomes very scary.

-Otanx

deanwebb

Excellent article, Wintermute. I do not ever want to have a connected car. Terrifying stuff can result from that decision.

Reggle

It depends. What I hate most about the IoT, the home security systems, connected cars, smartphones, ... is the fact that they're closed systems. I want low-level control and I want to be able to customize it and/or patch it myself, because the closed systems are obviously not doing it for us.