Dr Charlie Miller has been tagged as one of the world's best hackers after compromising a Jeep Cherokee from 10km with his colleague Chris Valasek. He has won the Pwn2Own competition four times and now works with Uber. The pair gave the closing keynote at this year's AISA Annual Conference.
Valasek started by running through the main way people are hacked - email. He also noted that system vulnerabilities are used. Miller said his preferred way of attacking systems is to find vulnerabilities as this is more challenging. He says vulnerabilities exist because finding them is hard to do and expensive.
And resolving them, during development, is not a good return on the investment as fixing them doesn't offer a competitive advantage. In most cases, it's easier to fix problems after releases.
And while this approach may work for web browsers, it's less effective with IoT devices - devices "we put internet on" said Valasek. But often the addition of connectivity is done without really considering the consequences. And this means hackers have moved to these targets as they are easier to attack than older systems, such as mail and file servers, and applications like web browsers which have become more secure.
"This is how security goes. You used to suck at it and then you get better," said Valasek.
Miller said the IoT will be much harder to secure. In the past, the number of major software vendors was limited. And not fixing the problems could impact their bottom line. But IoT is often a sideline for some companies. As a result, they don't have the same incentives to secure their hardware.
And, the number of applications and operating systems used by most people is a relatively small number. But the IoT is far wider with a very diverse set of vendors. It covers appliances, toothbrushes, insulin pumps, sex toys and more said Miller.
IoT devices also rely on a far more complex chain of components. As well as the end-point device, there are cloud services and various applications and APIs that make things come together. And, most major applications are designed with a secure update capability whereas IoT devices are either hard to update or can't be updated at all, said Miller.
Miller and Valasek then moved onto discussing the hacking of the Jeep. Automation in cars started with the establishment of the CAN-BUS standard in the 1970s. This allowed car components to communicate and be controlled through a computer. But, today, we offer WiFi, Bluetooth and cellular communications as well software like web browsers.
They noted Chinese hackers attacked a Tesla through a web browser.
The problem is that the older systems in cars were designed in the era before connectivity; they aren't made to be secured for external access.
The hack they exploited began in a third-party component; a Harman Kardon Unconnect head unit. They budgeted about six months to find a vulnerability and hack it.
It took three weeks to find the vulnerability and an hour to write the exploit.
Miller and Valasek sent information to Chrysler Jeep but received little feedback. So, they created a scanner to find all the potentially affected cars. From one Jeep, they discovered over a dozen different models were affected. They were able to control any function that the head unit had access to and track where drivers were and their movement.
Then, they were able to reprogram a controller that allowed them to then access physical systems such as the brakes and steering. This next stage took them nine months. But it led to them being able to control critical systems.
Some of the programming they exploited, such as braking system management were programs that were included in order to make some tasks easier for mechanics. This highlights how seemingly simple functions can impact security.
Once Fiat Chrysler were informed about the hack, the company recalled 1.4 million vehicles.
The number of issues they discovered were substantial. Form being able to communicate with the device over the same cellular network, a lack of code signing and no auto-update functions all contributed to the ability for Muller and Valasek to attack the vehicle.
And new devices, such as WiFi-enabled ODB2 adapters, can introduce vulnerabilities. And features such as data flowing from infrastructure into the vehicle offer new attack vectors. And while driverless vehicles will most likely make the roads safer, there are new risks to consider.
This far, only three teams, including Valasek and Miller, have successfully attacked a vehicle. So, this is not a widespread or commoditised exploit or threat vector - yet.
- Can the Combination of a Default Password and an Unpatched Asset Get You Military Secrets? Yup
- As rapid-fire builds threaten app quality, bespoke protection helps developers be both Agile and secure
- The week in security: CSO50 winners doing security right where so many others still aren’t
- GCHQ: change your passwords now even if Uber says it contained the breach