There’s a fundamental difference between criminal hackers and white hat vulnerability researchers.
When a white hat finds a vulnerability they may explore it, and write an interesting presentation about what can be achieved through the flaw, but once they’ve described the security weakness to the appropriate party and the hole is closed – that’s it.
When a criminal crowbars open a security vulnerability, however, they don’t go running to the vendor to tell them about it. Instead, they use it as a bridgehead to see what else they can do, knowing that they potentially have an unlimited amount of time to explore deeper and compromise systems further – potentially taking a serious flaw and turning it into something critical.
And what could be a more critical attack than causing someone to be killed?
That’s something worth bearing in mind when you consider the continuing investigations into car hacking where – if exploitable security vulnerabilities present themselves – opportunities exist to cause automobile accidents, potentially causing the death of the vehicle’s occupants and other road users.
At BlackHat USA this week, famed security researchers Charlie Miller and Chris Valasek are scheduled to present their latest findings in the world of car hacking.
Miller and Valasek have already made names for themselves with the dramatic hacking of a Jeep Cherokee, interfering with its entertainment system, engine and brakes, while it was being driven down a busy highway at 70mph.
The researchers had exploited zero-day vulnerabilities in the vehicle’s Uconnect head unit. Within days of the hack becoming front page news, Fiat Chrysler announced a safety recall of 1.4 million vehicles.
What was most alarming about the hack was that it had been done remotely, miles away from the Jeep they had hijacked. The only silver lining is that the worst meddling they could do with the car’s functions was only possible when the vehicle was travelling at low speeds.
However, as Wired reports, at BlackHat the car hackers will reveal that they now know how to do much more dangerous things, regardless of the vehicle’s speed:
“By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed.”
The following YouTube video demonstrates just what the researchers were able to achieve by taking control of a moving vehicle’s steering:
Because of Miller and Valasek’s previous responsible disclosure to Chrysler, the dangerous attacks can no longer be accomplished remotely and require physical access to the targeted vehicle.
However, just imagine if it hadn’t been white hat hackers who had uncovered the original flaws, that the security vulnerability had never been patched, and that malicious attackers were now able to crash cars and cause automobile accidents remotely?
What Miller and Valasek have discovered is worrying enough. But it sends a shudder down the spine to even contemplate how much worse things could be. And who knows what other vehicles might be on the roads that have similar flaws, as yet undiscovered?
by Graham Cluley, ESET We Live Security