New Jeep hack proves cars still exposed: Page 2 of 4

August 04, 2016 //By Junko Yoshida
When automotive security researchers Charlie Miller and Chris Valasek take the stage Thursday morning (August 4) at the Black Hat conference in Las Vegas, they will outline new methods of CAN message injection. The two researchers who now work for Uber’s Advanced Technology Center will demonstrate how to physically seize control of the braking, steering, and acceleration systems in a vehicle.

Whether Miller and Valasek’s car attack was done wirelessly or via OBD-II port is beside the point. Although Chrysler created a patch for the Jeep last year, it did not by any means close all avenues to wireless car attacks.

When EE Times inquired Wednesday (August 3) David Uze, CEO of Trillium in Tokyo about this, he said, “What the second Jeep attack proved this year is that there are a large number of vehicles out there still unprotected.”

Chrysler’s patch is a firewall for the Jeep’s infotainment system, the attack surface Miller and Valasek exploited.

But “it’s absolutely wrong” for carmakers to think there won’t other ways to penetrate that firewall, Uze explained.

“For example, when you bring your car to a repair shop and leave it for a little while, there is always a chance that an independent access could be made to your vehicle, with someone leaving a hard-to-spot, small device attached to the OBD-II port.”

Uze cited, as an example, a hack performed by a 14-year-old who built an electronic remote auto communications device  with $15 worth of Radio Shack parts.

This took place at the Battelle CyberAuto Challenge in the summer of 2014.

The teenager ’s wireless device created an ad hoc wireless connection which, through a wireless SIM card, served as a backdoor to CAN networks inside a vehicle, Uze explained.