Introduction

This chapter collects public research on car hacking. A few general papers are discussed here; the rest of the research is split up by target or entry point.

The 2015 Jeep Cherokee hack reached mainstream news and triggered a 1.4 million vehicle recall. The four papers that precede it here laid the technical groundwork that made it possible.

Experimental Security Analysis of a Modern Automobile

Koscher et al., IEEE S&P 2010 [1]

Koscher et al. connected a laptop running their CARSHARK tool to the OBD-II port of two identical late-model sedans and mapped what an attacker with access to the in-vehicle network could do. It was the first systematic empirical security evaluation of a complete production automobile. A CAN frame carries a message identifier but no source address and no authentication, and the bus is a broadcast medium: every node receives every frame and any node can transmit a frame under any identifier, so a receiving ECU has no way to tell a legitimate frame from an injected one.

Injecting the right messages could disable the brakes while the car was moving, lock the brakes on individual wheels, kill the engine, falsify the speedometer reading, and prevent the car from restarting. The telematics unit was connected to both the low-speed and high-speed CAN subnets; after reprogramming it from the low-speed side, the researchers used it as a bridge onto the high-speed bus, bypassing the body control module (BCM) that normally gateways between the two. Every attack still required prior access, either through the OBD-II port or through an already compromised ECU, a constraint the 2011 follow-on paper addressed directly.

The CARSHARK tool developed by Koscher et al. for sniffing and injecting CAN packets. The left panel lists ECU nodes on both CAN subnets; recently updated values are highlighted. Figure from Koscher et al., 2010 (Experimental Security Analysis of a Modern Automobile).

Comprehensive Experimental Analyses of Automotive Attack Surfaces

Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno, USENIX Security 2011 [2]

The 2010 work assumed the attacker was already on the car's network. This USENIX Security paper took on the prior question of how an attacker gets there in the first place. The same joint UW and UCSD team catalogued the external communication channels of a modern sedan, investigated a representative example in each access category, and achieved remote compromise through mechanics' tooling, the media player, Bluetooth, and the cellular modem.

The attack vectors fell into three groups. Indirect physical access covered the OBD-II port, reached through a compromised dealer programming tool (a Wi-Fi-connected PassThru device that could be taken over from the dealership's wireless network), and the CD player, reached through a buffer overflow in the radio's WMA parser. Short-range wireless covered a buffer overflow in the Bluetooth hands-free stack and the TPMS receiver. Long-range wireless covered the cellular telematics unit, which had a buffer overflow in its software-modem layer that was reachable before the unit's higher-level command authentication, so the exploit could be delivered as modem audio over an ordinary voice call. Once compromised, the telematics unit could join an IRC channel over 3G and take commands from it; in a live demonstration, two vehicles more than a thousand miles apart responded to the same IRC command. Structurally, automotive software carried the same memory-safety bugs as desktop software but had no update infrastructure, no per-component privilege isolation, and no bus-level authentication.

Attack surface taxonomy for a modern automobile, showing external I/O channels and which ECUs they reach. Colors group ECUs by function. Figure from Checkoway et al., 2011 (Comprehensive Experimental Analyses of Automotive Attack Surfaces).

Adventures in Automotive Networks and Control Units

Miller, Valasek, DEF CON 21, 2013 [3]

Miller and Valasek worked on a 2010 Toyota Prius and a 2010 Ford Escape for this DEF CON 21 whitepaper. Where earlier work had withheld vehicle specifics, they published full CAN ID tables, packet formats, source code, and hardware instructions so other researchers could reproduce the results.

The paper covered CAN bus structure, ISO-TP framing, and the key UDS diagnostic services, along with complete ECU topology maps for both vehicles. On the Prius, normal-mode CAN injection let them manipulate the speedometer, steering, and braking. Diagnostic-mode messages could engage the brakes, kill the engine, and reflash the Ford Escape's Parking Assist Module after its HC12 microcontroller firmware had been extracted and disassembled. A short section proposed anomaly detection based on the strict periodicity of healthy CAN traffic, an idea later IDPS research would take up.
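The ISO-TP framing and UDS session handling the whitepaper documents, and the diagnostic-session trick the 2016 paper (below) uses to silence a conflicting ECU, as an added Python example; this is not code from Miller and Valasek. CAN IDs 0x7E0/0x7E8 are the conventional OBD-II request/response pair. ToyEcu is a constructed stand-in: its VIN is made up, the P2 timing bytes are arbitrary, and the assumption that an extended session stops its periodic broadcast is for illustration only, not the behaviour of any specific vehicle.

```python
"""ISO-TP (ISO 15765-2) framing plus a UDS (ISO 14229) exchange over classic
8-byte CAN frames. Added example, not Miller and Valasek's code. ToyEcu is a
constructed stand-in: its VIN is made up, and the assumption that an extended
session stops its periodic broadcast is for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REQ_ID, RESP_ID = 0x7E0, 0x7E8          # conventional OBD-II engine ECU request/response IDs
SF, FF, CF, FC = 0x0, 0x1, 0x2, 0x3     # ISO-TP PCI types (high nibble of byte 0)


@dataclass
class CanFrame:
    can_id: int
    data: bytes                         # 1..8 bytes; pad bytes omitted for readability


def isotp_segment(can_id: int, payload: bytes) -> List[CanFrame]:
    """Sender side: one single frame, or a first frame plus consecutive frames."""
    n = len(payload)
    if n <= 7:
        return [CanFrame(can_id, bytes([SF << 4 | n]) + payload)]
    if n > 0xFFF:
        raise ValueError("payload exceeds the 12-bit ISO-TP length field")
    frames = [CanFrame(can_id, bytes([FF << 4 | n >> 8, n & 0xFF]) + payload[:6])]
    rest, seq = payload[6:], 1
    while rest:
        frames.append(CanFrame(can_id, bytes([CF << 4 | seq]) + rest[:7]))
        rest, seq = rest[7:], (seq + 1) & 0xF
    return frames


def isotp_reassemble(frames: List[CanFrame]) -> bytes:
    """Receiver side: rebuild the payload, checking sequence numbers and length."""
    head = frames[0].data
    if head[0] >> 4 == SF:
        return head[1:1 + (head[0] & 0xF)]
    if head[0] >> 4 != FF:
        raise ValueError("expected a single or first frame")
    n = (head[0] & 0xF) << 8 | head[1]
    buf, expect = bytearray(head[2:]), 1
    for f in frames[1:]:
        if f.data[0] != CF << 4 | expect:
            raise ValueError("bad consecutive-frame sequence number")
        buf += f.data[1:]
        expect = (expect + 1) & 0xF
    if len(buf) < n:
        raise ValueError("truncated ISO-TP message")
    return bytes(buf[:n])


# UDS service IDs, sub-functions and the negative response codes used here
SESSION_CONTROL, READ_DATA_BY_ID, ROUTINE_CONTROL, NEGATIVE = 0x10, 0x22, 0x31, 0x7F
DEFAULT_SESSION, EXTENDED_SESSION = 0x01, 0x03
NRC_NOT_SUPPORTED_IN_SESSION, NRC_OUT_OF_RANGE, NRC_NOT_SUPPORTED = 0x7F, 0x31, 0x11


@dataclass
class ToyEcu:
    session: int = DEFAULT_SESSION
    broadcasting: bool = True           # is the ECU still sending its periodic frames?
    dids: Dict[int, bytes] = field(default_factory=lambda: {0xF190: b"1C4RJFAG0EC000000"})

    def service(self, req: bytes) -> bytes:
        """Handle one reassembled UDS request; positive responses use SID + 0x40."""
        sid = req[0]
        if sid == SESSION_CONTROL and req[1] in (DEFAULT_SESSION, EXTENDED_SESSION):
            self.session = req[1]
            self.broadcasting = self.session == DEFAULT_SESSION   # toy assumption
            return bytes([sid + 0x40, req[1]]) + bytes.fromhex("00320190")  # P2/P2* timing
        if sid == READ_DATA_BY_ID:
            did = int.from_bytes(req[1:3], "big")
            if did not in self.dids:
                return bytes([NEGATIVE, sid, NRC_OUT_OF_RANGE])
            return bytes([sid + 0x40]) + req[1:3] + self.dids[did]
        if sid == ROUTINE_CONTROL and self.session != EXTENDED_SESSION:
            return bytes([NEGATIVE, sid, NRC_NOT_SUPPORTED_IN_SESSION])
        if sid == ROUTINE_CONTROL:
            return bytes([sid + 0x40]) + req[1:4]
        return bytes([NEGATIVE, sid, NRC_NOT_SUPPORTED])


def uds_exchange(ecu: ToyEcu, request: bytes) -> Tuple[bytes, List[CanFrame]]:
    """One request/response pair; returns the response and the frames seen on the bus.
    After a first frame the receiver answers with flow control (block size 0, no
    separation time) before the sender continues with consecutive frames."""
    def flow_control(can_id: int) -> CanFrame:
        return CanFrame(can_id, bytes([FC << 4, 0x00, 0x00]))

    trace: List[CanFrame] = []
    req_frames = isotp_segment(REQ_ID, request)
    trace.append(req_frames[0])
    if len(req_frames) > 1:
        trace.append(flow_control(RESP_ID))     # ECU tells the tester to continue
        trace.extend(req_frames[1:])
    resp_frames = isotp_segment(RESP_ID, ecu.service(isotp_reassemble(req_frames)))
    trace.append(resp_frames[0])
    if len(resp_frames) > 1:
        trace.append(flow_control(REQ_ID))      # tester tells the ECU to continue
        trace.extend(resp_frames[1:])
    return isotp_reassemble(resp_frames), trace


def silence_ecu(ecu: ToyEcu) -> bool:
    """The 2016 paper's first confliction workaround: put the sender into an
    extended session so its normal traffic stops. True if the toy ECU complied."""
    resp, _ = uds_exchange(ecu, bytes([SESSION_CONTROL, EXTENDED_SESSION]))
    return resp[0] == SESSION_CONTROL + 0x40 and not ecu.broadcasting


if __name__ == "__main__":
    ecu = ToyEcu()
    resp, trace = uds_exchange(ecu, bytes([READ_DATA_BY_ID, 0xF1, 0x90]))
    for f in trace:
        print(f"{f.can_id:03X}  {f.data.hex(' ')}")
    print("VIN:", resp[3:].decode(), "| silenced:", silence_ecu(ecu))
```

Running it prints the bus trace for a multi-frame ReadDataByIdentifier response, including the flow-control frame the tester sends back after the ECU's first frame. RoutineControl is refused with NRC 0x7F in the default session and accepted after the session change, and `silence_ecu` shows the point behind the 2016 techniques: a single unauthenticated two-byte request is enough to change what an ECU accepts and, on some ECUs, what it transmits.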

CAN v1 bus wiring diagram for the 2010 Toyota Prius, showing ECU nodes and their physical connections. Figure from Miller and Valasek, 2013 (Adventures in Automotive Networks and Control Units).

A Survey of Remote Automotive Attack Surfaces

Miller, Valasek, Black Hat USA 2014 [4]

For their Black Hat survey, Miller and Valasek went from two test vehicles to twenty-four production cars spanning model years 2006 to 2015. They rated each one on the breadth of its remote attack surface, its internal network topology, and the set of cyber-physical features that let software actuate physical systems.

For each vehicle the authors mapped every ECU with a wireless interface against the safety-critical ECUs it could reach. Forty-two percent of the 2014 model-year vehicles surveyed had no segmentation between at least one cyber-physical ECU and one with a remote attack surface. The 2014 Jeep Cherokee ranked highest. Its Uconnect radio handled Bluetooth, cellular, Wi-Fi, FM RDS, and app connectivity while sitting directly on CAN-C alongside the ABS, electric power steering, and adaptive cruise ECUs, so all three stages of an attack chain (remote entry, access to the safety-critical bus, and cyber-physical actuation) met in a single unit. Miller and Valasek found the software bugs they needed the following year, covered in the next section. As of July 2014, the paper noted, manufacturer patching still largely depended on dealer visits rather than over-the-air updates.

Network architecture of the 2014 Jeep Cherokee, showing the Uconnect radio (with Bluetooth, cellular, and internet connectivity) directly bridging onto CAN-C alongside safety-critical ECUs including ABS and power steering. Figure from Miller and Valasek, 2014 (A Survey of Remote Automotive Attack Surfaces).

Remote Exploitation of an Unaltered Passenger Vehicle

Miller, Valasek, IOActive 2015 [5]

In August 2015 Miller and Valasek published the first complete end-to-end remote exploit of a production vehicle, requiring no prior physical access and no modification of the target. The target was a 2014 Jeep Cherokee with the Harman Uconnect 8.4AN head unit running QNX 6.5.0. The head unit had an IP address on Sprint's cellular network that was reachable from other Sprint devices, though not from the public internet, and an unauthenticated D-Bus service on it accepted arbitrary shell commands from any caller. By scanning the cellular IP ranges allocated to Chrysler vehicles from a Sprint-connected host, they could connect to vulnerable vehicles anywhere in the United States and obtain a QNX shell on the head unit from a laptop miles away.

Gaining shell access to the head unit was only the first stage. The head unit's OMAP application processor talked to a NEC V850 microcontroller over SPI; the V850 sat on both the CAN-IHS and CAN-C buses and relayed messages to every ECU in the vehicle. The authors reversed the SPI protocol, found an undocumented debug command, and reflashed the V850 with modified firmware that forwarded arbitrary CAN frames supplied by the OMAP. Because the V850 accepted firmware updates without any code-signing check, this step required no additional vulnerability. With the bridge in place, the researchers could disable the transmission, spoof the gauges, control body functions and, at the low speeds at which the relevant ECUs accepted diagnostic sessions, affect the brakes and steering.

Disclosure ran from the D-Bus finding in October 2014 to FCA's patch on July 16, 2015, followed on July 24 by a voluntary recall of 1.4 million vehicles. Sprint independently blocked traffic to port 6667 on its network. The impact reached past FCA too: Tesla adopted code signing for its OTA firmware updates not long after, a move often credited in part to the attention this research drew.

Uconnect touchscreen displaying a firmware update prompt, used in the USB-based jailbreak that established the initial code execution path. Figure from Miller and Valasek, 2015 (Remote Exploitation of an Unaltered Passenger Vehicle).

CAN Message Injection: OG Dynamite Edition

Miller, Valasek, IOActive 2016 [6]

In June 2016 Miller and Valasek returned to a question their 2015 Jeep paper had left open: given arbitrary CAN message injection, how much physical control is actually achievable, and why do naive injection attempts often fail?

The core problem is what the authors call confliction. Every legitimate ECU broadcasts its messages continuously at a fixed interval, so when an attacker injects a message with the same CAN ID the receiving ECU sees two conflicting streams. Safety-critical ECUs in the Jeep resolved the conflict by disabling the contested feature rather than acting on either message, which meant that flooding the ABS module disabled braking rather than applying it. The paper described three ways to remove the legitimate sender: placing it in a diagnostic session so that its normal messages stop, forcing it into Bootrom mode, or reflashing it outright. A fourth technique analysed how the receiving ECU processes incoming data and exploited edge cases in that logic; they used it against the Power Steering Control Module. Combining these methods, the authors achieved braking, acceleration through emulated cruise-control messages, and steering on both the Jeep Cherokee and a Toyota Prius. The paper also proposed several defensive countermeasures, including message authentication and anomaly detection based on CAN timing.
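A detector built on the periodicity observation from the 2013 whitepaper and on the timing-based countermeasure listed above, as an added Python example rather than code from either paper. It parses candump -L style log lines (constructed here, not a real capture: IDs 0x1A4 and 0x2B0, their 10 ms and 20 ms periods and their payloads are all made up; 0x7E0..0x7E7 are the conventional physical UDS request IDs), learns each ID's period from a clean capture, and then flags two things on a suspect capture: an ID arriving far more often than its schedule, which is what naive injection looks like, and UDS session-control, reset or reprogramming requests, which is what the silencing and reflashing workarounds above look like on the wire. The window and slack values are tuning choices of this example, not the papers'.

```python
"""Timing-based CAN intrusion detector over candump-style log lines.

Added illustration, not the authors' code. Rule 1 is the periodicity idea
from the 2013 whitepaper: each ID arrives on a fixed schedule, so injection
shows up as too many frames per window. Rule 2 covers the 2016 paper's
confliction workarounds: silencing or reflashing the legitimate sender means
talking UDS to it first, so diagnostic requests on a moving car are a signal.
IDs, periods and payloads are constructed; 0x7E0-0x7E7 are the conventional
physical UDS request IDs."""
import re
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")  # candump -L


@dataclass
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_candump(lines: Iterable[str]) -> List[Frame]:
    """Parse '(ts) iface ID#HEX' lines, skipping anything malformed; sorted by time."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Frame(float(m[1]), int(m[2], 16), bytes.fromhex(m[3])))
    return sorted(out, key=lambda f: f.ts)


def learn_periods(clean: List[Frame]) -> Dict[int, float]:
    """Median inter-arrival time per ID from a capture taken while not under attack."""
    last, gaps = {}, defaultdict(list)
    for f in clean:
        if f.can_id in last:
            gaps[f.can_id].append(f.ts - last[f.can_id])
        last[f.can_id] = f.ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if len(g) >= 3}


UDS_REQ_IDS = range(0x7E0, 0x7E8)
WATCHED_SERVICES = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
                    0x34: "RequestDownload", 0x36: "TransferData"}


def detect(frames: List[Frame], periods: Dict[int, float],
           windows: int = 10, slack: float = 0.3) -> List[Tuple[float, int, str]]:
    """Return (timestamp, id, reason) alerts.

    Rule 1: more than (1 + slack) * windows frames of one ID arrived within the
    last `windows` periods of that ID.  Rule 2: a single-frame UDS request whose
    service ID is on the watch list.  IDs absent from the baseline are reported too."""
    alerts, recent = [], defaultdict(deque)
    for f in frames:
        if f.can_id in UDS_REQ_IDS and len(f.data) >= 2 and f.data[0] >> 4 == 0:
            name = WATCHED_SERVICES.get(f.data[1])
            if name:
                alerts.append((f.ts, f.can_id, f"diagnostic request {name}"))
            continue
        period = periods.get(f.can_id)
        if period is None:
            alerts.append((f.ts, f.can_id, "ID not seen in baseline"))
            continue
        q = recent[f.can_id]
        q.append(f.ts)
        while q and q[0] < f.ts - windows * period:   # drop timestamps outside the window
            q.popleft()
        if len(q) > (1 + slack) * windows:
            alerts.append((f.ts, f.can_id, f"{len(q)} frames in {windows} periods, expected ~{windows}"))
    return alerts


def constructed_capture(attack: bool) -> List[str]:
    """Constructed log: 0x1A4 every 10 ms and 0x2B0 every 20 ms for 0.5 s.  With
    attack=True, add a UDS extended-session request at 0.15 s and a 0x1A4 flood
    at 5 ms spacing from 0.203 s to 0.298 s carrying a conflicting payload."""
    rows = []
    for i in range(50):
        t = i * 0.010
        rows.append((t, f"({t:.6f}) can0 1A4#{i & 0xFF:02X}00000000000000"))
        if i % 2 == 0:
            rows.append((t, f"({t:.6f}) can0 2B0#0000000000000000"))
    if attack:
        rows.append((0.150, "(0.150000) can0 7E0#0210030000000000"))
        for k in range(20):
            t = 0.203 + k * 0.005
            rows.append((t, f"({t:.6f}) can0 1A4#FF00000000000000"))
    return [line for _, line in sorted(rows)]


if __name__ == "__main__":
    periods = learn_periods(parse_candump(constructed_capture(attack=False)))
    for ts, cid, why in detect(parse_candump(constructed_capture(attack=True)), periods):
        print(f"{ts:.3f}  {cid:03X}  {why}")
```

The rate rule on its own is blind to exactly the attacks the 2016 paper describes: once the legitimate sender has been silenced or reflashed, the attacker's stream arrives at the normal rate, so detection has to come from the diagnostic traffic (or from a periodic ID falling silent, which this example does not implement). Both rules are evadable by an attacker who already controls the gateway, and per-frame attribution is inherently ambiguous once two streams interleave, which is why the alerts describe a window rather than pointing at one frame.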

References

[1] Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy (IEEE S&P), 2010.
[2] Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security Symposium, 2011.
[3] Miller, Valasek. Adventures in Automotive Networks and Control Units. IOActive whitepaper, presented at DEF CON 21, 2013.
[4] Miller, Valasek. A Survey of Remote Automotive Attack Surfaces. Black Hat USA, 2014.
[5] Miller, Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. IOActive whitepaper, August 2015.
[6] Miller, Valasek. CAN Message Injection: OG Dynamite Edition. IOActive whitepaper, June 2016.