Black Hat USA 2015: The full story of how that Jeep was hacked | Kaspersky Lab Official Blog
Black Hat USA 2015: The full story of how that Jeep was hacked | Kaspersky Lab Official Blog
(blog.kaspersky.com)
... it turned out, the Wi-Fi password for Chrysler’s cars is generated before the actual time and date is set and is based on default system time plus a few seconds during which the head unit boots up.
The multimedia system is not connected to CAN bus directly. This is the thing that all the manufacturers always refer back to when it comes to IT-security of cyber-physical systems: there is an isolation they say, the air gap between connected and physical parts of these systems. As it turned out, this air gap is not that thick, at least in Chrysler’s cars. Despite the fact that multimedia system’s controller itself can’t communicate directly with CAN bus, it actually can communicate with another component which is connected to CAN bus, the V850 controller. He knows a guy, who knows a guy situation, simply put. Researchers discovered an opportunity to change firmware of the V850 controller for their maliciously crafted version through the connection to multimedia system’s controller. This firmware ‘upgrade’ can be done without any checks or authorizations. Even if there was authorization, researchers have found a couple of vulnerabilities that make possible taking control over this V850 controller. And that was it: after this move Miller and Valasek were able to send commands through the CAN bus and make every — every! — component of the car to do whatever they wanted. They were able to control steering wheel, engine, transmission, braking system, not to mention dull things like windscreen wiper, air conditioner, door locks and so on. Moreover, they were able to control all this things completely remotely, over the Sprint cellular network.
[...] The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
The wild weird world of carbon fiber | Ars Technica
The wild weird world of carbon fiber | Ars Technica
(arstechnica.com)
The Great Bank Robbery: the Carbanak APT - Securelist
The Great Bank Robbery: the Carbanak APT - Securelist
(securelist.com)