Flaws exposed in DEF CON security vehicles this year

Flaws exposed in DEF CON security vehicles this year -

Security researchers presented their findings on attacks that could occur for connected cars that could lead to improvements to protect consumers DEF CON this year. Chris Valasek and Charlie Miller, two security research who participated in the conference and to discover known security flaw in Jeep Cherokee, published their findings which revolved around Uconnect infotainment system of the car that is distributed by Harman.

Normally, the pirates will try to hack the display system that then if they are successful in piracy, they will continue to have access to the largest and secure. In this case, hackers find an open port and the process in the infotainment system is designed to execute code, they just need to inject a few lines of Python to give them root privileges. After they have access to the root, they are pretty much able to do anything to the firmware such as sending malicious instructions on the system that includes the transmission and brakes. However, eventhough the hackers can not access the firmware, they are still able to use the API to control the infotainment radio, wipers, and the monitoring of the car by GPS and worse, they can do all remotely.

accordingly, 1.4 million vehicles manufactured within three years of Fiat Chrysler (FCA) online, including from 2013 to 2014 in 2014 Durango line Ram pickups are recalled, traffic on port 6667 was blocked, and the legislation was introduced by US Senator Edward Markey. Harman system announced that it affects only vehicles FCA as it uses older infotainment system. However, all this can only happen if they have physical access to the first car ports.

Another security researcher team, Marc Rogers and Kevin Mahaffey focused on Tesla S because they saw it as the coolest car currently producing. They tried to hack into the infotainment system as a start. To their surprise, the infotainment Tesla system is more secure than they thought it would be. While they were able to get root access to it, they are able to perform actions such as lawfully present in the API that includes changing speeds, unlocking and locking doors, windows d opening as well as lowering and elevation of the suspension. They also discovered that the security token was a plain text.

Jeep Cherokee and Tesla handled the matter differently. Jeep Cherokee recalled car models affected shortly before the conference eventhough vulnerabilities were discovered a few months ago. Tesla on the other hand, sent representatives to the DEFCON and answered the question right after Rogers and Mahaffey done with their presentation. Tesla announced a bug bounty program Bug crowd for people to report bugs to the model and get awarded him up to $ 10,000.


Samy Kamkar, another speaker at DEF CON, vulnerabilities demonstrated with few cars and a garage with RF system device named Rolljam. The device will block the signal from reaching the car so the owner is asked to send another signal. Rolljam then records the second signal and the reading of the first signal to unlock the car. The second signal is read at a later date when the owner does not know and it can be done remotely. However, this vulnerability was fixed some years ago so there should not be any reason why car owners to worry about.

Josh Corman, a political strategist who gives recommendation for the safety of consumer goods observed that it took Microsoft 15 years to change his behavior to prosecute pirates to work together with them to expose their product then that the auto industry does not have much time. The automotive industry has only maximum 3 to 5 years. In addition, it was also observed that safety always comes after the design of the car while security should be part of the initial design of the car.

connected cars seems to be not only a problem in the United States, but it is to be an international issue. As the vehicle that we'll have in the future is therefore connected security is very important. As connected cars also have their advantages, however, they have vulnerabilities that are harder to solve because they are new. The best way is to enable the fix for the bug to OTA (Over the Air), because it is simple, convenient and low cost and it should come as a free service for car owners.

Next Post »
0 Komentar