#1 · Discussion Starter · Registered · 31 Posts (Edited)
I'm sure we've all heard about the hack by now, but speaking for myself, I wasn't aware of the extent of the threat posed... I am now, after I read this article.
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ <- this isn't just alarmist ranting.
We're all very excited about our new Renegades, but HOLY %$!#@! Forewarned is forearmed, and I thought everyone should be as aware as possible.
I really wonder if the main exploit lies with the vehicle's WiFi ability and if disabling it would solve the issue. I for one really don't need it, and I find I wouldn't use it, as I use my cell phone in the vehicle... but I wonder if I would still be vulnerable if that phone is connected via Bluetooth to the car?
Anyone know if there is a way to disable WiFi in the vehicle, or if that even lowers the security risk?

If you have not done so, here is the link to the latest Uconnect update: http://www.driveuconnect.com/software-update/
I know there's another post about the update, but I figure it can't hurt to post it here, as I'm not sure people are getting the gravity of this system's vulnerability... I didn't.
Here's the brief follow-up article they did urging the patch: http://www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking-technique/

One more article from Jalopnik saying the threat's there... but not to soil yourself just yet: http://jalopnik.com/chryslers-uconnect-vulnerable-to-remote-hacking-but-do-1719269327
Either way... get yourself patched, all.

Registered · 2015 Trailhawk · 404 Posts
I've heard it said that the threat revolved around the WiFi hotspot, which I will never use anyway.

I was also under the impression that you pay for WiFi separately, so you wouldn't have it if you didn't pay for it.

Good info, though, for those who might have some use for that feature.

Super Moderator · 3,718 Posts
The demo was conducted at a roughly 10 mile range. That's not WiFi, that's the 3G cellular. No 3G radio, no exposure. Given that the 5.0RA2 has no option to pay them for 3G service, it shouldn't have such a vulnerability. The 6.5AN has a 3G radio, and the whole unit is on the CAN bus. Pretty much every car is vulnerable if connected to the car's internal network (i.e. CAN bus). The deal with the TH compromise demo is that it is the first vehicle on which they have demonstrated a means of gaining remote access to the CAN bus.

Everyone is pointing at Jeep right now; they will NOT be the only ones by any means.

Registered · 499 Posts
Just saw another article today where the target was a Tesla. Same result.

Also, a Jeep tech posted earlier and explained that this particular exploit required the hacking team to have physical access to the ECU, presumably to install a back door of their own that exploited some vulnerability.

Take it with a grain of salt, of course. I haven't seen the technical details.

Registered · 610 Posts
> Just saw another article today where the target was a Tesla. Same result.
>
> Also, a Jeep tech posted earlier and explained that this particular exploit required the hacking team to have physical access to the ECU, presumably to install a back door of their own that exploited some vulnerability.
>
> Take it with a grain of salt, of course. I haven't seen the technical details.

Big difference with Tesla. The white hat hackers had to get physical access to a Model S first, then they tinkered with a wire hidden behind a panel before they tricked Tesla into giving them access to the system.

With UConnect, the hackers did not need physical access to hack into the system.

Tesla's system is much more secure. And just as quickly as the exploit was announced, Tesla released an over-the-air update to close the vulnerability. You won't see FCA, OnStar or Google reacting that quickly.

Registered · 499 Posts
> With UConnect, the hackers did not need physical access to hack into the system.

Not true, according to a post on here by a Jeep tech. He claims they had to side-load an update of their own before they could remotely access the vehicle.

Again, take it with a grain of salt. I'm just repeating what was posted. I have no technical details of the exploit, as I don't believe it was published in great detail. Please direct me to the details if I'm mistaken.

What they don't tell you is they took over a year with that Jeep to develop the "hack". They were also running their own software on the radio from an SDK. They'd have to have physical access to the Jeep in order to install their cracked software onto the radio. That also means they'd need the key. The Cherokee has four different radio versions, all with at least five different OS versions, so there's that they'd have to overcome, too. Then the hackers need to become familiar with machine language and CAN bus messages in order to know how to break out of the radio's "sandbox" and get meaningful data messages onto the vehicle's bus. This is a ton of work that almost nobody but a vehicle engineer would be able to pull off.

Bottom line is nobody is going to get hAx0R3d and die. Other than a clever PR stunt, there's no gain for the work involved.

Registered · 1,636 Posts
I'm not worried about anyone hacking my car. My Renegade has the 5.0 w/o cellular, but my Challenger has the 8.4 radio with cellular. I did upload the patch to the Challenger, but I wasn't worried before and won't be worried in the future.

I think that hackers have little to gain breaking into a car's system, since there isn't any bounty there. After all, how many of our cars have databases with bank account #'s, addresses, or SS numbers?

Super Moderator · 3,718 Posts
> I've heard it said that the threat revolved around the WiFi hotspot, which I will never use anyway.
>
> I was also under the impression that you pay for WiFi separately, so you wouldn't have it if you didn't pay for it.
>
> Good info, though, for those who might have some use for that feature.
Here's an actual article with an explanation of how it works.

https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493

The site is slow as heck to load, so I'll give the Cliff's Notes version.

1) The head unit is networked via Sprint, and via WiFi if you have one capable of that.

2) The head unit is air-gapped from the system except for the V850 controller.

3) The V850 controller in stock form only allows you to listen to the CAN bus.

4) They figured out how to force a firmware update on the V850 chip and also figured out how to hack the firmware image to enable two-way communication on the CAN bus. This last bit is apparently the REALLY hard part and what they have not publicly disclosed. At fault here, you have whoever designed the V850 chip/firmware for it, and whoever architected its position in the vehicle networking. An air gap that can read the network isn't an air gap. It's an air-gap simulation that only remains so if you don't alter the software.

So that's how they perform the control. It is in all likelihood massively irrelevant to any Renegade owner, as the 5.0RA2 is built on Windows Embedded Automotive and not QNX, where this was done. I'm not sure about the nature of the 6.5 OS and architecture. The really scary thing security-wise is how they get access to the network, because that's where the stupid comes in on FCA's part, and is how the remote execution of the exploit would happen on any given system. Now I switch to letters.

A) The WiFi network is protected with an automatically generated password that is generated by the car.

B) This password is generated when turning on the car for the first time, and is generated by an algorithm that uses the date and time down to second resolution. Theoretically, the search space for a particular car to get the right password for THAT car is in the millions.

C) TRIGGER WARNING: There's lots and lots of stupid right about here; quit now if your blood pressure is high or stupid deeply offends you.

Ok, ready?

Well, that algorithm for generating the password is full of stupid because it executes when the car is first turned on. It takes a few seconds to complete.
It doesn't take into consideration AT ALL that when any brand new vehicle comes off the line and gets powered up for the first time, they all come off the line with the date and time value set to the EXACT SAME date and time. Once you interact with one head unit to determine that date and time, the search space for the administrative password is now something less than 60 possibilities. Not checking your salt value is an epic level of stupid for something out in the wild on a public network that has as one of its tasks the act of not killing people. There was effectively zero entropy introduced to the salting process.

D) This now means that if you have the ability to do what they did to the V850 chip, you can do it to any Jeep vehicle on the network.

E) That network includes both the WiFi network and the Sprint network.

F) Scary big brother bit here: Even if you do not pay for the service, your car is still connected to the Sprint network ALL THE TIME if you have the LTE modem in your car. (I'm guessing this is for E911 coverage.)

G) Using a femtocell (a device you can buy from a carrier to use your household network connection to compensate for spotty wireless coverage in your home) for the Sprint network, they were able to basically scan all the connections on the Sprint network and look for ones that responded to certain commands over the network in a manner that they knew the Cherokee's system did. This gets them a list of systems they can access. Generating this list would likely be time-prohibitive if the password search space were not so cripplingly limited due to the badness in step C.

H) More big brother scary: You have a giant list of vulnerable head units; how do you find the one you want? That always-on LTE connection allows you to get the GPS coordinates of the vehicle. If you know where the vehicle is, get the coordinates from all of them, and pick the IP address associated with the one that gives back those coordinates, or closest to them.

I) Now you have the IP address, a network connection, and access to the head unit of the vehicle you want, and you engage in steps 1-4 from earlier with that vehicle.

So what does this mean in terms of end users?

- Turning off your WiFi does jack for you in terms of total vulnerability, as the vulnerability is accessible via either the WiFi network or the Sprint network.
- The Uconnect software update for the 6.5AN, if it gets you anything related to this, probably changes the LTE modem/router's administrative password. I would hope it also fixes the originating source of the problem from C.
- The Renegade has been listed as not vulnerable. From reading this, in all likelihood we are definitely vulnerable to the vector if not the exact method. This may be because we all have Windows Embedded Automotive as the OS, or because we all lack a V850 chip. However, I suspect the networking issues as a vector are there for pretty much any car with these kinds of services.
- Sprint also took some unspecified action. I suspect they took some measure that limits the ability of someone attached to the network to scan everyone connected to the network, or, more limited, locked down some port the scans occurred on. Maybe partitioned the bulk inactive subscription people somehow. Regardless, they did something. The Renegade people are likely a beneficiary of this action, but it protects you not at all from exposure over WiFi if you have that turned on.
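The entropy failure described in steps B and C above, as a constructed model added here: this is not the post's code and not the real Uconnect derivation (which is not public), so `time_seeded_password` is a hypothetical stand-in that hashes the first-power-on clock and shares only the property that the clock is its sole input, while `random_password` shows the CSPRNG-based fix. With a shared factory clock, the space collapses from a nominal 2^47 to about 60 candidates, which is the whole point of step C.

```python
import hashlib
import math
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LEN = 8
# Constructed stand-in for the identical clock value every unit leaves the line with.
FACTORY_CLOCK = datetime(2000, 1, 1, 0, 0, 0)

def time_seeded_password(first_power_on: datetime) -> str:
    """Flawed scheme (hypothetical model): the clock at first power-on is the only input."""
    seed = first_power_on.strftime("%Y%m%d%H%M%S").encode()
    digest = hashlib.sha256(seed).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LEN])

def candidate_passwords(window_seconds: int) -> list[str]:
    """Every password the flawed scheme can emit for a first boot within
    window_seconds of the shared factory clock: this is the whole search space."""
    return [time_seeded_password(FACTORY_CLOCK + timedelta(seconds=s))
            for s in range(window_seconds)]

def random_password() -> str:
    """Corrected scheme: each symbol comes from the OS CSPRNG, independent of the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))

def search_bits(candidates: int) -> float:
    """Effective entropy of a password drawn uniformly from `candidates` possibilities."""
    return math.log2(candidates)

def covered_by_window(boot_offset_seconds: int, window_seconds: int = 60) -> tuple[bool, int]:
    """For a unit first booted boot_offset_seconds after the factory clock: is its
    password inside the window-sized candidate list, and how long is that list?"""
    actual = time_seeded_password(FACTORY_CLOCK + timedelta(seconds=boot_offset_seconds))
    candidates = candidate_passwords(window_seconds)
    return actual in candidates, len(candidates)

def random_in_window(window_seconds: int = 60) -> bool:
    """Same check for the corrected scheme; the clock tells you nothing about it."""
    return random_password() in candidate_passwords(window_seconds)

if __name__ == "__main__":
    print("nominal 8-char search space: %.1f bits" % search_bits(len(ALPHABET) ** PASSWORD_LEN))
    print("one year of seconds (the post's 'millions'): %.1f bits" % search_bits(365 * 24 * 3600))
    print("shared factory clock, 60 s boot window: %.1f bits" % search_bits(60))
    print("flawed password of a unit booted at +37 s is in the 60 candidates:", covered_by_window(37))
    print("CSPRNG password is in those candidates:", random_in_window())
```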

Registered · 12 Posts
> 3) The V850 controller in stock form only allows you to listen to the CAN bus.

I'm not so certain that is true, since the dash is able to display information from the radio. I have also been under the impression the fancier Uconnect radio is able to perform firmware updates on all the vehicle's systems. If the latter is true, then that means the fancier Uconnect radio has access to all three CAN bus connections I've found in the vehicle, either directly or via an ECU performing gateway functions somewhere. I can confirm the more generic Uconnect radio has only the interior CAN bus that runs at 125 kbps (pins 3 & 11 on the OBD-II port).

Registered · 162 Posts
raz-O, the part you are missing is that QNX is a derivative of Minix, a cousin of Linux. The files you download to update your Renegade's head unit are not encrypted. That doesn't mean there aren't integrity checks in place, BUT it does mean that you can run files through a hex editor before you install them in your Jeep. Just something to think about...

Registered · 1 Post
We have a 2016 Jeep Renegade, and on April 15, 2019 the car lost its power steering without warning while driving 75 mph on the interstate. My daughter slowed down to about 45 mph while making her way to the nearest exit; the car came to an abrupt stop, from 45 to 0. The car would not turn back on; it took about two minutes before the car would start again. The car started, and she got it to a Jeep dealer about five miles away. They hooked the car up, and it had 40+ warnings come up in the computer. Bottom line, they updated some of the computer modules, test drove it and sent it home with her. She drove it 3 1/2 hours home and did not have any issues. The next morning she drove it 20 miles and she abruptly lost her power steering again while driving 60 mph; the dash lit up with warning lights, etc. She brought it right to the dealer again; they hooked it up to the computer, found tons of warnings again, cleared them and tried repeating the problem. After they had it for two weeks, we picked it up. She drove to town the next day and again lost her power steering, this time driving only 20 mph. She drove it to me with no power steering; the dash lights were black with nothing but tons of warning lights, the temperature turned to cold and the fan switched to high, the car would not shut off and she had to manually lock her car. We left the car for a bit and returned later, having to insert the key to unlock the door; it did shut off now and later powered on with everything back to normal. So it is now currently sitting back at the dealer, and they called after having it for one week and stated they cannot find anything wrong or duplicate the problem.
Anyone have issues like this? I am concerned something has been hacked... she got a new (refurbished) Apple phone exactly one month prior to the first incident.
My plan is to pick it up from the dealer and drive it myself to test this theory. The car dealership seems to be oblivious to any type of hacking possibility.
Appreciate any suggestions.