I've heard it said that the threat revolved around the WiFi hotspot, which I will never use anyway.
I was also under the impression that you pay for WiFi separately, so you wouldn't have it if you didn't pay for it.
Good info, though, for those who might have some use for that feature.
Here's an actual article with an explanation of how it works.
https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493
The site is slow as heck to load, so I'll give the cliffs notes version.
1) The head unit is networked via Sprint and via wi-fi if you have one capable of that.
2) The head unit is air gapped from the system except the V850 controller.
3) The V850 controller in stock form only allows you to listen to the CAN bus.
4) They figured out how to force a firmware update on the V850 chip and also figured out how to hack the firmware image to enable two-way communication on the CAN bus. This last bit is apparently the REALLY hard part and what they have not publicly disclosed. At fault here, you have whoever designed the V850 chip/firmware for it, and whoever architected its position in the vehicle networking. An air gap that can read the network isn't an air gap. It's an air gap simulation that only remains so if you don't alter the software.
So that's how they perform the control; it is in all likelihood massively irrelevant to any Renegade owner, as the 5.0RA2 is built on Windows Embedded Automotive and not QNX, where this was done. I'm not sure about the nature of the 6.5 OS and architecture. The really scary thing security-wise is how they get network access to the network, because that's where the stupid comes in on FCA's part, and is how the remote execution of the exploit would happen on any given system. Now I switch to letters.
A) The wifi network is protected with an automatically generated password that is generated by the car.
B) This password is generated when turning on the car for the first time, and is generated by an algorithm that uses the date and time down to second resolution. Theoretically the search space for a particular car to get the right password for THAT car is in the millions.
C) TRIGGER WARNING: There's lots and lots of stupid right about here, quit now if your blood pressure is high or stupid deeply offends you.
Ok ready?
Well, that algorithm for generating the password is full of stupid because it executes when the car is first turned on. It takes a few seconds to complete.
It doesn't take into consideration AT ALL that when any brand new vehicle comes off the line and gets powered up for the first time, they all come off the line with the date and time value set to the EXACT SAME date and time. Once you interact with one head unit to determine that date and time, the search space for the administrative password is now a search space of something less than 60 possibilities. Not checking your salt value is an epic level of stupid for something out in the wild on a public network that has as one of its tasks the act of not killing people. There was effectively zero entropy introduced to the salting process.
D) This now means that if you have the ability to do what they did to the V850 chip, you can do it to any Jeep vehicle on the network.
E) That network includes both the wi-fi network and the Sprint network.
F) Scary big brother bit here: Even if you do not pay for the service, your car is still connected to the Sprint network ALL THE TIME if you have the LTE modem in your car. (I'm guessing this is for E911 coverage.)
G) Using a femtocell (a device you can buy from a carrier to use your household network connection to compensate for spotty wireless coverage in your home) for the Sprint network, they were able to basically scan all the connections on the Sprint network and look for ones that responded to certain commands over the network in a manner that they knew the Cherokee's system did. This gets them a list of systems they can access. Generating this list would likely be time prohibitive if the password search space were not so cripplingly limited due to the badness in step C.
H) More big brother scary: You have a giant list of vulnerable head units; how do you find the one you want? That always-on LTE connection allows you to get the GPS coordinates of the vehicle. If you know where the vehicle is, get the coordinates from all of them, and pick the IP address that gives back those coordinates, or the closest to them.
I) Now you have the IP address, a network connection, and access to the head unit of the vehicle you want, and you engage in steps 1-4 from earlier with that vehicle.
So what does this mean in terms of end users?
- Turning off your wi-fi does jack for you in terms of total vulnerability, as the vulnerability is accessible via either the wi-fi network or the Sprint network.
- The Uconnect software update for the 6.5AN, if it gets you anything related to this, probably changes the LTE modem/router's administrative password. I would hope it also fixes the originating source of the problem from C.
- The Renegade has been listed as not vulnerable. From reading this, in all likelihood we are definitely vulnerable to the vector if not the exact method. This may be because we all have Windows Embedded Automotive as the OS, or because we all lack a V850 chip. However, I suspect the networking issues as a vector are there for pretty much any car with these kinds of services.
- Sprint also took some unspecified action. I suspect they took some measure that limits the ability of someone attached to the network to scan everyone connected to the network, or, more limited, locked down some port the scans occurred on. Maybe partitioned the bulk inactive subscription people somehow. Regardless, they did something. The Renegade people are likely a beneficiary of this action, but it protects you not at all from exposure over wi-fi if you have that turned on.
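The entropy problem in point C above, shown as an added illustration that is not code from the post, from the linked article, or from FCA/Uconnect. The derivation routine here is a constructed stand-in (the real algorithm is not on the page): a password computed only from the first-boot clock, truncated to seconds, next to the same count done for a derivation that draws from the OS random source. The point it demonstrates is the one the post makes: if every unit leaves the factory with the same clock value, the number of distinct passwords the clock-seeded scheme can ever produce is bounded by the width of the boot window in seconds, regardless of how long the password string is.

```python
"""Constructed example: clock-seeded password derivation vs. CSPRNG-seeded derivation.
Neither function is the Uconnect algorithm; both are hypothetical stand-ins."""
import hashlib
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LENGTH = 12

# Hypothetical factory-default clock value shared by every unit (placeholder date).
FACTORY_DEFAULT = datetime(2000, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


def weak_generate_password(first_boot: datetime) -> str:
    """Hypothetical weak scheme: the only input is the first-boot time, rounded to
    whole seconds. The same second always yields the same password, so the output
    has no more entropy than the timestamp does."""
    seed = int(first_boot.replace(microsecond=0).timestamp()).to_bytes(8, "big")
    digest = hashlib.sha256(seed).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LENGTH])


def candidate_space(window_seconds: int, start: datetime = FACTORY_DEFAULT) -> set[str]:
    """Every distinct password the weak scheme can produce if first boot is known to
    fall within window_seconds of a known start time. For a factory default known to
    within a minute this is at most 60 strings, whatever the password length."""
    return {weak_generate_password(start + timedelta(seconds=s)) for s in range(window_seconds)}


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy actually delivered by the weak scheme under that window (log2 of the
    candidate count), to compare against the nominal strength of the string."""
    return math.log2(len(candidate_space(window_seconds)))


def nominal_entropy_bits() -> float:
    """What a 12-character password over a 62-symbol alphabet looks like it offers."""
    return PASSWORD_LENGTH * math.log2(len(ALPHABET))


def strong_generate_password() -> str:
    """Hardened alternative: every symbol comes from the OS CSPRNG. The clock is not
    an input, so identical factory state on every unit changes nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))


def strong_has_no_repeats(samples: int = 1000) -> bool:
    """Sanity check that independent draws do not collapse onto a small set."""
    return len({strong_generate_password() for _ in range(samples)}) == samples


if __name__ == "__main__":
    print(f"nominal strength: {nominal_entropy_bits():.1f} bits")
    print(f"weak scheme, 60 s window: {effective_entropy_bits(60):.1f} bits "
          f"({len(candidate_space(60))} candidates)")
    print(f"strong scheme, 1000 draws distinct: {strong_has_no_repeats()}")
```

The nominal figure is about 71 bits; the clock-seeded scheme under a one-minute window delivers under 6. Checking that the seed actually varies between units (the "salt value" the post refers to) is the test the design needed, and drawing the seed from the platform's random source rather than the clock is the fix.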