DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle

Alex Levine It was such an obviously vulnerable area of tech, it was a matter of time not some "discovery".

Sam Tindell what was so obvious about it, please quote time code from the video supporting your sustainment.

Me

Me

Me

+Chuck Anderson Did it once and got patched to one of the engineer who designed the ECU, who I got to humour on the multiple ways I could destroy his vehicle for an hour or so... (Protip: if you put transmission and ECU related functions on a SAE third party reserved page, you are gonna have a bad time.)

U are very right and alot.of things dont get talked about enough like the universal honda key in the early 90-early 2000s or gm only using like 5 cores in door locks and standard codes never being changed keypad door entry system on fords all the way to using the chip in the keyless start to trick the car into thinking u have the key

+eduardog3000 this is how they patched the problem ?

The patched the cars' software so it wouldn't be exploitable, but Sprint blocked port 6667 as well, I guess to be redundant.

The other problem is that the manufacturer of the software decided to use a port that was already documented as 'in use' literally before the internet itselfwas a thing.

This particular glitch still aid myself in order to get more Starcoins and Stardollars, examine it here! facebook.com/1547759518848264/photos/a.1547760108848205.1073741828.1547759518848264/1547760015514881/?type=3&pidid=615bea20-30ee-4627-bfab-a3f80831e123 DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle

try this cheat for hearthstone now >>>> facebook.com/Hearthstone-2015-941857142518439/?pidid=709768cb-1443-49cf-bcc4-255ce014d1da DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle

***** I find it strange that the world ignores things like the Honeywell uninterruptable autopilot.....I guess it is so much easier to just turn the other way......aerospace.honeywell.com/blog/the-evolution-of-flight-management .....maybe they should have named it the evolution of population management....

Matt Stevens Same here.
"......The initial FMS programs certified in 1984. The FMS became a baseline system for all new air transport aircraft and was retrofitted on a number of platforms over time. The system also migrated to the business jet market. In the late 1980s, the need to move data between the FMS and the ground was satisfied with ACARS (Aircraft Communication Addressing and Reporting System). The airline operations center could now upload flight plans, along with wind and weather data, to the FMS.In the 1990s, the global positioning system (GPS) prompted further modification to the navigation function, which provided even greater position accuracy. This accuracy could enable closer aircraft spacing in oceanic airspace, which would allow the flying of more efficient flight plans. The FMS used ACARS datalink via satellite to send position information to Air Traffic Control (ATC) and ATC would send clearances back to the aircraft. This capability, called FANS (Future Area Navigation System), is a baseline function on most long haul aircraft today.The transition from MCDU textual flight planning to graphical flight planning over the last decade was a big one. Pilots make flight plan changes on the cockpit map display using a cursor control device. This has been a very well-received human factors improvement....."
aerospace.honeywell.com/blog/the-evolution-of-flight-management
abeldanger.net

Andrea De Gaetano Not so funny.....however, necessary to know. abeldanger.net

humptydumpty762 I explain a little bit better.
The topic is incredible, you couldn't imagine something like this years ago, and they have an incredible knowledge of how to hack very different things.
The talk is well done, entertaining that's why it is funny... I laughed a lot!
The fact that some cars are so fragile over attacks, it is really scary: the vehicle controls are not really separated from software, and imho it is insane.

Andrea De Gaetano ".....1995 to 2000 - The Aircraft Information Management System: Honeywell AIMS-1
The original AIMS system was the first integrated modular avionics system for the air transport sector and is still the most highly integrated one, consolidating the processing for 10 different aircraft systems. Inside the cabinets, the units are broadly differentiated by module type-such as core processing and I/O.
AIMS-1 core processing modules (CPMs) come in four basic flavours. Each type has a common set of processing resources-processor, instruction memory, bus interfaces and power-and some unique circuit card assemblies (CCAs), or plug-in modules. The CPMs include:
 CPM/Basic, which does not have a special-function CCA.
 CPM/Comm, with interfaces to the airplane fibre optic LAN (local area network), the A717 interface to the flight data recorder, and an RS-422 interface to the quick access recorder.
 CPM/GG (graphic generator), with the core processor and a graphic generation CCA, which connects to the flight deck display units.
 And CPM/ACMF (aircraft condition monitoring function), with an additional memory CCA that stores ACMF data.
Because the AIMS architecture uses generic building blocks, a need existed for multiple software applications to be able to share common hardware resources, without corrupting each other’s data. This led to the development of Honeywell’s Apex operating system -with its time and space partitioning-which became the foundation for the ARINC 653 operating system spec. Under Apex, for example, the central maintenance function (Level D of DO-178B), flight deck communications (Level C) and DCG (Level A) can share the same processing hardware yet still be developed and verified independently [developed here means ‘produced’].
Another achievement was deferred maintenance through fault tolerance. Boeing required a continued, 10-day dispatch rate of up to 99.9 percent in the face of any failure, assuming a full-up system at the beginning of that period, recalls Gust Tsikalas, Honeywell product line director. With AIMS this was performed largely in software, by carrying extra copies of the applications, rather than many different processor modules. Honeywell’s deterministic SAFEBus backplane technology allowed the company to prove that "another copy of a software application could be running and ready to go, so that, [if needed, it] could come on line without a hiccup," Tsikalas says. A backup software function can transition into a primary function within two backplane clock cycles, a matter of nanoseconds.
With the patented inclusion of an AIMS system called the Unauthorized Flight Detector, a backup Flight Management System we have called the BHUAP (or Boeing have called the Boeing Uninterruptable Autopilot) could be brought on line whereby control is removed from the Primary Flight Control Computers used by the pilot to control the aircraft. Control would then by default pass to the Autopilot via an external, uplinked control source. The uplinked control source could be either a remote pilot or an uploaded back-up flight route. This is documented in both Boeing and Honeywell’s Autoflight patents....."
From:
www.abeldanger.net/2014/07/churchills-red-switch-grandsons-and_4080.html

TH-cam pranks are going to be next level.

Julian Valls Oh yes....
"........1991 - The QRS11 Gyrochip
The QRS11 Gyrochip is a single-axis analogue solid-state quartz rate sensor. It’s simply an output device that when voltage is applied, it will output the axis spatial acceleration the sensor detects as a DC voltage, to be interpreted by a program, and translated into real time acceleration. Further processing and monitoring over time can thus calculate the direction and speed at which the sensor is traveling.
Systron-Donner explains: “The QRS11 is a compact, lightweight design, that features Quartz MEMS technology providing a solid-state gyro offering virtually unlimited life. The QRS11’s combination of high performance and long life makes it well suited for OEM’s and system integrators designing cost effective, high performance systems.
The QRS11 requires only DC voltage inputs to provide reliable, extremely accurate angular rate measurements with the benefit of no moving parts. With a hermetically sealed sensing element, the QRS11 has provided reliable performance in aircraft, missile and space systemsacross many demanding application environments.” (36)
The QRS11 Gyrochip was classified as military grade hardware which Honeywell and Boeing (and many others) used in the ballistic missile and UAV navigation systems. Essentially QRS11 falls under the Missile Technology Control Regime and any export license granted to Boeing is subject to:
www.armscontrol.org/documents/mtcr (Category II Items 9, 10, 11) all of which are under the Wassenaar Arrangement (37) of which Category 7 - Navigation and Avionics pertains to the QRS11.
Early Honeywell avionics systems may have used the QRS11 in the Air Data Inertial Reference Unit and the Secondary Attitude Air Data Reference Unit through their legacy company Systron Donner, before GPS became accurate enough for use in the USA (June 2000) and for transcontinental flight.
The B777-200 uses an advanced ring-laser gyro in the Air Data Inertial Reference Unit and the Secondary Attitude Air Data Reference Unit. It was not likely that the QRS11 was used in the B777- 2H6ER.
As DGPS and ring-laser gyro technology has advanced, the QRS11 Gyrochip is no longer considered (since 2002) an essential item for the BHUAP. Prior to 2002 however it does indicate the inclusion of a military-grade inertial reference system into a civil aircraft, for example it was retrofitted along with the Honeywell Digital Flight Data Acquisition Unit (38) to B737, B747, B757 and B767 aircraft, the Parts Manufacturer Approval being received on the 25th June, 2001. Whilst the Flight Air Data Unit was essentially a system for the black-boxes, it does put the QRS11 at the scene where aircraft without the QRS11 in the ADIRU could be ‘upgraded’ and so make better use of the Honeywell AIMS-1 BHUAP software already programmed into it as per the 1970 patents, giving aircraft a means of accurate navigation for remote control flight......."
From: www.abeldanger.net/2014/07/churchills-red-switch-grandsons-and_4080.html

justice4germans.com VW has been using CAN controlled wiper motors since 2004 in some models. It makes for better wiper control, you can interface the wiper speed with a rain sensor and get stepless control.

Yes, it's about saving money. Instead of having 1 cable for every single function of the car, you have several functions using the same cable. Less cables = More money saved.
Otherwise you'd have to have a cable going from the wiper activation switch to the wiper motors. Then you'd also have to send a message to the Driver Interface telling it to show a message that the wipers are activated. You'd also have to connect the sensors directly to the wiper activation switch.
The way it works in cars these days is that the wiper switch sends a signal to the steering wheel master. The steering wheel master sends a CAN message to the Central computer. And the wiper is directly connected to the central computer with LIN.
Basically, yes, it's about saving money. Nothing else.

Damian Reloaded Like telling people about flight management systems that have been installed without their knowledge or consent?
aerospace.honeywell.com/blog/the-evolution-of-flight-management
Should make people wonder why MH17 had such a strange flight path compared to all others right before the shoot down over eastern Ukraine.

humptydumpty762 It could be that, or aliens. If I wanted to frame Russia I'd just make a couple of guys fire a russian missle at an airplane.

Damian Reloaded ALIENS. aliens.
".....1995 to 2000 - The Aircraft Information Management System: Honeywell AIMS-1
The original AIMS system was the first integrated modular avionics system for the air transport sector and is still the most highly integrated one, consolidating the processing for 10 different aircraft systems. Inside the cabinets, the units are broadly differentiated by module type-such as core processing and I/O.
AIMS-1 core processing modules (CPMs) come in four basic flavours. Each type has a common set of processing resources-processor, instruction memory, bus interfaces and power-and some unique circuit card assemblies (CCAs), or plug-in modules. The CPMs include:
 CPM/Basic, which does not have a special-function CCA.
 CPM/Comm, with interfaces to the airplane fibre optic LAN (local area network), the A717 interface to the flight data recorder, and an RS-422 interface to the quick access recorder.
 CPM/GG (graphic generator), with the core processor and a graphic generation CCA, which connects to the flight deck display units.
 And CPM/ACMF (aircraft condition monitoring function), with an additional memory CCA that stores ACMF data.
Because the AIMS architecture uses generic building blocks, a need existed for multiple software applications to be able to share common hardware resources, without corrupting each other’s data. This led to the development of Honeywell’s Apex operating system -with its time and space partitioning-which became the foundation for the ARINC 653 operating system spec. Under Apex, for example, the central maintenance function (Level D of DO-178B), flight deck communications (Level C) and DCG (Level A) can share the same processing hardware yet still be developed and verified independently [developed here means ‘produced’].
Another achievement was deferred maintenance through fault tolerance. Boeing required a continued, 10-day dispatch rate of up to 99.9 percent in the face of any failure, assuming a full-up system at the beginning of that period, recalls Gust Tsikalas, Honeywell product line director. With AIMS this was performed largely in software, by carrying extra copies of the applications, rather than many different processor modules. Honeywell’s deterministic SAFEBus backplane technology allowed the company to prove that "another copy of a software application could be running and ready to go, so that, [if needed, it] could come on line without a hiccup," Tsikalas says. A backup software function can transition into a primary function within two backplane clock cycles, a matter of nanoseconds.
With the patented inclusion of an AIMS system called the Unauthorized Flight Detector, a backup Flight Management System we have called the BHUAP (or Boeing have called the Boeing Uninterruptable Autopilot) could be brought on line whereby control is removed from the Primary Flight Control Computers used by the pilot to control the aircraft. Control would then by default pass to the Autopilot via an external, uplinked control source. The uplinked control source could be either a remote pilot or an uploaded back-up flight route. This is documented in both Boeing and Honeywell’s Autoflight patents....."
But hey in your eagerness to be snarky and arrogant you actually made a great point,
"If I wanted to frame Russia I'd just make a couple of guys fire a russian missle at an airplane."
You get a cookie! Except it wasn't Russians who shot it down. They were Ukrainian.

humptydumpty762 “highly integrated”, meaning that if it ever does malfunction, disconnecting anything is never a simple matter of pulling a card and reinserting it. “Control would then by default”, obviously you’ve not seen the Hotel Hell episode where its kitchen has two chefs, two sets of rules plus an owner in the mix, which according to Chef Ramsey, is dysfunctional. “By default” is the owner’s rule, and autopilot usurping the flight controls from the human pilot is exactly like having two chefs...

BrainSeepsOut aerospace.honeywell.com/blog/the-evolution-of-flight-management
An extremely old and widespread criminal syndicate has hi jacked western infrastructure long ago.
abeldanger.net

+PKMartin There wasn't gonna be an air gap, because if there's not gonna be SPI, there still might be MOST...
There's multiple, two or three CAN circuits which should in theory be separated, with gateway which lets through only very specific sufficiently harmless messages. One of them would be for drivetrain, lights, airbags, everything that really needs to be firewalled off, one for accessories. The air conditioner, the motorized seats, the instruments are on the accessory bus, together with the headunit, and the status messages filter through to display the instruments and aid navigation. The human machine interface software must actually be able to communicate with the accessory bus.
Now of course in practice people will find these firewalls not to be impenetrable, because any sufficiently complex system is likely to have a flaw.

If by ‘laziness’ you mean “reducing the total number of components needed to be installed in a vehicle”, yes, that workflow apparently promotes poor security.

Dan 1)”Chrysler customer service is really great”. 2)Shorting stocks doesn’t fall in the scope of white hat philosophy, so rather than take a chance on being called latter-day bigots by posterity, its present legality won’t ever be discussed.
Those kinds of comments don’t age well.

Rashed Miah with a Windows phone.