The Flaws that Allow Hackers to Remotely Access Cars

Its security holes in a software could have caused all transmissions to go into neutral for a million

cars

. Their creators do not know them. You can find it yourself. You can hire someone to find it or you can be attacked. It can be exploited. For covert attacks, our ultimate goal is not to attack but to defend, they are coveted by

hackers

and spies alike. We are going to use all the national power of the US to protect our interests and those of our allies, but what do they want? Hackers look for them because they call them zero days, but most people have no idea what they are, simply put, a zero day is a flaw in a specific piece of software, a vulnerability that the software company doesn't even know about. that code could be. running on everything from your iPhone to your computer's webcam to the network that protects the Pentagon, and if these holes aren't patched with new code,

hackers

can design exploits or figurative torpedoes to attack the software Charlie Miller discovered one of the most amazing.

Zero days in recent history. He is a former NSA hacker and world-renowned security researcher based in St. Louis. In 2015, he and a partner found a way to

remotely

hack Chrysler models with a specific computer system and could do it among thousands. Thousands of kilometers away and it wasn't just turning up the music or turning on the air conditioning, they could seriously damage a car on the road. I contacted Charlie and asked him if he would hack one of these

cars

while I was behind the wheel. I'm Ben Charlie, how's he doing? This is the car, this is, yes, you are ready to be hacked, yes, so what part of this car exactly did you target that was hackable?

So this part here is called the main drive and that's the part that we actually hacked, the fact that it's on the Internet, we were able to talk to it and there was a vulnerability that

allow

ed us to run the code, we were able to do it

remotely

, but it was We told Chrysler and they fixed it. now you can't do it remotely anymore, how long did it take them to patch it? Chris and I told them about this and for nine months they were working on it and then once we publicized it, they fixed it within a year. week, so once everyone was really upset, they fixed it very quickly, so now I'm physically connected to the main unit, okay, so I can start showing you some things here.

Which was? I guess that's the most dangerous thing you could do. The car with this particular trick probably the scariest thing we could do is when you stop, we can get to where the brakes stop working and then you'll start moving forward again, so we'll stop, yeah, but now. we're not stopped, oh man, I don't like that sound at all, yeah I know, so the brake pedal just won't go down, jeez, so you wanna see some steering and stuff, yeah, check out some steering, okay, so go. somewhere where we can go backwards so that in reverse you can, oh yeah, turn the wheel as much as you want, hands-free, yeah, that's for sure, there's really no scenario where you think a hacker gets

access

to a vulnerability in a car that is connected to the Internet that a million cars could shut down.

He could have done it like this, even if they were driving on a highway. He could have put all the transmissions in neutral for a million cars, including the cars that go, you know. 100 miles per hour yeah, you know, obviously that wasn't my intention, right? My intention was simply to show that it could happen. Car companies are as new to this as most car companies, you don't even know who you would contact. tell them you find a vulnerability, but the crazy thing is that even when researchers tell a car company about a security hole in their software, they are often scorned for discovering it in the first place when people complain about people like me that find vulnerabilities.

They don't realize that we're not putting the vulnerabilities in the product, they're already there reporting the bugs that's what fixes them and I mean, that's the good thing. Do you find it ridiculous that companies don't pay for them? Ker didn't tell you anything right, no, I really didn't expect them. I think it's more ridiculous when big companies that have been doing this for a long time and have a billion dollars in the bank and you know they're promoting their security like that, it doesn't make a lot of sense to me since I was a consultant for many years and companies would pay me to come and find vulnerabilities for them and it's hard, if it wasn't hard they would do it.

Finding all the vulnerabilities well is like you know I worked really hard. Maybe I should get something for that. Charlie Miller did not receive a cent for his feat, but a year later, Chrysler changed its policy and became the first major automobile company. introduce a bounty program for hackers who find

flaws

in your software and it's not just the chers of the world who are willing to pay for them. Zero-days can be worth a lot of money to a software vendor, and for security companies that want to patch the hole at the same time, they can be sold through private brokers for more than half a million dollars to spy agencies or other covert operators. who use them for surveillance or sabotage my career as a professional penetration tester with those skills, obviously you know I could have been robbing banks and taking the money instead of being hired by the banks to see how they could be robbed, right? ktie murus is a security researcher who created Microsoft's first Bug Bounty program in 2013.

She lives in Seattle, but I met her in Vancouver, where I was attending a security conference people typically like to define in terms of white market and black market, but the black market actually implies that trading is illegal and at the moment it is not illegal to trade zero days or exploits, so I usually talk about them in terms of the defense market is an offensive market and do you think then that Are bug bounties the answer? Do you think hackers when they find these things should reveal them to the company? Well my goal in creating bug bounty programs is to really give hackers more opportunities to not just hand it over to the defense but also make money at the same time so they don't have to choose whether I do the right thing or make money they can do. the right thing and make money all software contains vulnerabilities its just a fact there are three ways you can know about it you can find it yourself you can hire someone to find it or pay a bug bounty if someone finds it or you can be attacked, point at the Canac West Conference in Vancouver, hackers are invited to find it. new ways to enter widely used software like Safari and Adobe Flash here in a competition known as pwn to own the team showdown for nearly half a million dollars in prizes.

Some teams have been working for months in advance developing and testing their exploits. Any defects they find will be revealed to suppliers so they can be repaired. Ben white. I met up with a volunteer named Whitey who agreed to show me around, so one of them is going down right now, here, yeah, yeah, so this is what's really starting. Now I see this, we have a 10 cent security team sniper, this is Keen Lab and PC Manager, the target is Adobe Flash with a system these guys are trying to get into a computer using their zero-day exploit for Adobe Flash , that was really, that was really strange.

You know, it's like designing a show and they just did it and you know it can seem anticlimactic. You know it's definitely not hacking that. You see things like that in a movie, but this is real and yet what? they just did it, they could, like you said, take down a company, oh, they could take down a company, they could wreak havoc, you know on the internet, the 10 cent security team sniper was finally declared master of communication, the Shanghai-based researchers working for China's largest Internet company won. This ridiculous smoking jacket also raised over $142,000 in prize money.

I met up with them after a super tame hacker rap party, so you won a pwn to own it, how does that feel really good? Yes, relaxed, you are relaxed now, weren't you relaxed before this? uh, the day before, I wasn't very nervous. Could you have sold those zero days to someone else and made more money? If so, why didn't you do it? Yes, in fact, during the conference uh kest uh, so some of the private companies come to us. someone actually reached out to you during KC West to pay for some of the exploits you had, yeah, who were you, no comment, no, and you guys didn't, you didn't want to, yeah, no, we never do now, those of us who They found.

In zero days, he discovered what they affect when the user browses the Internet, if such an error is involved. You can take control of users and even gain a system privilege, which means you will take full control of the system. Our ultimate goal is not to attack but to defend, yes, but if you want to defend and protect the user more, you need to find the most advanced way of attack, otherwise you can't, you will never know how to defend the user for the rest of the time. year, if you find zero days, what do you do with them?

We use an official channel. Open the suppliers' page and report it. Yes, report it. I'm in Vancouver for a cybersecurity conference. What I'm really looking for is more Intel. At Shady Zero Day Markets, people here tell me that I should talk to Emerson, since he has worked for a major government contractor, but has also been part of the hacking community for years and describes himself as a dark lord in recovery, at least according to his LinkedIn profile. I heard you have some questions. I want you to show me what the market for these exploits is really like.

Can you buy dark web exploits online from the black market? Well, it depends on what you mean, but exploits, as you know, come in a couple different flavors. um there are the ones that have already been patched and then there are the Odes that you wouldn't buy, if you're a criminal you wouldn't bother buying Odes, they're too expensive, um It costs a huge amount of money to test them to make them reliable. If you're a criminal, you just want what works, at the lowest cost for maximum performance, let's see what it's like, let's take a look. a real forum, like a real forum, it's the worst web design in the world, it's really cheap and cheesy and they don't care, so you can go there, you buy an exploit and it's usually an exploit that hasn't been patched well, no, has been patched. or has been patched, the thing to remember is that a large number of people around the world do not patch their systems, they do not patch their software, especially considering that a large amount of software that exists is not patched. bought legally is everything, everything is stolen, everything is stolen, those things are never updated, so that way you still have a huge tax area, yeah, billions, millions and millions and millions and millions of people, I mean, like them, this is this. brilliant, this is an android phone, it's my android phone, people put all their personal data and stuff on there and they know everything they need to go and steal your identity mhm, it's brilliant, but in terms of zero days no There is a place where you can buy a zero day.

I mean, I'm sure they exist, but to be completely honest with you, if you were, if you were a researcher, um, and you really wanted the best price, you wouldn't bother with these open markets. go and talk to a runner. I mean, the thing is, they all, this community is small, they all know each other. The runners know the spies, the criminals, the investigators and the re, yes, and the investigators, and then, depending on where you are. the world that you know, you know, that's the community that you sell to, it would be very, very strange, for example, since you know, as a Russian researcher, you would like to try to sell to a broker that is me.

You don't know that working for the Americans and you know that somewhere like China or Russia you know that selling to the opposition will get you a visit from some men in ill-fitting leather jackets, maybe some stockings or a bat. baseball. Have you ever dealt with an intelligence agency, we'll leave that question aside. I can't confirm or deny which Beltway is talking about to get any answer other than no, so the strange thing is that almost everyone has done it, yes, at some point, yes If you ever meet someone who says they're whiter than White, he's lying.

One of the reasons researchers are so easily tempted to sell zero-days to spy agencies is that governments are willing to pay a high price just to be able to hack specific data. The objectives that find a day zero tooThey can generate a large reward from the software companies that buy them to patch holes in their products. Apple recently announced that it would pay out bug bounties ranging from $25,000 to $200,000, depending on the vulnerability some bug hunters make. It works as a side job, but a few can make a living by finding zero days. Mark Lichfield is a professional bug hunter who claims to have earned hundreds of thousands of dollars in bug bounties over the past few years.

I headed to the gated community outside of Las Vegas. Vegas, where he lives and works. Oh wow, he has that closed community life. Hello how are you? Wait a minute, no problem, they say no, the association said no, no cameraman can't go back there yet unless you clear it with them and I don't believe it, he got into a golf cart, what do you think they were doing? Remember when it was easier to shoot the White House and the FBI? We didn't manage to penetrate the perimeter of Mark Lichfield's gated community, so I met Mark and his wife Carly Lynn at a nearby restaurant Hi Mark, Hi mate, how are you?

Pleased to meet you. I'm sorry for everything. That problem hey, no problem, how was the trip? I'm pen, it was good for me, yeah, it was good, I didn't realize it would be so safe, uh, in the Community, I guess so, it was, uh, they brought the whole Brigade in like a golf cart. USA, yes, they actually came to the house. I was hoping they were armed, but I don't think they were. Is Finding Zero Days difficult to make a living? It seems like you have a pretty good lifestyle here. I got it. Well, what's the most you've been paid for one day Zer?

On bug limiting programs, it's $15,000 just for one, just for one, yeah, okay, so let's say you're doing your thing at home and you find day zero on a particularly large user-based software, okay, what do you do with it? Do you report it? Interesting question, um, the first reaction would be yes, absolutely report it, um, but the second part of this is, um, with everything that's going on right now, um, my personal opinion on These are some states that could make a better use of this bug than just giving it to the supplier, so what do you mean what is happening today?

Isis CL, you know, North Korea, I mean, there's so much crap going on, if it's a chance. It came my way whereby I could give a zero-day vulnerability to an agency. Anyone who could use this, then I would give it to them and not report it. Have you ever done that before? Have you ever sold a zero day to a government? If you sold a government a zero-day, would you say no? A nice poker face for the Liv guy in Las Vegas. I don't play poker. Unpatched

flaws

and software can be used to hack almost anything that runs code from a smartphone.

In a car, those failures known as zero days are bought and sold to companies and governments. The US sometimes uses zero-day vulnerabilities for attack purposes, but there were also official guidelines, but when they are supposed to be disclosed to the software vendor, the rules are an attempt to balance the public's interest in protecting the security of The Internet and the government's interest in acquiring intelligence, so you can certainly imagine that if we were to discover that and find out about a vulnerability in, say, a piece of software that was widely used within the U.S. government is our ally or within our critical infrastructure, that it might be in our interest to purchase it so we can ensure that there is a patch.

I went to Washington to meet with Michael Daniel, he's Obama's cybersecurity coordinator. The administration and when you say the NSA is in a vulnerability if you look at those disclosure criteria and imagine the reverse right you have in a situation where we have a vulnerability that is in a very limited set of software or hardware. that's not very widely used um that could be frequently employed by our adversaries that um uh would give us unique

access

that we can't get any other way that's the kind of thing that we would retain Michael Daniel wouldn't get more specific about the type of zero days that the government maintains or the number, what I can say is that you know that we are going to use the full range of US national power to protect ourselves, our interests and those of our allies.

But not everyone is comfortable letting the US government judge what to do with a zero-day. Chris Seoyan is a privacy activist who tracks the zero-day market and has been sounding the alarm for years. Why? What is so critical of companies than selling zero days to the US government or any government you know. I really think there should be a public debate about the government's role in the zero-day market. I've been very bothered by the fact that for 5 or 10 years there has been a conversation in Washington DC about cybersecurity, but this was a missing piece and this is an essential piece of who U.S. government agencies target when they use zero-day exploits, you know it really depends, so for the NSA, that could be foreign leaders, They could be foreign corporations that have information that the US government considers to be of national security interest.

They could be terrorists on the side of law enforcement. You know that the FBI has tried to hack people who have downloaded or shared child pornography. People who have threatened with bombs. in schools, it really ranges from the most horrible and serious crimes to things that are, you know, teenagers making prank calls at home because I guess that's the point, although it's easy to be very critical of it because it sounds on the surface. quite malevolent, but there may be cases where the Zer day is used to hack a terrorist computer. It is the classic argument.

I'm less focused and less interested in who they use it against and more in what the side effects of the government's actions are. acquisition, storage and use of that vulnerability or that exploitation A couple of years ago there were protests in Ferguson and the Americans you know wake up with their morning newspapers showing pictures of armed personnel carriers, camouflage-clad police with machine guns and giving each other Realizing that their law enforcement had suddenly become militarized, they could see the triple trickle-down effect in which technologies designed for the military and intelligence community eventually trickle down first to the feds and then to state and local law enforcement agencies, and this has happened with armored personnel carriers. with tear gas it has happened with SWAT teams and drones and license plate readers and it will almost certainly happen with zero days and when you give those tools to the people who are going to operate them without much training and without much supervision, you know we're We're going to see abuse, we're going to see police officers spying on their ex-spouses or their next-door neighbor who's pissing them off.

I don't think America is ready for local cops to hack into computers, but we definitely are. We're on our way there, but it's not just local cops, spy agencies and hackers everywhere want them and they're not just for surveillance, they can be used as weapons to seize any physical object that runs with code, from a cell phone to a truck or a power plant. and that means that if zero-days fall into the wrong hands, they can be real threats to your privacy, individual freedom and even personal security, but as things stand there is no real consensus on whose hands they are in the wrong.