Chrysler Jeep Hack Exposes the Need for Application Hardening


If you watch the evening news or read any number of online news sources, then you likely saw a sobering story on hackers that took control of a Jeep while it was on the road and being driven. Fortunately this was a planned hack done for the purposes of awareness and it certainly achieved that! If you haven’t seen the story yet you can check it out at NBC NEWS.

In a follow up piece, NBC interviewed Mark Rosekind, administrator of the National Highway Traffic Safety Administration (NHTSA). In his words:

For these innovations to reach their true potential, we’ve got to account for, well, us — people, with all our failings and foibles. We will need to help folks who can’t tell a lidar from a coffee maker understand how these innovations work, and how they will make us all safer, so that the public embraces them. We must reassure vehicle owners that their data is secure, that their vehicle is secure, and that we are looking out for threats from hackers, thieves, and anyone else who might seek to tamper with safety-critical technology.

Really, any connected device needs to be treated much like applications from a security standpoint and use robust software protection schemes to prevent attacks and prevent the theft or tampering with proprietary algorithms. Today – in part as a result of the Internet of Things (IoT) – connected devices go beyond automobiles to refrigerators, washing machines, thermostats, and other household appliances. While hacks to these connected devices may not be as eye opening as the hack to the in-motion automobile, they are just as vulnerable.

Some of the vulnerabilities and security risks include:

  • Lack of sufficient bus protection. The signaling and communications bus, CAN bus, lacks the necessary protection to ensure confidentiality, integrity, availability, authentication, and non-repudiation.
  • Weak authentication. It’s very possible to re-program the ECUs illicitly.
  • Misuse of the protocols. Denial of Service (DoS) attacks via CAN; malicious error messages can be used to trigger the fault-detection-mechanism in CAN.
  • Poor protocol implementation. For example… reprogramming the ECU while the vehicle is moving is not allowed, however it is possible to launch commands that disable the CAN communication and set the ECU into programming mode while the vehicle is moving.
  • Information leakage and corruption. Hackers can manipulate the diagnostic protocol by sniffing ordinary diagnostic sessions and injecting modified messages.

Our Cryptanium Code Protection is the best solution for integrating with your existing applications delivering the next level of application obfuscation, self-defense and tamper resistance technology against piracy. Further, our solution will increase your efficiency — saving money and reducing limitations and risks.

Mobile Apps to Access

  • Mobile App Unlocks Vehicle (Code Protection and SKB)
  • Remote Start
  • Status of Vehicle
  • Authentication (Smartphone – Apple iOS, Android)

Operation of Car

  • Over the air updates (OTA) & status
  • Hacking into systems – threat to car manufacturer (Code Protection)
  • Vehicle data – threat to user (Data Protection – SKB)
  • GPS
  • Speed
  • Driving habits

Infotainment

  • Apps Integrity (Code Protection)
  • Media (Data Protection – SKB)

Chrysler just recalled 1.4 million cars after this story broke. With better protection they could have saved a TON of money – not to mention the hit on their credibility.