A pair of well-known hackers has found another way to take control of a Jeep Cherokee — this time while it’s moving at high speed.

Charlie Miller and Chris Valasek grabbed headlines last year by showing how they could kill a Jeep Cherokee’s engine while it was traveling down a highway. The news prompted an embarrassing recall of 1.4 million Jeeps and other vehicles by parent company Fiat Chrysler.

There’s more at Black Hat, such as a presentation about a threat to Amazon Web Services (AWS) users.

The talk: “Access Keys will kill you before you kill the password”


AWS users, whether they are devops in a startup or system administrators tasked with migrating an enterprise service into the cloud, interact on a daily basis with the AWS APIs, using either the web console or tools such as the AWS CLI to manage their infrastructure. When working with the latter, authentication is done using long-lived access keys that are often stored in plaintext files, shared between developers, and sometimes publicly exposed. This creates a significant security risk as possession of such credentials provides unconditional and permanent access to the AWS API, which may yield catastrophic events in case of credentials compromise.

(Read details at: https://www.blackhat.com/us-16/briefings.html )
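As an added illustration (not from the talk or the original article), here is a small audit of an AWS shared-credentials file that separates long-lived keys kept in plaintext from temporary session credentials. It assumes the standard INI layout of `~/.aws/credentials` and AWS's documented `AKIA` (long-term) and `ASIA` (temporary) key ID prefixes; the sample contents and function names are constructed.

```python
import configparser
import os
import re
import stat

# Constructed sample in the shared-credentials INI format; every value is fake.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretValueNotReal0000000000
[ci-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretValueNotReal1111111111
aws_session_token = constructedTokenNotReal
[sso-dev]
credential_process = /usr/local/bin/get-creds --profile dev
"""

KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{12,}$")

def audit_credentials(text):
    """Return {profile: finding} for each profile in a credentials file."""
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(text)
    findings = {}
    for profile in cp.sections():
        sec = cp[profile]
        key_id = sec.get("aws_access_key_id", "").strip()
        has_secret = "aws_secret_access_key" in sec
        has_token = "aws_session_token" in sec
        if not key_id:
            findings[profile] = "no-static-key"
        elif not KEY_ID.match(key_id):
            findings[profile] = "unrecognized-key-format"
        elif key_id.startswith("AKIA") and has_secret and not has_token:
            findings[profile] = "long-lived-plaintext-key"   # never expires on its own
        elif key_id.startswith("ASIA") and has_token:
            findings[profile] = "temporary-session-key"      # expires with the session
        else:
            findings[profile] = "incomplete-or-inconsistent"
    return findings

def readable_by_others(path):
    """True if group or other users can read the file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    for name, finding in audit_credentials(SAMPLE).items():
        print(f"{name}: {finding}")
```

Profiles reported as `long-lived-plaintext-key` are the ones the abstract warns about; a file for which `readable_by_others` returns true exposes them to other local accounts as well.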

In other Black Hat news with headlines from website Dark Reading:

  • Apple Finally Launches Bug Bounty Program
  • DDoS Attacks: Cybercriminals Are More Homegrown Than You Think
  • FBI Reportedly Took Months To Warn DNC That Russia May Be Behind Hackings
  • Hacker Creates Software Ratings System
  • ‘Nigerian Prince’ All Grown Up And Bilking Millions From Businesses Via BEC
  • 8 Alternatives to Selfie Authentication
  • Do Security Companies Need to Issue Warranties?

(Get details at: http://www.darkreading.com )

The Jeep hack

In front of a packed lecture hall at the Black Hat hacker conference on Thursday in Las Vegas, the pair demonstrated how they could again take control of the same 2014 Jeep Cherokee they hacked the year before. This time they sent false messages to its internal network, overriding the correct ones.

That allowed them to do new — and scarier — things, such as making the vehicle turn sharply while it was speeding down a country road. They also were able to make the vehicle unintentionally speed up, or remotely slam on its brakes.

“If you can steer a car at any speed, that’s pretty dangerous,” Miller said, as video showed the Jeep turning so hard and fast it left skid marks. Another turn sent it into a ditch alongside a Midwestern cornfield.

The pair’s previous hack only allowed them to do similar things if the Jeep was moving slower than 5 mph, making for a much less dangerous scenario.

This time, it was more about reverse engineering than actual hacking. They dissected why the vehicle’s safety systems prevented remote attempts to yank the car’s steering wheel or slam on its brakes if it was moving at more than 5 mph, but not at lower speeds, then looked for a way around that.

Fiat Chrysler said that while the company admired the pair’s creativity, Thursday’s presentation didn’t show any new ways to breach the Jeep remotely. It also argued that the attack couldn’t have been carried out remotely because of fixes made after the previous hack, which is something Miller and Valasek dispute.

The automaker added that the methods Miller and Valasek used were costly, time consuming and required extensive technical expertise.

The pair acknowledged that they did put quite a bit of time and effort into their hack and that it’s not something the average person needs to worry about falling victim to.

For their part, Miller and Valasek, who now work for the ride-hailing service Uber, said that after four years of hacking cars together, they’ve decided to move on. They encouraged other hackers to pick up where they left off.

“There’s no reason to think that this car company, or just American cars, is the only one that could be hacked,” Miller said.