The Flaws that Allow Hackers to Remotely Access Cars | Cyberwar

Captions
There are security holes in a piece of software. I could have made all the transmissions go to neutral for a million cars. They're unknown to their creators. You can find it yourself, you can hire somebody to find it, or you can be attacked. It can be exploited for covert attacks. Our ultimate goal is not to attack but to defend. They're coveted by hackers and spies alike. We are going to bring the full array of U.S. national power to bear to protect U.S. interests and those of our allies. But what do they want them [Applause] for?

They call them zero days. Hackers hunt for them, but most people have no idea what they are. Put simply, a zero day is a flaw on a specific piece of software, a vulnerability that the software company doesn't even know about. That code could be running on everything from your iPhone to the webcam on your computer to the network protecting the Pentagon. And if these holes aren't fixed with new code, hackers can design exploits, or figurative torpedoes, to attack the software.

Charlie Miller discovered one of the most mind-blowing zero days in recent history. He's a former NSA hacker and a world-renowned security researcher based in St. Louis. Back in 2015, he and a partner actually found a way to remotely hack into Chrysler models with a specific computer system, and they could do it from thousands of miles away. And it wasn't just turning the music up or jacking the AC. They could seriously mess up a car on the road. I got in touch with Charlie and asked him if he'd hack one of these cars while I was behind the wheel.

I'm Ben. Charlie. How's it going? So this is the car? This is it, yeah. You ready to get hacked? Yeah. So what part of this car exactly did you target that was hackable? So this part right here is called the head unit, and that's the part that we actually hacked. The fact it's on the internet meant we could talk to it, and there was a vulnerability that allowed us to, to actually get code running on it. We could do it remotely, but we told Chrysler about it and they fixed it, so
now you can't do it remotely anymore. How long did it take for them to patch it? Well, Chris and I told them about it, and for nine months they were working on it, and then once we sort of publicized it, then they fixed it within a week. So it was, once everyone was really upset, they fix it very quickly.

So now I'm physically plugged into the head unit, okay, so I can start showing you some stuff here. What was the, what was the, I guess, more dangerous thing you could do to the car with this particular hack? Probably the, the, the most scary thing we could do is when you come to a stop, we can make it to where then the brakes stop working and then you'll start going again. So we're stopped. Yeah. But now we're not stopped. Oh man, I don't like that sound at all. Yeah, I know. So the brake pedal just doesn't go down. Jeez. All right, so you want to see, like, some steering and stuff? Yeah, see some steering. Okay, right, so get somewhere where we can go backwards. So in reverse you can... oh yeah, crank the steering wheel as much as I want. No hands. Yep. That's safe. Not really.

Is there ever a scenario where you think a hacker gets access to a vulnerability in a car that's connected to the internet, that a million cars just could be turned off? I could have done that, just like that. Even if they were driving on a highway? I could have made them all, all the transmissions go to neutral for a million cars. So including cars that are going, you know, 100 miles an hour? Yes. You know, obviously that wasn't my intent, right? My intent was to just demonstrate that it could happen, right? Car companies are so new to this. Like, they, most car companies, it's, you don't even know who you would contact to, to tell them you find a vulnerability.

But the crazy thing is that even when researchers do tell a car company about a security hole in their software, they're often scorned for discovering it in the first place. When people complain about people like me who find vulnerabilities, they don't realize that we're not putting the vulnerabilities in
the product. They're already there. Reporting the bugs is what gets them fixed, and I mean, that's the good thing. Do you find it ridiculous that companies won't pay for them? Like, Chrysler didn't give you anything, right? No, I didn't really expect them. I think it's more ridiculous when huge companies that have been doing this for a long time, and they've got a billion dollars in the bank, and, you know, they're, they, they tout their security, like, that doesn't make as much sense to me. Like, I was a consultant for many years and, and companies would pay me to come in and find vulnerabilities for them, and it's hard, right? If it wasn't hard, they would find all the vulnerabilities themselves, right? It's like, I feel like, you know, I worked really hard, I should maybe get something for that.

Charlie Miller didn't get a dime for his exploit, but a year later Chrysler changed its policy. It became the first major car company to introduce a bounty program for hackers who find flaws in its software. And it's not just the Chryslers of the world who are willing to pay for them. Zero days can be worth a lot of money to a software vendor and the security companies who want to patch the holes. At the same time, they can be sold through private brokers for upwards of half a million dollars to spy agencies or other covert operators who use them for surveillance or sabotage.

My career as, as a professional penetration tester, with those skills, obviously, you know, I could have been robbing banks and taking the money as opposed to being hired by the banks to see how they could be robbed, right? Katie Moussouris is a security researcher who created Microsoft's first bug bounty program in 2013. She's based in Seattle, but I met her in Vancouver, where she was attending a security conference. People usually like to define them in, in terms of white market and black market, but black market actually implies that the trading is illegal, and right now it's not illegal to trade zero days or exploits. So I usually talk about them in terms of defense
market and offense market. And do you think, then, that bug bounties are the answer? Do you think hackers, when they find this stuff, they should be disclosing to the company? Well, my goal with creating bug bounty programs is really about giving hackers more opportunities to not just turn it over to defense but also make money at the same time, so they don't have to make a choice: do I do the right thing, or do I make money? They can do the right thing and make money. All software contains vulnerabilities. It's just a fact. There are three ways you can learn about it: you can find it yourself, you can hire somebody to find it or pay a bug bounty if someone finds it, or you can be attacked. Period.

At the CanSecWest conference in Vancouver, hackers are invited to find new ways to break into widely used software like Safari and Adobe Flash. Here, at a competition known as Pwn2Own, the teams face off for nearly half a million dollars in prize money. Some teams have been working for months in advance, developing and testing their exploits. The flaws they find will be disclosed to the vendors so they can be patched.

White. Ben. I met up with a volunteer named Whitey, who agreed to show me around. So is one of them going down right now, right here? Yeah, yeah, so this is, it's actually starting up n i watch this. We have Tencent Security Team Sniper. This is Keen Lab and PC Manager. The target is Adobe Flash with [Music] system. These guys are trying to break into a computer using their zero day exploit for Adobe Flash.

That was, that was really, that was really weird. You know, it's kind of like, uh, architecting a program. It, and they just did that, and, you know, it might seem anticlimactic. You know, it's definitely not hacking that you'd see in a movie, stuff like that, but this is, this is the real thing. And yet what they just did could, like you said, end a company? Oh, it could end a company. It could wreak havoc, you know, across the internet.

Tencent Security Team Sniper was eventually declared the Masters of Pwn. The
Shanghai-based researchers, who work for China's biggest internet company, won this ridiculous smoking jacket. They also collected more than $142,000 in prize [Music] money. I met up with them after a super tame hacker wrap party.

So you won Pwn2Own. How's that feel? Pretty good, yeah. Relaxed now. You're relaxed now? Were you not relaxed before this? Uh, the day before, not, not very nervous. Could you have sold those zero days to somebody else and gotten more money, and if so, why didn't you? Yes, actually, during the, uh, CanSecWest, uh, conference, so, uh, some, some of the private companies come to us. So somebody actually approached you guys during CanSecWest to pay for some of the exploits you had? Yeah. Who were they? No comments. No? And you didn't do it? Didn't want to do it? Yeah, no, we never do it.

Now, the ones you found, the zero days you found, what do they affect? When the user browse the internet, if such bug is involved, uh, it can take, take the user's control and even get a system privilege, which means, uh, it will take full control of the system. Our ultimate goal is not to attack but to defend, yeah, but, uh, if you want to defend and protect more on user, you need to, uh, to find, uh, the most advanced attack way, attacking way. Otherwise you cannot, you, you will not never know how to defend the user. For the rest of the year, if you find zero days, what do you do with [Music] them? We, we use an official channel, uh, opened by the vendors. And you report it? Yeah, report it.

I'm in Vancouver for a computer security conference. What I'm really after is more intel on shady zero day markets. People here tell me I should speak with Emerson Tan. He's worked for a major government contractor, but he's also been a part of the hacking community for years. Tan is a self-described recovering dark lord, at least according to his LinkedIn profile. I hear you have some questions. I want him to show me what the marketplace for these exploits really looks like.

So can you buy exploits in the black market online, dark web? Well, it depends what
you mean, but... So exploits, as you know, come in a couple of different flavors. Um, there are the ones that have already been patched, and then there are the 0-days. You wouldn't buy, bother, if you're a criminal, you, you wouldn't bother buying 0-days. They're just far too, ah, they're very, very expensive. Um, it costs a huge, huge amount of money to test them, to make them reliable. If you're a criminal, you just want the thing that works, um, for the lowest cost, for the maximum return.

Let's see it. What's it look like? Let's, let's have a look at a real, like, a real forum. It's the world's worst web design. It's really cheap and cheesy, and they don't care. So you can go on there, you buy an exploit, and usually it's an exploit that hasn't been patched? Well, no, it has been patched. Or has it, has been patched? What you have to remember is, is that huge numbers of people around the world do not patch their, so, do not patch their systems, do not patch their software, especially given that a huge amount of the, the software out there is not legally bought. It's all, it's all stolen, it's all nicked. That stuff never gets updated. So that, in that way, you still have a huge attack surface? Yeah, thousand, millions, millions and millions and millions and millions and millions of people. I mean, like, they, this is the, this is brilliant. This, this is a, this is an Android phone. It's my Android phone. People put all their personal details and stuff on there, and they, you know, everything, everything you need to go and steal their identity. Mhm. It's brilliant.

But in terms of zero days, there is no site where you can buy a zero day. I mean, I'm sure they exist, but to be perfectly honest with you, if you were, if you were a researcher, um, and you really wanted top dollar, you, you wouldn't bother with these open marketplaces. You'd go and talk to a broker. I mean, like, the thing is, every, they, this community is tiny. They all know each other. The brokers know the spies, the criminals and, and the researchers. And, and the re... Yeah, and the researchers. And then,
depending on where you are in the world, you know, you, you, you know that, that, that's the community that you, you, you sell to. It would be very, very odd, for example, for, you know, like, a Russian researcher to, you know, like, to try and sell to a broker who is, I don't know, working for the Americans. And, you know, somewhere like China or Russia, you know, selling to the opposition will get you a visit from some men in very ill-fitting leather jackets, maybe with a hose or a baseball bat, right?

Have you ever dealt with an intelligence agency? We'll shuffle that question off to the side. I can neither confirm or deny, which is Beltway speak for some answer other than no. So here's the weird thing, though, is, is that almost everybody has done it, yeah, at some, at some point. If you, if you ever meet anyone who says they're whiter than white, they're lying.

One of the reasons that researchers are so easily tempted to sell zero days to spy agencies is that governments are willing to pay a high price just so they can hack specific targets. Finding a zero day can also earn you a big payoff from software companies, who buy them in order to patch the holes in their products. Apple recently announced it would pay bug bounties that range from $25,000 to $200,000, depending on the vulnerability. Some bug hunters do that work as a side gig, but a select few can actually earn a living finding zero days. Mark Litchfield is a professional bug hunter who says he's earned hundreds of thousands of dollars in bug bounties over the past few years. I headed to the gated community outside of Las Vegas where he lives and works.

Oh my, wow. It's got that baller gated community life. Hello, how you doing? Hold on a minute. No problem. They say no. The association said no, no, camera can't go back there yet unless he get it clear with them, and I don't think so. She showed up in a golf cart. What do they think we're doing? Do you remember when the White House and the FBI was easier to shoot in? We didn't manage to penetrate the perimeter of Mark
Litchfield's gated community, so we met Mark and his wife, Carly Lynn, at a nearby restaurant.

Hey, Mark. Hey, mate, how you doing? How do. Nice to meet you. Sorry about all that trouble. Hey, no problem. How was a trip? I'm Ben. It was good. Me, yeah, it was good. I didn't realize it'd be that secure, uh, at community, I guess. Yeah, it was, uh, they brought the whole, like, golf cart brigade onto us. Yeah, that actually come up to the house. I have expected them to be armed, but I don't think they were.

So is it tough to make a living off of finding zero days? You seem to have a pretty good lifestyle here. Yeah, uh, I do okay. What's the most you've ever gotten paid for one zero day? Um, on the bug bounty programs, is, uh, $15,000. Just for one? Just for one, yeah. Okay, so let's say you're doing your thing in your house and you find zero day in a particularly large user-based software, okay? What do you do with it? Do you report it? Interesting question. Um, the, uh, first reaction would be yes, report it, absolutely. Um, but the second part of this is, um, with everything that's going on right now, um, my personal view on this is some, uh, states could make better use of this bug than, uh, just giving it to the, uh, the vendor. So what do you mean by what's going on nowadays? ISIS, CL, you know, North Korea. I mean, there so much crap going on. Uh, if an opportunity came my way whereby I could give a zero day vulnerability to an agency, whoever, um, someone that could use this, then I would abs give it to them and not report it. Have you ever done that before? Have you ever sold a zero day to a government? No. If you did sell to a government a zero day, would you tell me? No. A good poker face for a guy living in Las Vegas. I don't play poker.

Unpatched flaws in software can be used to hack into almost anything that runs on code, from a smartphone to a car. Those flaws, known as zero days, are bought and sold to companies and governments. The U.S. sometimes uses zero day exploits for attack purposes, but there were also official guidelines about when they're
supposed to be disclosed to the software vendor. The rules are an attempt to balance the public's interest in protecting internet safety and the government's interest in acquiring intelligence.

So you can certainly imagine that, um, if we discovered that, uh, and learned about, uh, a vulnerability in, say, uh, a piece of software that was either widely used within the U.S. government, our allies, or within our critical infrastructure, that it might be in our interest to actually, uh, purchase it so we could make sure that there was a patch for it. I went to Washington to meet with Michael Daniel. He's the cyber security coordinator in the Obama administration. And when does, say, the NSA sit on a vulnerability? If you sort of look at, uh, those criteria for disclosure and imagine the inverse, right, that you've got, um, a situation where we have a vulnerability that's in a very limited set of software or hardware that's not used very broadly, um, that might be frequently employed by our adversaries, that, um, uh, would provide us a unique access that we can't get any other way, those are the kinds of, uh, things that we would retain. Michael Daniel wouldn't get more specific about the type of zero days the government holds on to, or the number. What I can say is that, you know, we are going to bring the full, uh, array of U.S. national power to bear to, you know, protect U.S., U.S. interests and those of our allies.

But not everyone is comfortable leaving it up to the U.S. government to judge what to do with a zero day. Chris Soghoian is a privacy activist who tracks the zero day market, and he's been sounding the alarm for years. Why are you so critical of companies that are selling zero days to the U.S. government, or any government? You know, I really feel that there should be a public debate around the, the government's role in, on the zero day market. I've been really bothered by the fact that for 5 or 10 years there's been a conversation in Washington, DC about cyber security, but this was a missing piece, and this is an essential
piece. Who are the U.S. government agencies targeting when they're using zero day exploits? You know, it really depends. So for the NSA, that could be foreign leaders, it could be foreign corporations who have information that the U.S. government believes is of national security interest, could be terrorists. On the law enforcement side, you know, the FBI has attempted to hack people who've downloaded or shared child porn, people who've called in bomb threats to schools. It really runs the range of the most horrific and serious crime to things that are, you know, sort of teenagers making prank calls at home.

Because I guess it's, the thing, though, is it's easy to be very critical of it, because it sounds, in the surface, pretty malevolent, but then there may be instances where zero day is used to hack into a terrorist computer. It's the classic argument, right? I'm less focused and less interested on who they use it against and more on what are the side effects of, of the government's acquisition and stockpiling and use of that vulnerability or that exploit. A couple years ago, protests in Ferguson happened, and Americans, you know, wake up to their morning newspapers showing photographs of armed personnel carriers, police wearing camouflage, holding machine guns, and realizing that, that their, suddenly their law enforcement had become militarized. They got to see the trickle-down effect, where technologies that are designed for the military and the intelligence community eventually trickle down, first to the feds and then to state and local law enforcement agencies. And this has happened with armored personnel carriers, it's happened with tear gas, it's happened with SWAT teams and drones and license plate readers, and it will almost certainly happen with zero days. And when you give those tools to people who are going to be operating them without much training and without much oversight, you know, we're going to see abuses. We're going to see police officers spying on their ex-spouses or their, you know, their
next-door neighbor who's pissing them off. Uh, I don't think that America is ready for local cops to be hacking into computers, but we are definitely on our way there.

But it's not just the local cops. Spy agencies and hackers everywhere want them, and they're not just for surveillance. They can be weaponized to take over any physical object running on code, from a cell phone to an SUV to a power plant. And that means that if zero days fall into the wrong hands, they can be real threats to your privacy, individual freedom and even personal safety. But as it stands, there's no real consensus on whose hands are the wrong hands. [Music]
Info
Channel: VICE News
Views: 567,194
Keywords: zero days, cyberwar, flaws, car hacing, crysler, hacking, attack, hack, Cybersecurity vulnerabilities, Day one exploits, Security exploits, Exploitable software flaws, Advanced persistent threats, Cybersecurity risks, Software security flaws, Secret vulnerabilities, High-risk vulnerabilities, Critical software flaws, unreported, threat, undetected, unpatched, VICE News, VICE News Tonight, VICE on HBO, news, vice video, VICE on SHOWTIME, vice news 2024
Id: mp0SA6tECdg
Length: 22min 17sec (1337 seconds)
Published: Thu May 09 2024