Case Study 31.2: The Jeep Cherokee Remote Hack and Ring Doorbell Vulnerabilities
When IoT Meets Physical Safety — Connected Vehicles and Smart Home Devices
Background
Two landmark IoT security research projects demonstrate the breadth of risk when embedded systems connect to networks: Charlie Miller and Chris Valasek's remote exploitation of a Jeep Cherokee in 2015, which proved that connected vehicles could be remotely controlled by attackers, and the series of vulnerabilities discovered in Amazon's Ring doorbell cameras, which exposed the privacy and security risks of consumer IoT devices deployed in homes.
Together, these cases span the IoT security spectrum — from life-threatening automotive vulnerabilities to privacy-undermining consumer device flaws — and illustrate that the fundamental problems of IoT security (insufficient authentication, unencrypted communication, excessive connectivity, poor update mechanisms) are consistent across device categories.
The Jeep Cherokee Hack (2015)
Researchers. Charlie Miller, a former NSA employee, and Chris Valasek, director of vehicle security research at IOActive, had been researching automotive security since 2013. Their initial work demonstrated attacks requiring physical access to the vehicle's OBD-II diagnostic port. By 2015, they had achieved fully remote exploitation.
The Attack Chain. Miller and Valasek's attack targeted the 2014 Jeep Cherokee's Uconnect infotainment system:
1. Initial Access — Cellular Network. Uconnect connected to Sprint's cellular network for navigation, entertainment, and remote features. The researchers discovered that Uconnect's D-Bus service was accessible over the Sprint network. By scanning Sprint's IP address range, they could identify and connect to any Uconnect-equipped vehicle.
2. Code Execution on Head Unit. The Uconnect system ran QNX (a real-time operating system) and exposed a service that accepted commands over the cellular connection. Through a vulnerability in this service, the researchers achieved code execution on the head unit (infotainment computer).
3. CAN Bus Access. The head unit was connected to the vehicle's CAN (Controller Area Network) bus — the internal communication network that connects electronic control units (ECUs) throughout the vehicle. Critically, there was no firewall, gateway, or segmentation between the infotainment system and the safety-critical CAN bus.
4. Vehicle Control. Once on the CAN bus, the researchers could send messages to ECUs controlling:
   - Steering: turning the steering wheel at low speeds
   - Brakes: disabling the brakes
   - Transmission: shifting the transmission to neutral at highway speed
   - Engine: killing the engine
   - Climate control: blasting AC or heat
   - Radio: changing stations and volume
   - Display: displaying images on the dashboard
The Demonstration. In a widely publicized demonstration for Wired journalist Andy Greenberg, Miller and Valasek remotely exploited a Jeep Cherokee while Greenberg drove it on a highway. They disabled the transmission while the vehicle was moving at 70 mph on a St. Louis freeway, cut the brakes as Greenberg attempted to slow down, and manipulated the steering — all from a laptop miles away.
Impact and Response. The demonstration triggered:
- A recall of 1.4 million vehicles by Fiat Chrysler (now Stellantis) — the first recall in automotive history specifically for a cybersecurity vulnerability
- A patch distributed via USB drives mailed to vehicle owners (highlighting the challenge of updating embedded systems)
- Congressional action — Senators Ed Markey and Richard Blumenthal introduced the SPY Car Act (Security and Privacy in Your Car Act)
- Industry-wide reckoning — automotive manufacturers accelerated cybersecurity programs, hired security researchers, and began implementing vehicle security operations centers (VSOCs)
- Regulatory attention — NHTSA issued cybersecurity best practices for the automotive industry
Technical Lessons:
Network Segmentation is Critical. The Jeep's fatal flaw was the lack of segmentation between the internet-connected infotainment system and the safety-critical CAN bus. This is analogous to connecting a public-facing web server directly to a SCADA network — a practice that would be considered negligent in industrial settings.
The CAN Bus Protocol Has No Security. CAN (developed in the 1980s) has no authentication, no encryption, and no access control. Any device on the CAN bus can send any message to any other device. ECUs act on a message based on its arbitration ID alone, not on which node sent it — meaning a compromised device can impersonate any other device on the bus simply by transmitting frames with that device's IDs.
Cellular Connectivity Expands Attack Surface. The Sprint cellular connection made every Uconnect vehicle on the road remotely accessible to anyone who could scan Sprint's IP range. The vehicle's attack surface was not limited to physical proximity — it was the entire internet.
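The missing gateway described above can be modelled in a few dozen lines. The following is an added example, not code from Miller and Valasek's research or from any vehicle manufacturer: a segment gateway that only forwards frames whose arbitration ID is on a per-direction allowlist, and that rate-limits even allowed IDs so a compromised head unit cannot flood the powertrain bus. All arbitration IDs, rates and traffic below are constructed for the example and correspond to no real vehicle.

```python
"""Software model of an infotainment/powertrain CAN gateway (added example).

Frames crossing from the infotainment segment are dropped unless their
arbitration ID is allowlisted, and allowed IDs are capped at a frames-per-
second budget. IDs and limits are hypothetical, not taken from any vehicle.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID of a standard CAN frame
    data: bytes   # 0..8 byte payload
    ts: float     # receive timestamp in seconds


# Constructed policy: what the head unit legitimately needs to send towards
# the powertrain segment, with a per-ID budget of frames per window.
INFOTAINMENT_TO_POWERTRAIN = {
    0x3A0: 2,     # hypothetical "display acknowledgement", 2 frames/second
}


class SegmentGateway:
    def __init__(self, policy, window_s=1.0):
        self.policy = policy
        self.window_s = window_s
        self._seen = defaultdict(deque)   # arb_id -> timestamps in window
        self.dropped = []                 # (reason, frame) for the IDS/log

    def forward(self, frame):
        """Return True if the frame may cross the segment boundary."""
        budget = self.policy.get(frame.arb_id)
        if budget is None:
            # Steering, brake, transmission IDs are never on the allowlist,
            # so an impersonation attempt from the head unit stops here.
            self.dropped.append(("id_not_allowed", frame))
            return False
        if len(frame.data) > 8:
            self.dropped.append(("bad_dlc", frame))
            return False
        q = self._seen[frame.arb_id]
        while q and frame.ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= budget:
            # Legitimate ID, but sent faster than its budget: a flood.
            self.dropped.append(("rate_exceeded", frame))
            return False
        q.append(frame.ts)
        return True


def run_gateway(frames, policy=INFOTAINMENT_TO_POWERTRAIN):
    """Filter a frame sequence; returns (forwarded, dropped)."""
    gw = SegmentGateway(policy)
    forwarded = [f for f in frames if gw.forward(f)]
    return forwarded, gw.dropped


def demo_traffic():
    # Constructed burst from a compromised head unit: normal display acks,
    # one ack too many in the same second, and an attempt to spoof a
    # hypothetical steering ID (0x1F0) that must never cross the gateway.
    frames = [
        CanFrame(0x3A0, b"\x01", 0.0),
        CanFrame(0x3A0, b"\x01", 0.3),
        CanFrame(0x3A0, b"\x01", 0.6),          # third ack within 1 s
        CanFrame(0x1F0, b"\x00" * 8, 0.7),      # spoofed steering frame
        CanFrame(0x3A0, b"\x01", 1.2),          # window has moved on
    ]
    return run_gateway(frames)


if __name__ == "__main__":
    forwarded, dropped = demo_traffic()
    print(f"forwarded {len(forwarded)} frame(s)")
    for reason, frame in dropped:
        print(f"dropped 0x{frame.arb_id:03X} at t={frame.ts}: {reason}")
```

The allowlist is deliberately tiny: in a real gateway the policy is generated from the vehicle's signal database, and every drop is a detection event worth forwarding to the vehicle security operations center, because a head unit that starts emitting brake or steering IDs is compromised by definition.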
Ring Doorbell Vulnerabilities
Background. Amazon's Ring doorbell cameras became one of the most popular consumer IoT devices, installed on millions of homes for security monitoring. However, the devices themselves became a security liability through a series of vulnerability disclosures.
Credential Stuffing and Account Takeover (2019). In late 2019, multiple reports emerged of Ring camera accounts being compromised. Attackers used credential stuffing — automated testing of username/password combinations leaked from other data breaches — to gain access to Ring accounts. Because Ring did not enforce multi-factor authentication by default, reused passwords from other breaches gave attackers full access to:
- Live camera feeds (watching homes in real time)
- Two-way audio (speaking to and harassing occupants)
- Historical video recordings
- Device settings and WiFi network information
In one widely reported incident, an attacker accessed a Ring camera in an 8-year-old girl's bedroom in Mississippi, spoke to the child through the camera's speaker, and told her he was Santa Claus. Other incidents included attackers threatening families, making racist remarks, and demanding Bitcoin ransom.
WiFi Credential Exposure (2019). Bitdefender researchers discovered that Ring doorbells transmitted the owner's WiFi network credentials (SSID and password) in plaintext during the device setup process. When a Ring doorbell was being configured, it created an open WiFi access point and communicated setup information — including the home WiFi password — without encryption. An attacker within WiFi range during device setup could capture the home network credentials.
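The setup weakness above is easiest to see next to a hardened form of the same exchange. The following is an added example and is not Ring's or Bitdefender's code: `provision_plain` models credentials sent in the clear over an open setup access point; `provision_sealed` wraps them under a key derived from a pairing code printed on the device (something a listener in radio range does not have) and an HMAC tag so tampering is detected; `leaks_credentials` is the passive check a tester runs over a capture of the setup traffic. Because the Python standard library has no AES, the keystream is HMAC-SHA256 in counter mode as a stand-in for a real AEAD such as AES-GCM or ChaCha20-Poly1305. The pairing code, SSID and password are constructed.

```python
"""Plaintext vs sealed WiFi provisioning (added example, constructed values).

Message layout of the sealed form: salt(16) | nonce(16) | ciphertext | tag(32)
"""
import hashlib
import hmac
import json
import os
import struct


def provision_plain(ssid, password):
    """What an open, unencrypted setup channel exposes to any sniffer."""
    return json.dumps({"ssid": ssid, "password": password}).encode()


def _derive_keys(pairing_code, salt):
    # Slow KDF over the (low-entropy) printed pairing code; 64 bytes split
    # into an encryption key and an independent MAC key.
    master = hashlib.pbkdf2_hmac("sha256", pairing_code.encode(), salt, 100_000, 64)
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stand-in PRF stream, not a production cipher.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]


def provision_sealed(ssid, password, pairing_code, rng=os.urandom):
    """Credentials encrypted and authenticated under the pairing-code key."""
    salt, nonce = rng(16), rng(16)
    enc_key, mac_key = _derive_keys(pairing_code, salt)
    plaintext = json.dumps({"ssid": ssid, "password": password}).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(message, pairing_code):
    """Verify the tag first (encrypt-then-MAC), then decrypt."""
    salt, nonce, ct, tag = message[:16], message[16:32], message[32:-32], message[-32:]
    enc_key, mac_key = _derive_keys(pairing_code, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong pairing code or tampered message")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def leaks_credentials(captured, ssid, password):
    """Tester's passive check over a capture of the setup exchange."""
    return ssid.encode() in captured or password.encode() in captured


if __name__ == "__main__":
    plain = provision_plain("HomeNet", "hunter2!")
    sealed = provision_sealed("HomeNet", "hunter2!", "4821-7730")
    print("plain setup leaks credentials:", leaks_credentials(plain, "HomeNet", "hunter2!"))
    print("sealed setup leaks credentials:", leaks_credentials(sealed, "HomeNet", "hunter2!"))
    print("recovered by the device:", unseal(sealed, "4821-7730"))
```

The design choice worth noting is that a printed pairing code has little entropy, so a capture of the sealed message can still be attacked offline by guessing codes; the slow KDF raises that cost but does not remove it. A product-grade provisioning flow would use a password-authenticated key exchange so that an eavesdropper learns nothing usable from the capture, which is exactly the property an open setup AP needs.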
Unencrypted Video Transmission (2020). Researchers at the Electronic Frontier Foundation (EFF) found that Ring doorbell video was transmitted from the device to Ring's cloud servers without end-to-end encryption. While the connection to Amazon's servers used TLS, Ring (as the service provider) had access to unencrypted video. This was particularly concerning given Ring's partnerships with law enforcement — over 2,000 police departments had partnerships with Ring, raising surveillance and privacy concerns.
API Vulnerabilities. Security researchers found additional issues:
- The Ring API did not implement rate limiting on authentication endpoints, facilitating credential stuffing
- Session tokens had excessively long lifetimes
- Previous shared access credentials were not invalidated when sharing was revoked
- The Ring app exposed device configuration details through the API
Amazon/Ring Response. Ring eventually implemented:
- Mandatory two-factor authentication for all accounts (starting February 2020)
- Rate limiting on login attempts
- Notifications for account logins from new devices
- End-to-end encryption option for video (introduced 2021)
- Suspension of police access to Ring footage without a warrant (2023)
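The account-side controls in Ring's response (and the credential-management checks listed later under "Lessons for Ethical Hackers") map onto a handful of mechanisms. The following is an added example, not Ring's code, that models a device-cloud login service with the four controls that were missing in 2019: per-account and per-source rate limiting evaluated before any credential check, a mandatory TOTP second factor (RFC 6238, standard library only), short-lived session tokens, and shared-access grants that stop working the moment they are revoked. Users, passwords, IP addresses and device fingerprints are constructed.

```python
"""Hardened account service for an IoT cloud platform (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from collections import defaultdict, deque


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RateLimiter:
    """Sliding window: at most `limit` events per key within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AuthService:
    SESSION_TTL = 15 * 60    # short-lived tokens instead of near-permanent ones

    def __init__(self):
        self.users = {}                       # username -> (salt, pw_hash, totp_secret)
        self.sessions = {}                    # token -> (username, expiry)
        self.shares = {}                      # share_token -> (owner, device_id)
        self.known_devices = defaultdict(set)  # username -> device fingerprints
        self.by_account = RateLimiter(limit=5, window=300)
        self.by_source = RateLimiter(limit=20, window=60)
        self.notifications = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        totp_secret = base64.b32encode(secrets.token_bytes(10)).decode()
        self.users[username] = (salt, self._hash(password, salt), totp_secret)
        return totp_secret   # enrolled in the user's authenticator app

    def login(self, username, password, code, source_ip, device_fp, now=None):
        now = time.time() if now is None else now
        # Limits are applied before any credential work, so a stuffing run
        # is throttled whether or not the guessed password is right.
        if not self.by_source.allow(source_ip, now) or not self.by_account.allow(username, now):
            return None, "rate_limited"
        rec = self.users.get(username)
        if rec is None:
            return None, "bad_credentials"
        salt, pw_hash, totp_secret = rec
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return None, "bad_credentials"
        if not hmac.compare_digest(code, totp(totp_secret, now)):   # MFA is mandatory
            return None, "bad_mfa"
        if device_fp not in self.known_devices[username]:
            self.notifications.append((username, f"new device login from {source_ip}"))
            self.known_devices[username].add(device_fp)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, now + self.SESSION_TTL)
        return token, "ok"

    def session_user(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.sessions.get(token)
        if rec is None or now >= rec[1]:
            self.sessions.pop(token, None)   # expired tokens are purged
            return None
        return rec[0]

    def share_device(self, owner_token, device_id, now=None):
        owner = self.session_user(owner_token, now)
        if owner is None:
            return None
        share = secrets.token_urlsafe(16)
        self.shares[share] = (owner, device_id)
        return share

    def revoke_share(self, share):
        # Deleting the grant invalidates the old share token immediately.
        self.shares.pop(share, None)

    def can_view(self, share, device_id):
        rec = self.shares.get(share)
        return rec is not None and rec[1] == device_id
```

Two details carry the weight here: the rate limiter runs before password verification (otherwise a stuffing campaign still burns CPU and still learns which accounts exist), and a share is a server-side record rather than a self-contained bearer token, which is what makes revocation take effect instantly.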
Comparative Analysis
The Jeep Cherokee and Ring doorbell cases, while different in severity, share fundamental IoT security failures:
| Issue | Jeep Cherokee | Ring Doorbell |
|---|---|---|
| Authentication | No authentication between head unit and CAN bus | No MFA by default; no rate limiting |
| Encryption | No encryption on CAN bus; exposed cellular interface | WiFi credentials in plaintext during setup |
| Segmentation | No firewall between infotainment and safety systems | No separation between public API and device control |
| Update mechanism | USB drives mailed to owners | Over-the-air updates (better, but still delayed) |
| Impact | Life-threatening (vehicle control) | Privacy violation and harassment |
| Root cause | Convenience (connectivity) prioritized over safety | Ease of setup prioritized over security |
Relevance to MedSecure
MedSecure's IoT medical devices face risks analogous to both cases:
Like the Jeep Cherokee: MedSecure's vital signs monitors connect to a network (WiFi/BLE) and control sensitive functions (reporting patient data, triggering alerts). If a device's network interface is compromised and there is insufficient segmentation between the communication module and the sensor/data storage components, an attacker could manipulate vital signs data, suppress critical alerts, or access patient records.
Like Ring Doorbells: MedSecure's cloud platform collects sensitive health data from thousands of devices. Credential stuffing attacks against provider accounts, insufficient MFA enforcement, API vulnerabilities, and data transmission without end-to-end encryption could expose patient health information at scale.
Lessons for Ethical Hackers
- Test network segmentation in embedded systems. Determine whether internet-facing interfaces are isolated from safety-critical or data-sensitive components. In a medical device, can a compromised WiFi module access the sensor data processor? In a vehicle, can the infotainment system reach the braking ECU?
- Assess the full communication chain. Test encryption and authentication at every hop: device to cloud, device to mobile app, device to device, and internal bus communication. The weakest link in the chain defines the overall security level.
- Test credential management at scale. For IoT platforms that manage many devices (or user accounts), test for credential stuffing, brute force, rate limiting, MFA enforcement, and session management. A single compromised account may provide access to video feeds, health data, or device controls.
- Consider the physical safety implications. When testing IoT devices that interact with the physical world — vehicles, medical devices, industrial controllers, smart locks — every finding must be assessed not just for data confidentiality but for physical safety impact. A "medium" web vulnerability becomes "critical" when it can disable brakes or falsify vital signs.
- Test the setup and provisioning process. The Ring WiFi credential exposure occurred during device setup — a phase often overlooked in security testing. Test the entire lifecycle: provisioning, normal operation, firmware update, decommissioning.
Discussion Questions
1. Miller and Valasek publicly demonstrated their Jeep hack on a live highway (with the driver's consent). Was this demonstration irresponsible, or was it necessary to force the automotive industry to take cybersecurity seriously? How should researchers balance impact with safety?
2. Ring doorbells are marketed as security devices, but they themselves became a security vulnerability. How does this irony affect consumer trust in IoT security products? What responsibility do manufacturers have when their security products create new vulnerabilities?
3. The Jeep hack was possible because of a cellular connection that consumers valued for navigation and entertainment. Ring vulnerabilities stemmed from cloud connectivity that enabled remote monitoring. How should product designers balance connectivity features with the attack surface they create?
4. Ring's partnerships with 2,000+ police departments raised surveillance concerns independent of the technical vulnerabilities. How should IoT security assessments address privacy and civil liberties implications beyond traditional vulnerability identification?
5. If MedSecure's vital signs monitors had a vulnerability similar to the Jeep Cherokee's (a network-accessible interface with access to safety-critical functions), what would be the appropriate disclosure timeline? How does the healthcare context affect responsible disclosure decisions?
Timeline
Jeep Cherokee:

| Date | Event |
|------|-------|
| 2013 | Miller and Valasek demonstrate physical-access vehicle hacking |
| July 2015 | Wired publishes the remote Jeep hack article and video |
| July 2015 | Fiat Chrysler issues recall for 1.4 million vehicles |
| August 2015 | Miller and Valasek present full technical details at Black Hat and DEF CON |
| 2015-2016 | SPY Car Act introduced in Congress |
| 2016 | Miller and Valasek demonstrate additional attacks on 2015 Jeep Cherokee |

Ring Doorbell:

| Date | Event |
|------|-------|
| November 2019 | Bitdefender discloses WiFi credential exposure vulnerability |
| December 2019 | Multiple reports of Ring camera account compromises |
| December 2019 | Class-action lawsuits filed against Ring/Amazon |
| January 2020 | EFF reports on unencrypted Ring video transmission |
| February 2020 | Ring mandates two-factor authentication for all accounts |
| 2021 | Ring introduces optional end-to-end encryption |
| 2023 | Ring suspends police access without warrants |
References
- Miller, Charlie, and Chris Valasek. "Remote Exploitation of an Unaltered Passenger Vehicle." Black Hat USA, 2015.
- Greenberg, Andy. "Hackers Remotely Kill a Jeep on the Highway — With Me In It." Wired, July 21, 2015.
- Bitdefender. "Ring Doorbell WiFi Credential Vulnerability." November 2019.
- Electronic Frontier Foundation. "Ring Doorbell Surveillance." January 2020.
- Fiat Chrysler Automobiles. "Safety Recall U8V — Uconnect Software Update." July 2015.
- NHTSA. "Cybersecurity Best Practices for Modern Vehicles." October 2016.
- Amazon Ring. "Security and Privacy Updates." February 2020.
- U.S. Senate. "SPY Car Act (Security and Privacy in Your Car Act)." S.1806, 2015.