It’s been eight months since a pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device when they remotely killed the transmission of a 2014 Jeep Cherokee (news also noted in this blog). Now the FBI has caught up with that news, and it’s warning Americans to take the risk of vehicular cybersabotage seriously.
The Wired article “The FBI Warns That Car Hacking Is a Real Risk” (http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/) reports that, in a public service announcement issued together with the Department of Transportation and the National Highway Traffic Safety Administration, the FBI on Thursday released a warning to drivers about the threat of over-the-internet attacks on cars and trucks.
We are really entering the era of Internet of Exploits.
The FBI and DOT’s advice includes keeping automotive software up to date and staying aware of any recalls that require manual security patches to your car’s code. You should also avoid any unauthorized changes to a vehicle’s software and be careful about plugging insecure gadgets into the car’s network.
Tomi Engdahl says:
Poltergeist attack could leave autonomous vehicles blind to obstacles or haunt them with new ones https://www.theregister.com/2021/06/18/poltergeist_autonomous_vehicles/
Researchers at the Ubiquitous System Security Lab of Zhejiang University and the University of Michigan’s Security and Privacy Research Group say they’ve found a way to blind autonomous vehicles to obstacles using simple audio signals.
Tomi Engdahl says:
https://hackaday.com/2021/07/03/hacking-old-honda-ecus/
Tomi Engdahl says:
When Does Car Hacking Become “Tampering”? The British Government Seeks Guidance
https://hackaday.com/2021/12/18/when-does-car-hacking-become-tampering-the-british-government-seeks-guidance/
When a government decides to take a look at your particular field of experimentation, it’s never necessarily a cause for rejoicing, as British motor vehicle enthusiasts are finding out through a UK Government consultation. Titled “Future of transport regulatory review: modernising vehicle standards“, the document explains that it is part of the process of re-adopting under UK law areas which have previously been governed by the European Union. Of particular interest is the section “Tackling tampering”, which promises a new set of offences for “tampering with a system, part or component of a vehicle intended or adapted to be used on a road“.
They go into detail as to the nature of the offences, which seem to relate to the production of devices designed to negate the safety or environmental features of the car.
Tomi Engdahl says:
Examining Log4j Vulnerabilities in Connected Cars and Charging Stations https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html
Since its disclosure on Dec. 9, a vast number of articles have been written on the remote code execution (RCE) vulnerability in the library Apache Log4j, a reflection of its impact. Further expanding the attack surface, the vulnerability, dubbed Log4Shell, affects even embedded devices that use this library. In this report, we focus on the devices or properties found in or used for cars, specifically chargers, in-vehicle infotainment (IVI) systems, and “digital remotes” for opening cars.
Tomi Engdahl says:
How To Get Into Cars: E85 Fuel
https://hackaday.com/2021/12/23/how-to-get-into-cars-e85-fuel/
Tomi Engdahl says:
LTE Modem Transplant For A Tesla Imported Into Europe
https://hackaday.com/2022/01/03/lte-modem-transplant-for-a-tesla-imported-into-europe/
Tomi Engdahl says:
https://www.bloomberg.com/news/articles/2022-01-12/teen-hacker-claims-to-have-taken-control-of-25-teslas-worldwide?sref=YfHlo0rL
Tomi Engdahl says:
https://techcrunch.com/2022/01/27/lets-make-the-teen-tesla-hack-a-teachable-moment/
Tomi Engdahl says:
Hantek 6022be For Automotive? | Oscilloscope Diagnostics | Mechanic Mindset
https://www.youtube.com/watch?v=13LZ5P_zBAM
We review the Hantek 6022be oscilloscope and see if it is any good for automotive diagnostics. We put the Hantek 6022be through some basic automotive diagnostics tests. Does it stack up against my favourite oscilloscope, the 2204A? We will test CAN Bus, MAF sensor, relative compression check and diesel injector signals. Hantek also market an automotive oscilloscope called the Hantek 1008c, it has 8 channels! I have heard mixed reviews about this scope so never did buy it…
Tomi Engdahl says:
CHEAP AUTOMOTIVE OSCILLOSCOPE!! [PicoScope 2204A Automotive Oscilloscope review] Mechanic Mindset
https://www.youtube.com/watch?v=1LBKtlpCj_4
Tomi Engdahl says:
Various Honda vehicles send the same, unencrypted RF signal for each door-open
This is a proof of concept for [CVE-2022-27254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27254), wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows an attacker to eavesdrop on the request and conduct a replay attack.
https://github.com/nonamecoder/CVE-2022-27254
Tomi Engdahl says:
Just In Case You Want To Charge Your Neighbor’s Tesla
https://hackaday.com/2022/04/08/just-in-case-you-want-to-charge-your-neighbors-tesla/
Tesla vehicles have a charging port that is under a cover that only opens on command from a charging station. Well, maybe not only. [IfNotPike] reports that he was able to replay the 315MHz signal using a software defined radio and pop the port open on any Tesla he happened to be near.
Apparently, opening the charging port isn’t the end of the world since there isn’t much you can do with the charging port other than charging the car. At least, that we know of. If history shows anything, it is that anything you can get to will be exploited eventually.
Apparently, it was as simple as record and replay to get the sesame to open. However, if you are too lazy to get to do your own recording, GitHub can help you out.
TIL: Tesla’s charging ports use a standard wireless message to open up on 315MHz…
https://twitter.com/IfNotPike/status/1507818836568858631
jimilinuxguy / Tesla-Charging-Port-Opener
https://github.com/jimilinuxguy/Tesla-Charging-Port-Opener
Files for HackRF + Portapack MAYHEM firmware to open any and all Tesla vehicle charging ports in range!
Move this folder to the root of your SD card and run them with the “Replay” app
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/
Tomi Engdahl says:
I Hacked Into My Own Car
https://www.youtube.com/watch?v=5CsD8I396wo
Gaining unauthorised entry to someone else’s car is illegal. Jamming is illegal in the UK. It might be illegal where you live too.
Car key fobs transmit a binary code to the car over radio. If the car recognises the code it unlocks. There are various systems in place to make that process secure. This video is about the way vulnerabilities in those systems can be exploited. Including replay and rolljam attacks.
“but most of all, Samy is my hero”
Tomi Engdahl says:
A hacker showed how a Tesla gets stolen: the doors opened in 10 seconds
https://www.tivi.fi/uutiset/tv/5641141c-08d5-44a4-88f8-d621cf268b43
Besides technical know-how, a $150 investment is enough for a clean break-in.
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Researchers detail a BLE relay attack to unlock and operate a Tesla outside its BLE range; when told in April, Tesla said relay attacks are a “known limitation”
Hackers can steal your Tesla Model 3, Y using new Bluetooth attack
https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.
BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.
Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.
How the attack works
In this type of relay attack, an adversary intercepts and can manipulate the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.
This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.
Products that rely on BLE for proximity-based authentication protect against known relay attack methods by introducing checks based on precise amounts of latency and also link-layer encryption.
NCC Group has developed a tool that operates at the link layer and with a latency of 8ms that is within the accepted 30ms range of the GATT (Generic ATTribute Profile) response.
According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.
Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC’s attack could be used to unlock and start the cars.
While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle” – NCC Group
During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.
The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies.
These findings were reported to Tesla on April 21st. A week later, the company responded by saying “that relay attacks are a known limitation of the passive entry system.”
The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).
What can be done
NCC Group’s research on this new proximity attack is available in three separate advisories, for BLE in general, one for Tesla cars, and another for Kwikset/Weiser smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.
The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.
This leaves users with few possibilities, one being to disable it, if possible, and switch to an alternative authentication method that requires user interaction.
Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
Tesla owners are encouraged to use the ‘PIN to Drive’ feature, so even if their car is unlocked, at least the attacker won’t be able to drive away with it.
Additionally, disabling the passive entry functionality in the mobile app when the phone is stationary would make the relay attack impossible to carry out.
If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.
Tomi Engdahl says:
Defeat Your Car’s Autostop Feature With A Little SwitchBot
https://hackaday.com/2022/05/18/defeat-your-cars-autostop-feature-with-a-little-switchbot/
These days, many new cars come with some variant of an “auto-stop” feature. This shuts down the car’s engine at stop lights and in other similar situations in order to save fuel and reduce emissions. Not everyone is a fan however, and [CGamer_OS] got sick of having to switch off the feature every time they got in the car. So they employed a little robot to handle the problem instead.
The robot in question is a SwitchBot, a small Internet of Things tool that’s highly configurable for pressing buttons. It’s literally a robot designed to press buttons, either when remotely commanded to, or when certain rules are met. It can even be configured to work with IFTTT.
Got real tired of turning this off every time I got in my car.
https://www.reddit.com/r/funny/comments/uqjrkr/got_real_tired_of_turning_this_off_every_time_i/
Tomi Engdahl says:
https://hackaday.com/2022/05/20/this-week-in-security-iphone-unpowered-python-unsandboxed-and-wizard-spider-unmasked/
Bluetooth Low Energy
It’s yet another Bluetooth related problem, this time concerning Bluetooth Low Energy (BLE) used as an authentication token. You’ve probably seen this idea in one form or another, like the Android option to remain unlocked whenever connected to your BLE earbuds. It’s used for various vehicles, to unlock once the appropriate phone is within BLE range.
It’s always been sort-of a bad idea to use BLE for this sort of authentication, because BLE is susceptible to in-flight relay attacks. One half of the attack is next to your phone, acting like the car’s BLE chip, and the other is next to the car, spoofing your phone. Connect the two spoofing devices, and the car thinks the authorized phone is right there. To make this “secure”, vendors have added encryption features, as well as signal timing analysis to try to catch spoofing.
New Bluetooth hack can unlock your Tesla—and all kinds of other devices
All it takes to hijack Bluetooth-secured devices is custom code and $100 in hardware.
https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/
NCC Group Demo Bluetooth Low Energy Link Layer Relay Attack on Tesla Model Y
https://www.youtube.com/watch?v=HF-tAujvckA&t=1s
Tomi Engdahl says:
I Tried the Honda Key Fob Hack on My Own Car. It Totally Worked
We demonstrate the vulnerability by unlocking and starting our own car wirelessly.
https://www.thedrive.com/tech/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked
Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner’s key fob. Dubbed “Rolling Pwn,” the attack allows any individual to “eavesdrop” on a remote key fob from nearly 100 feet away and reuse the codes later to unlock or start a vehicle in the future without the owner’s knowledge.
Despite Honda’s dispute that the technology in its key fobs “would not allow the vulnerability,” The Drive has independently confirmed the validity of the attack with its own demonstration.
Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.
The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a “window.”
When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.
This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
A similar vulnerability was discovered late last year and added to the Common Vulnerabilities and Exposures database (CVE-2021-46145), and again this year for other Honda-branded vehicles (CVE-2022-27254). However, Honda has yet to address the issue publicly, or with any of the security researchers who have reported it.
Furthermore, when questioned by The Drive, a Honda spokesperson said that the automaker wasn’t able to determine if the report was credible.
“[W]e’ve looked into past similar allegations and found them to lack substance,”
Contrary to Honda’s claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio.
Despite being able to start and unlock the car, the vulnerability doesn’t allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign.
This is a significant vulnerability that affects an unknown number of Honda-branded vehicles across the globe. Essentially, any affected Honda vehicle can be unlocked today using the vulnerability, and the owners have no protection against the attack. What’s more, it’s unclear if this can be addressed with an over-the-air update, if a dealer visit will be required, or if Honda will address it.
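The window logic described in the comment above, as an added example that is not part of the original post or of Honda’s or the researchers’ code. It models a fob and two receivers: a hardened one that only ever moves its counter forward, and one with the assumed weakness that a pair of consecutive valid older codes is treated as a resynchronisation and rolls the counter back. The HMAC-based code generator, the window size and the resync rule are stand-ins chosen for the demonstration, not Honda’s actual design.

```python
import hashlib
import hmac

WINDOW = 16  # how many counter steps ahead of the last accepted code the car will accept


def rolling_code(key: bytes, counter: int) -> bytes:
    """Stand-in for the fob's PRNG: the code for a counter value, derived with HMAC-SHA256.
    Real fobs use vendor-specific generators; only the counter/window logic matters here."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Key fob: each button press increments the counter and transmits the next code."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Vehicle-side verifier. With resync_on_older=False it only ever moves forward (hardened).
    With resync_on_older=True it models the assumed weakness: two consecutive valid *older*
    codes are taken as a legitimate fob resynchronisation, rolling the counter back so that
    every captured code after that point becomes valid again."""

    def __init__(self, key: bytes, resync_on_older: bool = False):
        self.key = key
        self.last = 0            # highest counter accepted so far
        self.resync_on_older = resync_on_older
        self.prev_old = None     # counter of the previous rejected-but-valid older code

    def _find(self, code: bytes, lo: int, hi: int):
        """Return the counter in [lo, hi] that produces `code`, or None."""
        for c in range(lo, hi + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        # Normal path: the code must lie in the window just ahead of the last accepted one.
        c = self._find(code, self.last + 1, self.last + WINDOW)
        if c is not None:
            self.last = c        # accepting a newer code invalidates everything before it
            self.prev_old = None
            return True
        if not self.resync_on_older:
            return False         # hardened receiver: older codes are never reconsidered
        # Flawed resync path: look the code up among counters that were already used.
        c = self._find(code, 1, self.last)
        if c is not None and self.prev_old is not None and c == self.prev_old + 1:
            self.last = c        # counter rolled back: captured codes after c are live again
            self.prev_old = None
            return True
        self.prev_old = c
        return False


def replay_captured_codes(vulnerable: bool) -> list:
    """Owner presses the fob four times (an eavesdropper records them), then presses once
    more so the recorded codes are stale. Returns the car's verdict on each replayed code."""
    key = b"constructed-demo-key"   # constructed sample key, not a real fob key
    fob, car = Fob(key), Receiver(key, resync_on_older=vulnerable)
    captured = [fob.press() for _ in range(4)]
    for code in captured:
        assert car.receive(code)     # legitimate use; car ends at counter 4
    assert car.receive(fob.press())  # one more legitimate press; codes 1-4 are now stale
    return [car.receive(code) for code in captured]


if __name__ == "__main__":
    print("hardened :", replay_captured_codes(vulnerable=False))  # [False, False, False, False]
    print("resyncing:", replay_captured_codes(vulnerable=True))   # [False, True, True, True]
```

The hardened receiver rejects every stale code; the resyncing one rejects the first replayed code but then accepts the rest because the pair rolled its counter back.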
Tomi Engdahl says:
https://www.thedrive.com/news/nerds-are-trolling-tesla-owners-by-wirelessly-opening-charging-ports
Tomi Engdahl says:
BMW owners are figuring out how to pirate their heated seats
By Andy Chalk published 4 days ago
https://www.pcgamer.com/bmw-owners-are-figuring-out-how-to-pirate-their-heated-seats/?utm_source=facebook.com&utm_medium=social&utm_campaign=socialflow
The intersection between physical and digital products is growing, and consumers are pushing back.
Tomi Engdahl says:
BMW’s Heated Seats as a Service Model Has Drivers Seeking Hacks https://www.wired.com/story/bmw-heated-seats-as-a-service-model-has-drivers-seeking-hacks/
THERE’S BEEN A bit of a backlash to the news that BMW will now charge owners a subscription to use the heated seats in their cars if they weren’t a paid-for option when new. The German carmaker has been putting extra features like high-beam assist behind a paywall for a couple of years now, and you pay to access the pre-installed software feature. But heated seats are hardware: Pads are integrated in the seat during production, there is wiring and switches. And to top it all, drivers have already bought and own this physical kit, hardware that will not benefit from software updates or regular over-the-air upgrades. Software as a service (SAAS), then, is not new in the car world. And you won’t be surprised to learn that you can go online and find someone who will unlock these dormant features of your car for much less than a carmaker charges. “This has been popular on VW/Audi cars for a while now, ” says Iain Litchfield, boss of Litchfield Motors, one of the UK’s foremost car tuners. He concentrates mainly on cracking engine management systems to get more power, but knows people who can give upgraded sat nav, the latest tune for your adaptive suspension or, indeed, unlock access to your heated seats.
Tomi Engdahl says:
Rolling Pwn Attack
https://rollingpwn.github.io/rolling-pwn/
Modern vehicles are often equipped with a remote keyless entry system.
These RKE systems allow unlocking or starting the vehicle remotely.
The goal of our research was to evaluate the resistance of a modern-day RKE system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently existing on the market (From the Year 2012 up to the Year 2022). This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.
Tomi Engdahl says:
RollBack Breaks Into Your Car
https://hackaday.com/2022/08/17/rollback-breaks-into-your-car/
Tomi Engdahl says:
Hyundai’s security was broken with a Google search
https://www.tivi.fi/uutiset/tv/899c5283-98b1-4899-af18-6e923df69816
Daniel Feldman, a software developer living in Minnesota in the United States, managed to update the dashboard infotainment system of his Hyundai car with his own software when the Korean manufacturer’s protections turned out to be absurdly flimsy. The Register reported on the matter. Original:
https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
Tomi Engdahl says:
Security in tractors is at an incredibly weak level, and the problem cannot be solved with “quick-and-dirty fixes”
https://www.kauppalehti.fi/uutiset/tietoturva-on-traktoreissa-uskomattoman-heikolla-tasolla-eika-ongelma-ratkea-purkkavirityksilla/42e33edf-b82a-4587-afa7-fe46baa36f89
An Australian white-hat hacker using the handle Sick Codes highlighted the weak security of John Deere tractors and agricultural machinery at the Def Con security conference. As an example of how hackable the tractors are, he showed farm equipment running the legendary game Doom. It was even a version of Doom modded in an agricultural spirit, so what was on offer was driving a tractor in Doom, on the tractor’s display. The Register reports that Doom was run on the touchscreen of a John Deere 4240 tractor, which is controlled by an Arm-compatible NXP i.MX 6 system-on-chip running the Wind Linux 8 operating system. According to Sick Codes, who has examined the equipment of several tractors, many Windows CE-based devices are also in use. According to the hacker, the problem with the devices is that they do not use proper encryption or checksums. The problem is at the hardware level, so quick-and-dirty fixes are no way to start correcting the situation. The only real solution, he says, would be to build new systems from the ground up with security in mind. Sick Codes’ hack is something like a jailbreak-type break-in that can bypass the manufacturer’s own protections and restrictions
Tomi Engdahl says:
Software developer cracks Hyundai car security with Google search https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. Luck held out, in a way.
“Greenluigi1” found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C”. That tutorial and other projects implementing OpenSSL include within their source code that public key and the corresponding RSA private key. This means Hyundai used a public-private key pair from a tutorial, and placed the public key in its code, allowing “greenluigi1” to track down the private key. Thus he was able to sign Hyundai’s files and have them accepted by the updater.
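A firmware-audit check for the failure described in the comment above (a signing key lifted from a tutorial), as an added example that is not part of the original post or of Hyundai’s or the researcher’s tooling. It scans an image for PEM-encoded keys, fingerprints each one and flags any whose fingerprint is on a deny list of publicly known sample keys, or any private key shipped inside the image. The firmware blob, the key bytes and the deny list are all constructed stand-ins.

```python
import base64
import hashlib
import re

# A PEM envelope anywhere in a binary image: label on the BEGIN/END lines, base64 in between.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[A-Za-z0-9+/=\r\n]+?)-----END (?P=label)-----"
)


def pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (64-column base64 lines), as a firmware image would."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n").encode()


def fingerprint(der: bytes) -> str:
    """SHA-256 over the decoded key bytes; compare this, never the PEM text, since line
    wrapping and whitespace differ between copies of the same key."""
    return hashlib.sha256(der).hexdigest()


def extract_keys(blob: bytes):
    """Yield (label, decoded bytes, byte offset) for every PEM block embedded in the image."""
    for m in PEM_BLOCK.finditer(blob):
        der = base64.b64decode(re.sub(rb"\s", b"", m.group("body")))
        yield m.group("label").decode(), der, m.start()


def audit_firmware(blob: bytes, known_public_fingerprints: set) -> list:
    """Flag embedded keys that are (a) private keys, which never belong in a shipped image,
    or (b) public keys whose fingerprint is on the list of publicly known sample keys."""
    findings = []
    for label, der, offset in extract_keys(blob):
        fp = fingerprint(der)
        findings.append({
            "offset": offset,
            "label": label,
            "fingerprint": fp,
            "private_key_in_image": "PRIVATE KEY" in label,
            "known_public_key": fp in known_public_fingerprints,
        })
    return findings


# --- constructed sample data (not real keys, not a real vendor image) ---------------------
# Stand-ins for DER key material: the scanner only decodes, hashes and compares these bytes.
TUTORIAL_KEY_DER = b"constructed stand-in for a public key copied from an online tutorial" * 3
VENDOR_KEY_DER = b"constructed stand-in for a key the vendor actually generated itself" * 3

# Deny list an auditor would build by fingerprinting keys found in published sample code.
KNOWN_PUBLIC_KEY_FINGERPRINTS = {fingerprint(TUTORIAL_KEY_DER)}

SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 60                      # constructed padding around the keys
    + b"update_verify_key=" + pem("PUBLIC KEY", TUTORIAL_KEY_DER)
    + b"\xff" * 40
    + b"telemetry_key=" + pem("PUBLIC KEY", VENDOR_KEY_DER)
    + b"\x00" * 20
)


if __name__ == "__main__":
    for f in audit_firmware(SAMPLE_FIRMWARE, KNOWN_PUBLIC_KEY_FINGERPRINTS):
        flag = "KNOWN PUBLIC SAMPLE KEY" if f["known_public_key"] else "ok"
        print(f"{f['offset']:>6} {f['label']:<12} {f['fingerprint'][:16]}... {flag}")
```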
Tomi Engdahl says:
Esk8 Rider Opens Tesla Cars All Over The City With Flipper Zero
https://m.youtube.com/watch?v=VCkvIpAe_do&feature=youtu.be
Tomi Engdahl says:
If you don’t understand, this video is a joke; you can’t hack Teslas with a Flipper. Tesla cars all share the same remote to open the charging port at the charging station, and literally anyone with a Tesla and a phone can do this. If you park your car to charge it, often it will open other charging doors as well. No crimes were committed; the video was shot in a misleading way to encourage Tesla to fix this problem.
Tomi Engdahl says:
Police dismantles criminal ring that hacked keyless cars https://www.bleepingcomputer.com/news/security/police-dismantles-criminal-ring-that-hacked-keyless-cars/
Authorities from France, Latvia, and Spain arrested 31 suspects believed to be part of a car theft ring that targeted vehicles from two French car manufacturers. The criminals only targeted cars that use keyless entry and start systems and stole them after exploiting their keyless technology to unlock the doors and start the engines without having to use the key fobs. To do that, they used a fraudulent tool promoted online as an automotive diagnostic solution to replace the stolen cars’ software and bypass the vehicles’ keyless system to enter and steal them.
Tomi Engdahl says:
Automakers Are Locking the Aftermarket Out of ECUs https://www.roadandtrack.com/news/a41926249/automakers-locking-aftermarket-tuners-out-of-ecus/
As our vehicles start to integrate more complex systems such as Advanced Driver Assist Systems and over-the-air updates, automakers are growing wary of what potential bad actors could gain access to by way of hacking. Whether those hacks come in an attempt to retrieve personal customer data, or to take control of certain aspects of these integrated vehicles, automakers want to leave no part of that equation unchecked. In order to prevent this from becoming a potential safety or legal issue, companies like Ford have moved to heavily encrypt their vehicles’ software. Krenz specifically noted that the new FNV architecture can detect when someone attempts to modify any of the vehicle’s coding, and that it can respond by shutting down an individual vehicle system or the vehicle entirely if that’s what is required.
Tomi Engdahl says:
Researchers find bugs allowing access, remote control of cars https://therecord.media/researchers-find-bugs-allowing-access-remote-control-of-cars/
Several major car brands have addressed vulnerabilities that would have allowed hackers to remotely control the locks, engine, horn, headlights, and trunk of certain cars made after 2012, according to a security researcher. Yuga Labs staff security engineer Sam Curry published two threads on Twitter detailing his research into the mobile apps for several car brands that give customers the ability to remotely start, stop, lock and unlock their vehicles. Curry and several other researchers started with Hyundai and Genesis, finding that much of the verification process for getting access to a vehicle relied on registered email addresses. They found a way to bypass the email verification feature and gain full control.
Tomi Engdahl says:
Several Car Brands Exposed to Hacking by Flaw in Sirius XM Connected Vehicle Service
https://www.securityweek.com/several-car-brands-exposed-hacking-flaw-sirius-xm-connected-vehicle-service
Cybersecurity researchers discovered that several car brands were exposed to remote hacker attacks due to a vulnerability in a connected vehicle service provided by Sirius XM.
Sirius XM claims on its website that its connected services are used by more than 12 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota cars.
Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.
An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.
Tomi Engdahl says:
SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html
Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle’s vehicle identification number (VIN), researcher Sam Curry said in a Twitter thread last week. SiriusXM’s Connected Vehicles (CV) Services are said to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
Tomi Engdahl says:
https://hackaday.com/2022/12/23/this-week-in-security-github-actions-sha-1-retirement-and-a-self-worming-vulnerability/
Your Tires Are Leaking (Data)
Back a few years ago, [Mike Metzger] gave a DEFCON talk about TPMS, Tire Pressure Monitoring Systems. This nifty safety feature allows sensors in car tires to talk to the infotainment center, and warn when a tire is low. [Drew Griess] decided to follow up on this bit of info, and see just how practical it would be to use and abuse these gizmos.
An RTL_SDR and the very useful rtl_433 project do the job quite nicely. Add an antenna, and the signals are readable over fifty feet away. It really becomes interesting when you realize that each of those sensors have a unique ID sent in each ping. Need to track a vehicle? Just follow its tires!
Your Car is Trackable by Law
TPMS Tracking
Today I learned how to read the unique ID of a tire pressure sensor which can be used to track vehicles using a sensor network.
https://medium.com/@doctoreww/day-2-your-car-is-trackable-by-law-1d5f74388850
Tomi Engdahl says:
https://www.facebook.com/groups/2600net/permalink/3521260451430388/
How to crack the official firmware for Hyundai. They call it “navigation”, but it is basically the firmware of the entire head unit. The same firmware is shipped on different Hyundai, KIA and Genesis models manufactured in the 2018-2021 time frame.
The head unit is running on Telechips TCC893X SoC and its SDK has been leaked on the internet. There is a secret recovery mechanism which is triggered by holding the POWER button (left knob) and the MAP button upon start.
https://xakcop.com/post/hyundai-hack-2/
Tomi Engdahl says:
Interference with cars’ wireless central locking
Problems with a car’s remote-controlled locking may be caused by radio interference. This is often caused by other devices using the same frequency band. For those frustrated by misbehaving locks, we offer self-help for diagnosing the fault, as well as advice on problems that a driver cannot resolve on their own.
https://www.traficom.fi/fi/autojen-langattoman-keskuslukituksen-hairiot
Tomi Engdahl says:
Thieves Use CAN Injection Hack to Steal Cars
https://www.securityweek.com/thieves-use-can-injection-hack-to-steal-cars/
An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.
A hacking device can allow thieves to steal a wide range of car models using an attack method named CAN injection, researchers have revealed.
Automotive cybersecurity experts Ian Tabor of the EDAG Group and Ken Tindell, CTO of Canis Automotive Labs, started analyzing these attacks after Tabor had his 2021 Toyota RAV4 stolen last year.
The car was stolen after Tabor had, on two occasions, found that someone had pulled apart his headlight and unplugged the cables. What initially appeared as vandalism turned out to be part of an attempt to steal the vehicle.
Specifically, the thieves pulled off the bumper and unplugged the headlight cables in an attempt to reach wires connected to an electronic control unit (ECU) responsible for the vehicle’s smart key.
An investigation conducted by Tabor showed that the thieves likely connected a special hacking device that allowed them to unlock the vehicle and drive away.
Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices that can be used by vehicle owners who have lost their keys or automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case.
The hacking device is designed to conduct what the researchers call a CAN injection attack. These devices appear to be increasingly used by thieves. At least one theft was caught by CCTV cameras in London.
The researchers analyzed diagnostics data from Tabor’s stolen RAV4 and such a CAN injection device in an effort to see how they work.
Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. ECUs are connected together through controller area network (CAN) buses.
The attacker does not need to directly connect to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight, as long as the headlight and the smart key ECU are on the same CAN bus.
The attacker connects the hacking device to the headlight wires and can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated. The attacker can then send a specially crafted CAN message to the door ECU to unlock the door. This allows the thieves to get in the car and drive away.
The attack can be carried out by connecting the hacking device to other CAN wires as well, but the ones in the headlight are often the most accessible and connecting to them does not involve causing too much damage to the car, which would lower its value.
While in this case the stolen vehicle was a Toyota and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota.
Similar hacking devices offered for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.
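The spoofed "key validated" and "unlock" frames described in the article work because classic CAN frames carry no sender authentication. As an added example (not code from the article or the researchers), this Python sketch shows the mitigation side: a door ECU that only honours unlock frames carrying a truncated HMAC and a freshness counter, so a frame injected from the headlight wiring without the shared key is rejected, and a recorded legitimate frame cannot be replayed. The arbitration ID, payload layout and key are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not taken from any real vehicle):
SHARED_KEY = b"demo-ecu-shared-key"  # in practice provisioned into each ECU's secure storage
UNLOCK_ID = 0x123                    # assumed arbitration ID of the door-unlock frame
MAC_LEN = 4                          # truncated tag; 2 data + 2 counter + 4 MAC = 8-byte payload

def _tag(key, can_id, body):
    """Truncated HMAC over arbitration ID and body, so the ID cannot be swapped either."""
    return hmac.new(key, struct.pack(">H", can_id) + body, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(can_id, command, counter, key=SHARED_KEY):
    """Authenticated frame from the smart-key ECU: command(2) + counter(2) + MAC(4)."""
    body = command.ljust(2, b"\x00")[:2] + struct.pack(">H", counter)
    return can_id, body + _tag(key, can_id, body)

class DoorEcu:
    """Receiver that honours unlock frames only with a valid MAC and a fresh counter."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = -1
        self.unlocked = False

    def receive(self, can_id, data):
        if can_id != UNLOCK_ID or len(data) != 8:
            return "ignored"
        body, tag = data[:4], data[4:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, body)):
            return "rejected: bad MAC"      # injected frame built without the shared key
        counter = struct.unpack(">H", body[2:4])[0]
        if counter <= self.last_counter:
            return "rejected: replay"       # recorded legitimate frame resent later
        self.last_counter = counter
        if body[0] == 0x01:
            self.unlocked = True
        return "accepted"

def demo():
    """Legitimate frame, its replay, and an injected frame with a zeroed MAC."""
    ecu = DoorEcu()
    legit = build_frame(UNLOCK_ID, b"\x01", counter=1)
    injected = (UNLOCK_ID, b"\x01\x00\x00\x02" + b"\x00" * MAC_LEN)
    results = [ecu.receive(*legit), ecu.receive(*legit), ecu.receive(*injected)]
    victim = DoorEcu()                 # an ECU that only ever sees the injected frame
    victim.receive(*injected)
    return results, ecu.unlocked, victim.unlocked
```

Production schemes such as AUTOSAR SecOC use the same ingredients (truncated MAC plus freshness value) with key storage in a hardware security module; the counter here is deliberately small to fit the 8-byte classic CAN payload.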
Tomi Engdahl says:
https://www.autoblog.com/2023/04/10/vehicle-headlight-can-bus-injection-theft-method/
Someone has developed a tool (disguised as a JBL Bluetooth speaker and sold on the dark web) that when wired into a vehicle’s control CAN bus, can impersonate the vehicle’s key fob. The vehicle used as an example is a current-generation Toyota RAV4, but it’s vital to note that this vulnerability is not specific to any particular OEM or model — this is an industry-wide problem at the moment.
Details..
Tomi Engdahl says:
HACKERS SAY THEY CAN ACCESS TESLAS AND MAKE THEM HONK WILDLY
https://futurism.com/the-byte/hackers-teslas-honk
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/06/02/kyberuhkat-iskevat-seuraavaksi-autoihin/
Tomi Engdahl says:
https://hackaday.com/2023/06/08/hacking-a-hyundai-ioniqs-infotainment-system-again-after-security-fixes/
Tomi Engdahl says:
https://hackaday.com/2023/06/27/honda-headunit-reverse-engineering-and-the-dismal-state-of-infotainment-systems/
Tomi Engdahl says:
Tesla infotainment jailbreak unlocks paid features, extracts secrets https://www.bleepingcomputer.com/news/security/tesla-infotainment-jailbreak-unlocks-paid-features-extracts-secrets/
Researchers from the Technical University of Berlin have developed a method to jailbreak the AMD-based infotainment systems used in all recent Tesla car models and make it run any software they choose.
Additionally, the hack allows the researchers to extract the unique hardware-bound RSA key that Tesla uses for car authentication in its service network, as well as voltage glitching to activate software-locked features such as seat heating and ‘Acceleration Boost’ that Tesla car owners normally have to pay for.
The German researchers shared the full details of their hack with BleepingComputer, which will be published in an upcoming BlackHat 2023 presentation scheduled for August 9, 2023, titled ‘Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater.’
Tomi Engdahl says:
Tesla hackers turn to voltage glitching to unlock paywalled features
Oh, this old thing? Yeah, it’s got an AMD processor. Why?
https://www.theregister.com/2023/08/07/black_hat_tesla_hackers/
BLACK HAT There is a way to unlock those paywalled features in your car, as a group of German PhD students demonstrated at Black Hat, but it probably won’t keep the automakers up at night.
In a talk this week, a trio of Technische Universität Berlin boffins demonstrated how they were able to bypass the $300 purchase requirement to activate heated rear seats in a Tesla Model 3 – or at least in the computer from a Tesla Model 3.
Instead of approaching the problem like Tesla hackers of the past, who’ve tried to gain control of vehicles or break into them as an outsider, Christian Werling and his fellow researchers wanted to approach the problem like someone who already had physical access to a vehicle and was trying to make their own modifications – like breaking through soft locks on optional, but installed, features.
The researchers’ first attempt was simply to try to modify the firmware in the Tesla’s computer, but they were rebuffed by the secure boot process – something that Werling told us was a relatively new development in Tesla’s computers.
Previous versions of Tesla computers were vulnerable to an off-chip boot loader buffer overflow that was fixed via firmware updates. Another buffer overflow issue affecting the ROM on Tesla computers remained, but was fixed when Tesla later upgraded from AMD Zen 1 APUs to Zen 2s.
The problems were even worse before, Werling pointed out – Tesla computers used to have open X servers, hard-coded passwords, and their code wasn’t even signed. Now, in 2023, Tesla computers have a boot chain of trust, firmware and OS signing and a root of trust in their AMD SoCs that left the researchers faced with a hard reality: They couldn’t get in.
Tomi Engdahl says:
Researchers reveal Tesla jailbreak that could unlock Full Self-Driving for free
The group found a hardware exploit they say would be hard for Tesla to mitigate.
https://www.engadget.com/researchers-reveal-tesla-jailbreak-that-could-unlock-full-self-driving-for-free-190431645.html
Tomi Engdahl says:
https://hackaday.com/2023/08/05/jailbreaking-tesla-infotainment-systems/
Tomi Engdahl says:
Unfixable AMD Chip Vulnerability Unlocks Paid Tesla Features for Free
Researchers say the company’s third-gen Media Control Unit can provide full access to the car’s software.
https://www.extremetech.com/cars/unfixable-amd-chip-vulnerability-unlocks-paid-tesla-features-for-free
Tomi Engdahl says:
Over $1 Million Offered at New Pwn2Own Automotive Hacking Contest
https://www.securityweek.com/over-1-million-offered-at-new-pwn2own-automotive-hacking-contest/
ZDI is offering more than $1 million at the Pwn2Own Automotive hacking contest, hosted in January at the Automotive World conference in Tokyo.
The Zero Day Initiative (ZDI) this week announced that it will be offering more than $1 million in cash and prizes at Pwn2Own Automotive, the first Pwn2Own hacking contest focused on car systems.
The competition will be hosted at the Automotive World conference, which is scheduled for January 24 – 26, 2024, in Tokyo, Japan.
Interested security researchers have until January 18 to register for the contest and submit an entry, consisting of “a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry”, ZDI has announced.
As with other similar events, ZDI is allowing remote participation in Pwn2Own Automotive, on the basis that not all researchers will be able to attend the conference.
Tomi Engdahl says:
ZDI Discusses First Automotive Pwn2Own
https://www.securityweek.com/zdi-discusses-first-automotive-pwn2own/
The Zero Day Initiative (ZDI) will host a new Automotive Pwn2Own at the Automotive World Conference in Tokyo, January 24 to 26, 2024.