Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronic. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device monitors sensor data from your vehicle and then performs logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to connect a computer to this port with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to recover the original scripts. After reading through these, they were able to reverse engineer the protocol used between the Zubie and the cloud. One particularly interesting finding was that the device accepted firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man-in-the-middle attack against the Zubie. This allowed them to control the DNS resolution of the Zubie cloud hostname. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man-in-the-middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
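Both dongles above fail the same way: a check-in fetches whatever the (attacker-resolved) server hands back and flashes it with no validation. The following is an added example, not code from Zubie, Progressive or either research team, of the check a dongle should perform before applying an update: authenticate a manifest, compare the image digest against it, and refuse version rollback. For brevity it authenticates the manifest with an HMAC under a constructed per-device key; because the Zubie team could dump the device over UART, a real design should instead verify an asymmetric signature (such as Ed25519) against a public key, so nothing extractable from the dongle lets an attacker forge updates.

```python
import hashlib
import hmac
import json

# Constructed example key. A shipped device must NOT hold a symmetric signing
# secret: it would be recoverable by the UART/decompilation route described above.
DEVICE_KEY = b"example-per-device-provisioned-key"


def build_update(image: bytes, version: int, key: bytes = DEVICE_KEY) -> dict:
    """Server side: bind the image digest and version into a manifest, then authenticate it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body, "tag": tag, "image": image}


def verify_update(pkg: dict, installed_version: int, key: bytes = DEVICE_KEY) -> tuple:
    """Device side: accept only an authenticated, untampered, newer image.

    Returns (ok, reason). Every check runs before anything is written to flash,
    so a DNS-hijacked or man-in-the-middled server cannot push arbitrary code.
    """
    expected = hmac.new(key, pkg.get("manifest", b""), hashlib.sha256).hexdigest()
    # constant-time compare: forged or missing tag -> reject before parsing anything
    if not hmac.compare_digest(expected, pkg.get("tag", "")):
        return False, "manifest authentication failed"
    manifest = json.loads(pkg["manifest"])
    # the manifest is trusted now; the image must match the digest it commits to
    if hashlib.sha256(pkg.get("image", b"")).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    # anti-rollback: a validly signed but older image must not be reinstalled
    if manifest["version"] <= installed_version:
        return False, "rollback refused"
    return True, "ok"


if __name__ == "__main__":
    good = build_update(b"constructed firmware image v2", 2)
    print(verify_update(good, installed_version=1))          # (True, 'ok')
    bad = dict(good, image=b"attacker-supplied image")
    print(verify_update(bad, installed_version=1))           # (False, 'image digest mismatch')
```

Transport encryption (TLS with certificate validation) is still needed on top of this so the check-in itself cannot be read or redirected, but update authenticity must not depend on it alone.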

The first research team provided their findings to Zubie, which has supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully, with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Peculiar Radial Mill from Car Parts

Whether 3D printer, lasercutter, or mill, most CNC machines use human-friendly, square-angle Cartesian geometry. This intriguing concept mill instead uses radial axes where motion is derived from scrap Chevy flywheels. It may look and feel weird at first, but it works – sort of.

Cartesian axes are intuitive. If you want to go to the right, increase X. If you want to go to away from you, increase Y. If you want to lift, increase Z. On a manual mill this is easy for making rectangles and blocks, or, with creative clamping, straight lines of any sort. But if you want to carve a circle? As we all learned on an Etch-A-Sketch, you increase your swearing and then throw it in the corner.

[Jason] knew that with a CNC machine all geometry problems are reduced to math done by software. With two offset discs, any position is possible by rotating both the correct way. It may look odd that both plates drunkenly meander about just to draw a straight line, but the computer doesn’t care. Software can be complicated without penalty and is free once written – more on that later. If a machine is physically simple then it can be built and repaired easily and cheaply. This design does away with almost all the familiar – and [Jason] argues complicated – components of normal hobby CNC machines. No slides, rails, carriages or belts here. His design uses only about a dozen parts.
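The “two offset discs” kinematics is the same math as a two-link planar arm. This added example (not [Jason]’s code; the disc radii are constructed) solves the disc angles for a target point with the law of cosines, and generates the angle sequence for a straight cut, which shows why both plates swing around while the tool moves in a line.

```python
import math

# Constructed geometry, not the real machine's: the upper disc's axis sits R1 from
# the base disc's axis, and the cutter sits R2 from the upper disc's axis.
R1 = 100.0  # mm
R2 = 60.0   # mm


def forward(theta1, theta2, r1=R1, r2=R2):
    """Cutter position for base-disc angle theta1 and upper-disc angle theta2 (radians, world frame)."""
    x = r1 * math.cos(theta1) + r2 * math.cos(theta2)
    y = r1 * math.sin(theta1) + r2 * math.sin(theta2)
    return x, y


def inverse(x, y, r1=R1, r2=R2, elbow_up=True):
    """Disc angles that put the cutter at (x, y). Raises ValueError when unreachable."""
    d = math.hypot(x, y)
    # reachable region is the annulus |r1 - r2| <= d <= r1 + r2
    if d > r1 + r2 + 1e-9 or d < abs(r1 - r2) - 1e-9:
        raise ValueError(f"({x}, {y}) is outside the annulus the discs can reach")
    # law of cosines: angle at the base axis between the target direction and link r1
    cos_a = (r1 * r1 + d * d - r2 * r2) / (2.0 * r1 * d)
    alpha = math.acos(max(-1.0, min(1.0, cos_a)))
    phi = math.atan2(y, x)
    theta1 = phi - alpha if elbow_up else phi + alpha
    # upper disc angle follows from where the cutter must be relative to its axis
    theta2 = math.atan2(y - r1 * math.sin(theta1), x - r1 * math.cos(theta1))
    return theta1, theta2


def straight_line(p0, p1, steps=10):
    """Angle pairs that move the cutter from p0 to p1 in a straight line."""
    return [
        inverse(p0[0] + (p1[0] - p0[0]) * i / steps, p0[1] + (p1[1] - p0[1]) * i / steps)
        for i in range(steps + 1)
    ]


if __name__ == "__main__":
    for t1, t2 in straight_line((60.0, 0.0), (60.0, 120.0)):
        print(f"base {math.degrees(t1):7.2f} deg  upper {math.degrees(t2):7.2f} deg")
```

Note that the angle pairs for a straight cut are far from linear in either joint, so interpolating in joint space between waypoints would bow the path; a controller must solve `inverse` densely along the line instead.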

Because automotive flywheels are made from cast iron, the machine is rigid and naturally damping. Sticking with the junkyard theme, he pulled bearings from an F-450 truck, good for a few thousand pounds. Some steppers and a Raspberry Pi and he was done – well, sort of.

[Jason] let us know that his project has sat for long enough that he has become passionate about other things and decided to move on. He documented his progress and submitted the tip in hope to inspire someone else to continue the design further. Any type of CNC is possible, not just a mill. 3D printer perhaps?

Two big caveats: it needs a Z-axis (linear, probably standard) and there appears to be deeper-seated-than-expected G-code demands to chit-chat about rectangles and only rectangles. Nothing insurmountable, just nothing he has solved yet himself.

[Jason] said not to expect any further updates from him but he would love to see what the next person could do with it.

See the video after the break of the mill drawing our skull and wrenches logo (sort of, without a Z-axis to lift).


Project Binky, Putting a Celica in a Mini The Hard Way

The old Mini – not the new one, mind you – was a fantastic rally car, but fifty-odd horsepower won’t get you very far today. The name of the game is souping up a pile of rust from 1980 to create one of the fastest Minis on the planet. That’s the goal of Bad Obsession Motorsport, a project by [Nik Blackhurst], [Richard Brunning], and [Rex Hamilton] as [Abraham Lincoln].

[Nik] has a 1980 Mini 1000, a car-shaped pile of rust. The plan for this multi-year build is to stuff the engine, gearbox, and suspension from a Toyota Celica ST185 GT4 into the old Mini. If you’re wondering, that’s a two liter, turbocharged engine with 200 horsepower and four-wheel drive in a Mini that originally had 50 or 60 horsepower. No, the engine doesn’t fit, but that’s not going to stop these guys.

This isn’t the kind of build you just dive into. Once the guys had the Mini in the garage, a load of measurements were taken from both cars, written down, and the car stripped down. This is not a simple mod, and a few pieces of equipment were custom-made just for this build. The biggest of these is a custom jig the Mini chassis can be bolted down to. This jig gives [Nik] and [Richard] the ability to mount the Mini and engine on rollers, and rotate the entire chassis 90 degrees for easy welding of the underside of the car.

Already there are eight videos covering a year and a half of work, and only now is there a light at the end of the tunnel. Most of the old body panels from the Mini were removed and replaced with reproduction parts. Those parts were quickly ruined with a cutting disk and some custom fabricated panels were put in place. Somehow, it still looks like a Mini but it’s massively strengthened and cut to accommodate the much larger suspension and engine from the Celica.

Grab a cup of coffee (or tea, if you’re into that) and check out the videos below. It’s incredible how much time and work went into this build, and we can’t wait to see the next update in a few months or so.


Redlining Your CPU via Automotive Tachometer

Many CPU-usage widgets have stylistically borrowed from vehicles, displaying something mimicking the tachometer found in the dashboard. [Pat] took it a step further and tried his hand at re-borrowing this style. He figured, why not use an actual physical tachometer to display how hard the CPU on his Raspberry Pi was revving?

With the goal of mapping 0-100% CPU usage to 0-8000 RPM on the tach, the first step was determining the range of PWM input frequencies that moved the needle across the tach’s full arc. Using his Tektronix 3252C function generator he quickly determined 0-440 Hz would be needed and graphed a handful of intermediate points. The response curve was not linear, so he drew up some fudging guidelines to make all the datapoints match.

Next, he wrote a few lines of Python (which he shared) to make the Pi poll its CPU usage and translate it to the proper frequency. The Pi makes output easy: GPIO pin 11 carried the signal to a 7404 for buffering, then out to the tach. The automotive tach itself ran on 12V, but its input signal required only 5V, so he pulled a 7805 from his parts bin.
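The two pieces of that script worth seeing are the CPU sampling and the non-linear needle correction. This is an added example, not [Pat]’s shared code: the calibration table is constructed (his real curve came from the function generator), CPU usage is derived from two /proc/stat samples, and the GPIO PWM call is left as a comment so the block runs on any Linux box.

```python
import time

# Constructed calibration, not [Pat]'s measurements: (needle RPM, PWM Hz that
# produced it). The tach's response is not linear, so a table replaces a scale factor.
CALIBRATION = [(0, 0.0), (1000, 40.0), (2000, 90.0), (4000, 200.0), (6000, 320.0), (8000, 440.0)]


def cpu_to_rpm(cpu_percent):
    """0-100 % CPU onto the 0-8000 RPM face, clamped so the needle never over-swings."""
    return max(0.0, min(100.0, cpu_percent)) * 80.0


def rpm_to_hz(rpm):
    """Piecewise-linear interpolation through the calibration points ('fudging')."""
    rpm = max(CALIBRATION[0][0], min(CALIBRATION[-1][0], rpm))
    for (r0, f0), (r1, f1) in zip(CALIBRATION, CALIBRATION[1:]):
        if r0 <= rpm <= r1:
            return f0 + (f1 - f0) * (rpm - r0) / (r1 - r0)
    return CALIBRATION[-1][1]


def read_cpu_times():
    """(idle, total) jiffies from the aggregate 'cpu' line of /proc/stat."""
    with open("/proc/stat") as f:
        vals = [int(v) for v in f.readline().split()[1:]]
    idle = vals[3] + vals[4]  # idle + iowait count as not busy
    return idle, sum(vals)


def cpu_percent(prev, cur):
    """Busy percentage between two (idle, total) samples; 0 if no time elapsed."""
    d_total, d_idle = cur[1] - prev[1], cur[0] - prev[0]
    if d_total <= 0:
        return 0.0
    return 100.0 * (d_total - d_idle) / d_total


if __name__ == "__main__":
    prev = read_cpu_times()
    while True:
        time.sleep(0.5)
        cur = read_cpu_times()
        hz = rpm_to_hz(cpu_to_rpm(cpu_percent(prev, cur)))
        prev = cur
        # On the Pi this is where the PWM frequency is updated, e.g. with RPi.GPIO:
        #   pwm = GPIO.PWM(11, 1); pwm.start(50); ... pwm.ChangeFrequency(max(hz, 0.1))
        print(f"{hz:6.1f} Hz")
```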

Once it was all put together it worked beautifully using just the one extra component. Some might see this as more elegant than USB-dependent or Arduino-based tachometer hacks.

See the video after the break of the tach twitching even when the mouse moved, and pegging the red when opening a browser. No more need to use up valuable screen real-estate (or use a screen at all) if you want to see at a glance when your Pi is putting in work.


$15 Car Stereo Bluetooth Upgrade

We’ve seen all sorts of ways to implement Bluetooth connectivity on your car stereo, but [Tony’s] hack may be the cheapest and easiest way yet. The above-featured Bluetooth receiver is a measly $15 over at Amazon (actually $7.50 today—it’s Cyber Monday after all) and couldn’t be any more hacker-friendly. It features a headphone jack for plugging into your car’s AUX port and is powered via USB.

[Tony] didn’t want the receiver clunking around in the console, though, so he cracked it open and went about integrating it directly by soldering the appropriate USB pins to 5V and GND on the stereo. There was just one catch: the stereo had no AUX input. [Tony] needed to rig his own, so he hijacked the CD player’s left and right audio channels (read about it in his other post), which he then soldered to the audio output of the Bluetooth device. After shoving all the bits back into the dashboard, [Tony] just needed to fool his stereo into thinking a CD was playing, so he burned a disc with 10 hours of silence to spin while the tunes play wirelessly. Nice!

An Interview with Tesla Battery Hacker [wk057]

We covered [wk057] and his Tesla Model S battery teardown back in September. Since then we had some time to catch up with him, and ask a few questions.

You’ve mentioned that you have a (non hacked) Tesla Model S. What do you think of the car?

It’s the best car I’ve ever driven or owned, period. Not to get too into it, but, I love it. I’ve put almost 20,000 miles on it already in under a year and I have no real complaints. Software feature requests… but no complaints. After almost a year, multiple 1700-miles-in-a-weekend trips, and an overall great experience… I can never go back to a gas vehicle after this. It would be like going back to horses and buggies.

A salvage Tesla Lithium battery had to be expensive compared to a Lead Acid setup. What made you go with the Tesla?

Actually, if you consider that the Model S battery is already pre-setup as a high-capacity pack, contains the wiring to do so, and the modules are much more energy and power dense than any lead acid battery bank, it’s actually almost cheaper than a comparable lead acid bank and all the trimmings.

I haven’t officially weighed them, but the modules from the Model S battery are roughly 80 lbs. 80 lbs for a 5.3 kWh battery is around 15 lbs per kWh, which is impressive. For comparison, a decent lead acid battery will have a little over 1 kWh (of low-rate discharge capacity) and weigh almost the same.

Also, the Tesla pack is much more powerful than a lead acid bank of the same capacity.
Generally a lead acid battery bank would have a capacity that would only be realized with slow discharges, so, 1/20C. Much over that and you sacrifice capacity for power. 1/20C for an 85kWh pack is only 4.25kW, barely enough for a central air unit and some lights without losing capacity.

Now the Tesla pack can be discharged (based on how it does so in the vehicle) at up to 3.75C for short periods, and at 1/2C continuously without really affecting the overall capacity of the pack. That means I can run 10x more power than lead acid without a loss in overall charge capacity. Leads to a much more flexible battery solution since the loads will, in reality, always be so low that this will not even come into play with the Tesla pack, but would almost always be a factor with lead acid.

Charging is also somewhat better with the Tesla battery. Charge a lead acid battery at a 1/2C and it will boil. Charge the Tesla pack at 1/2C (42kW) and it might warm up a few degrees. Oh, and the charging losses at high rates are much less than lead acid also.
Overall, without continuing to yack about the technical aspects, it’s just a much better battery, takes up less space, weighs less, and has more power available.

There are likely decent arguments for other solutions, but the rest aside, this one won out because it was definitely more interesting.

Click past the break to read the rest of our interview with [wk057]!


Capacitive Garage Door Opener Hides Behind Your Dash

[Pyrow] wanted to upgrade his garage door opener remote. It worked just fine, but changing those tiny batteries out can be an inconvenience. Plus, the remote control was taking up valuable storage space and would always rattle around while driving. [Pyrow] decided to make use of an Omron E2K-F10MC2 capacitive touch sensor to fix these issues.

[Pyrow’s] circuit still makes use of the original remote control. He just added some of his own components to get it to do what he wanted. The circuit is powered by the car’s battery, so it never needs a battery replacement. The circuit is protected with a fuse and the power is regulated to prevent electrical spikes from burning up the original remote control. The actual circuit is pretty simple and uses mostly discrete components. It’s all soldered onto proto board to keep it together. He only had to solder to three places on the original remote control in order to provide power and simulate a button press.

Next, [Pyrow] took his dash apart. He used double-sided tape to attach the touch sensor to the back of the dash. After securing the electronics in place with tape, he now has a working hidden garage door opener. Full schematics are available in the writeup linked above. Also, be sure to watch the demonstration video below.
