Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man-in-the-middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man-in-the-middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
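Both the fake Zubie update and the unsigned SnapShot firmware come down to a device flashing whatever its update server hands it. The sketch below is an added example, not code from either product or from the researchers: it shows a device-side check that accepts an image only if a vendor signature covers a manifest naming the image hash and a newer version. The manifest layout and function names are assumptions, and a Lamport one-time signature built from SHA-256 stands in for a production scheme such as Ed25519 or LMS so the example runs with the standard library alone.

```python
import hashlib, hmac, json, secrets

def _h(b):
    return hashlib.sha256(b).digest()

def _bits(msg):
    d = int.from_bytes(_h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def keygen():
    # Vendor side: the secret half never ships; the device stores only pk.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    # Lamport one-time signature: reveal one secret per digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all([hmac.compare_digest(_h(s), pk[i][bit])
                for i, (s, bit) in enumerate(zip(sig, _bits(msg)))])

def make_manifest(version, image):
    # Hypothetical manifest layout: version plus SHA-256 of the image.
    meta = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return json.dumps(meta, sort_keys=True).encode()

def accept_update(pk, installed_version, manifest, sig, image):
    # Device side: decide whether a downloaded image may be flashed.
    if not verify(pk, manifest, sig):
        return False, "bad signature"
    meta = json.loads(manifest)
    if not hmac.compare_digest(meta["sha256"], hashlib.sha256(image).hexdigest()):
        return False, "image does not match manifest"
    if meta["version"] <= installed_version:
        return False, "rollback or replay"
    return True, "ok"

def demo():
    sk, pk = keygen()
    good, rogue = b"constructed firmware image v7", b"constructed rogue image"
    manifest, sig = make_manifest(7, good), None
    sig = sign(sk, manifest)
    return {
        "genuine": accept_update(pk, 6, manifest, sig, good),
        "swapped_image": accept_update(pk, 6, manifest, sig, rogue),
        "forged_manifest": accept_update(pk, 6, make_manifest(8, rogue), sig, rogue),
        "replay": accept_update(pk, 7, manifest, sig, good),
    }
```

With this check in place, controlling DNS or the cellular link lets an attacker deliver an image but not get it accepted, because the device trusts the signature rather than the server it happened to reach.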

The first research team provided their findings to Zubie, who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Dedicated Automobile Traffic Monitor with Raspberry Pi

[j3tstream] wanted an easier way to monitor traffic on the roads in his area. Specifically, he wanted to monitor the roads from his car while driving. That meant it needed to be easy to use, and not too distracting.

[j3tstream] figured he could use a Raspberry Pi to run the system. This would make things easy since he’d have a full Linux system at his disposal. The Pi is relatively low power, so it’s run from a car cigarette lighter adapter. [j3tstream] did have to add a custom power button to the Pi. This allows the system to boot up and shut down gracefully, preventing system files from being corrupted.

After searching eBay, [j3tstream] found an inexpensive 3.2″ TFT LCD touchscreen display that would work nicely for displaying the traffic data. The display was easy to get working with the Pi. [j3tstream] used the Raspbian Linux distribution. His project page includes a link to download a Raspbian image that already includes the necessary modules to work with the LCD screen. Once the image is loaded, all that needs to be done is to calibrate the screen using built-in operating system functions.

The system still needed a data connection. To make things simple and inexpensive, [j3tstream] used a USB WiFi dongle. The Pi then connects to a WiFi hot spot built into his 4G mobile phone. To view the traffic map, [j3tstream] just connects to a website that displays traffic for his area.

The last steps were to automate as much as possible. After all, you don’t want to be fumbling with a little touch screen while driving. [j3tstream] made some edits to the LXDE autostart file. These changes automatically load a browser in full screen mode to the traffic website. Now when [j3tstream] boots up his Pi, it automatically connects to his WiFi hotspot and loads up local traffic maps.

Capacitive Garage Door Opener Hides Behind Your Dash

[Pyrow] wanted to upgrade his garage door opener remote. It worked just fine, but changing those tiny batteries out can be an inconvenience. Plus, the remote control was taking up valuable storage space and would always rattle around while driving. [Pyrow] decided to make use of an Omron E2K-F10MC2 capacitive touch sensor to fix these issues.

[Pyrow’s] circuit still makes use of the original remote control. He just added some of his own components to get it to do what he wanted. The circuit is powered by the car’s battery, so it never needs a battery replacement. The circuit is protected with a fuse and the power is regulated to prevent electrical spikes from burning up the original remote control. The actual circuit is pretty simple and uses mostly discrete components. It’s all soldered onto proto board to keep it together. He only had to solder to three places on the original remote control in order to provide power and simulate a button press.

Next, [Pyrow] took his dash apart. He used double-sided tape to attach the touch sensor to the back of the dash. After securing the electronics in place with tape, he now has a working hidden garage door opener. Full schematics are available in the writeup linked above.

LuxBlaster: Blast a Beam of Light at the Most Intense Light Source

[Hazim] wrote in to tell us about his project that teaches inconsiderate drivers a lesson! Well, theoretically. The LuxBlaster is a spot light which points towards the most intense light source.

The idea is that you can blast drivers who do not turn their high-beams off with a reverse high-beam of your own. It is very important to note that this should never be used, as [Hazim] also clearly states. While this project is meant to prove that it can be done (a “what if” project), it has two components that are very well done and can easily be used in different projects: the Arduino controlled spotlight and the light intensity tracker.

What would you use an Arduino controlled spotlight for? Smart lighting? What about a light source tracker? Let us know in the comments.

BAMF2010: CMT 380X Blackbird

Okay, we lied, we totally want one of these too. The CMT 380X Blackbird is one wicked hybrid car!

Looking like it just rolled off the set of the next Batman film, the Blackbird is the brainchild of Electronic Arts Chief Creative Director [Richard Hilleman]. Starting from a kit car base — the Factory Five Racing GTM chassis — [Hilleman] created a unique 230 horsepower drive train combining a 30 kilowatt diesel turbine and 24 kWh lithium polymer battery pack.

As a purely plug-in electric car, the Blackbird has a range of 85 miles. In hybrid mode, range is extended to 500 miles. The car can accelerate from 0 to 60 in about 7 seconds. When decelerating, the car makes use of regenerative braking.

It’s strictly a one-off for the time being, but several companies have approached [Hilleman] about possibly commercializing the design.
