Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that most of the controls are actuated electronically. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smartphone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port from a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python .pyo files to recover the original scripts. After reading through these, they were able to reverse engineer the protocol used between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man-in-the-middle attack against the Zubie. This allowed them to control the DNS resolution of the Zubie cloud address. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but his target was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man-in-the-middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
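Both stories hinge on the same missing check: the dongle accepts whatever firmware the network hands it. Below is an added example (not code from Zubie, Progressive, or either research team) of what a signed-and-validated update path looks like on the device side, written in Go with the standard library’s Ed25519. The manifest layout, function names, and the firmware bytes are all constructed for illustration. The vendor signs a small manifest binding a version number to the SHA-256 of the image; the device, which holds only the vendor’s public key, refuses anything with a bad signature, a version that is not newer than what is installed (so a genuinely signed but older image cannot be replayed), or image bytes that don’t match the manifest. With that gate in place, redirecting the cloud hostname through a rogue tower gets an attacker a download that the device throws away.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (not the format of any real
// dongle): the version and image hash are signed together so neither can be
// swapped out by whoever sits between the device and the cloud.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes returns what the vendor signs and the device verifies:
// version || SHA-256(image).
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// NewVendorKeys generates the vendor's Ed25519 key pair. Only the public key
// is ever provisioned onto the device; the private key stays in the build
// system, so a shell on the dongle's UART yields nothing that can sign.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// SignManifest is the vendor-side release step.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against vendor key")
	ErrRollback     = errors.New("manifest version is not newer than installed firmware")
	ErrHashMismatch = errors.New("downloaded image does not match signed manifest")
)

// VerifyUpdate is the device-side gate that a man-in-the-middle download
// cannot pass. The signature is checked first, so nothing about an unsigned
// manifest is acted on; rollback is refused next, so a signed but older
// image cannot be replayed; finally the image bytes are bound to the manifest.
func VerifyUpdate(vendorPub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	// Constructed sample image; a real one would be the dongle's firmware blob.
	image := []byte("constructed firmware image, not from any real dongle")
	genuine := SignManifest(priv, 2, image)

	fmt.Println("genuine update:  ", VerifyUpdate(pub, 1, genuine, image))
	fmt.Println("tampered image:  ", VerifyUpdate(pub, 1, genuine, []byte("tampered")))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 2, genuine, image))
	_, attackerPriv := NewVendorKeys()
	fmt.Println("attacker-signed: ", VerifyUpdate(pub, 1, SignManifest(attackerPriv, 3, image), image))
}
```

The ordering inside VerifyUpdate is deliberate: a manifest that fails the signature check is rejected before its version or hash is even looked at, and the anti-rollback check sits before the hash check so that a correctly signed old image is refused regardless of whether its bytes are intact. None of this helps if the device also lacks transport protection, but it removes the single step that turned a DNS redirect into remote control of the car in both write-ups.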

The first research team provided their findings to Zubie, who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully, with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Raspis with double the RAM in the wild

There is buzz all over the reddits and Element 14 discussion boards about an updated version of the Raspberry Pi that bumps the amount of RAM from 256 MB to 512 MB.

This new update comes after the announcement of an upgraded version of the yet-to-be-released Raspi Model A (from 128 MB of RAM to 256 MB), and a few slight modifications to the Model B that include fixing a few hardware bugs (nothing serious) and adding mounting holes.

After perusing the Element 14 and Raspberry Pi discussion boards, a few things become apparent. Firstly, it appears this new upgrade to double the amount of RAM was initiated by manufacturers. It seems 512 MB RAM chips are cheap enough now to include in the Raspi without impacting the cost of components. Secondly, 512 MB seems to be the upper limit for the Raspberry Pi, at least for this iteration of hardware. Not enough address lines, they say, but you’re welcome to try and hack your own RAM to a Raspi CPU.

So far, attentive Raspi enthusiasts have found Raspberry Pis with double the amount of RAM on the UK Farnell site and the Australian Element 14 site. Nothing so far on the US Element 14 site, although we’ll gladly update this post when a Hackaday reader finds the relevant link.

EDIT: Here’s the link for the US version of Newark. No, there aren’t any in stock. Also, Hackaday beat the official Farnell/Element 14/Newark press release and the Raspberry Pi blog to the punch. Woo, go us.

Sony removes PS3 Linux support with an update… errrrr, downgrade?

Sony is rolling out a firmware update for the PS3 on April 1 but we’re pretty sure it’s not a joke. What we’re not sure about is that you can call it an update. It removes features rather than fixing or adding them. In this case, it is removing the “Install Other OS” option that allows you to run Linux on non-slim versions of the PlayStation 3. It is fairly obvious that this is a reaction to the hypervisor exploit that was released back in January that breaks down the machine’s security barriers.

[Geohot], the guy who found and released the exploit, published a post on his blog expressing his disapproval of Sony’s actions. We’d have to agree. It’s pretty cold-hearted to remove functionality that was advertised with a product. We’re sure there are many folks out there using the Linux support who have no interest in exploiting the product. This is gardening with a backhoe and quite frankly it stinks.

This may bring on a torrent of new effort in unlocking and laying bare the PS3. If so, doesn’t Sony deserve it?

[Photos credit: I’m with Stupid]

[Thanks Shueddue]

Ask a winner…


We’ve been given the honor of interviewing each team from the Nokia N900 PUSH competition one on one. However, rather than be selfish, we thought it would be fun and informative if the readers got to ask the teams some questions too.

Just post your question in a comment and we will be sure to ask.

Avoid the basics, like “what was your inspiration” – don’t worry, we’ve got those covered. But maybe you have that dying question of “Haptic Guide: What kind of battery life do you expect with 9 or more motors constantly spinning? Surely we won’t be wearing lead-acid around, will we?”

Nokia PUSH competition update

A couple of readers weren’t too thrilled when the winners were announced a while back for the Nokia N900 competition. And to be honest, we even wondered about some of the ideas (like what does skateboarding have to do with hacking?). However, the teams have been hard at work and a clearer picture is starting to form for each. Check after the break for some video recaps.

[Thanks Matt]

Capacitive discharge spot welder update


It seems one of our commenters took great umbrage at [PodeCoet] not documenting his capacitive discharge cutting properly. [PodeCoet] had been waiting until he got the full spot welder working before publishing, but he’s expedited the work after all our whining. Check out his full writeup of the device in its current state. It uses a 1 farad audio cap for storage. A dsPIC monitors all of the voltage sources and regulates charging. A nice touch is the tactile switch on the electrode.