Nissan Gives Up Root Shell Thanks To Hacked USB Drive

For the impatient Nissan owners who may be joining us from Google, a hacker by the name of [ea] has figured out how to get a root shell on the Bosch LCN2kai head unit of their 2015 Xterra, and it looks like the process should be the same for other vehicles in the Nissan family such as the Rogue, Sentra, Altima, and Frontier. If you want to play along at home, all you have to do is write the provided image to a USB flash drive and insert it.

Now for those of us who are more interested in how this whole process works, [ea] was kind enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.

The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.

A simple script on the flash drive enables the SSH server.

After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
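To make the flaw concrete from the defender's side, here is an added example (not code from [ea]'s write-up or from the Bosch firmware) contrasting the label-to-mount-point pattern the article describes with a version that validates the label before building the path. The `/media/usb` base directory and the 64-character limit are assumptions; the head unit's real paths are not given in the article.

```shell
#!/bin/sh
# Added example: deriving a USB mount point from a filesystem label.
# MOUNT_BASE is an assumed location, not the head unit's actual directory.
MOUNT_BASE="/media/usb"

# The pattern the article describes: the label is concatenated straight
# into the path, so a label containing "../" walks out of MOUNT_BASE.
unsafe_mount_point() {
    printf '%s/%s\n' "$MOUNT_BASE" "$1"
}

# Hardened version: accept only a conservative allowlist of characters,
# reject empty labels, dot-only names and anything containing a slash,
# and bound the length. Returns 1 (and prints nothing) on rejection so a
# caller can fall back to a fixed name such as "usb0".
safe_mount_point() {
    label=$1
    case "$label" in
        ''|.|..)            return 1 ;;   # unusable as a directory name
        */*)                return 1 ;;   # any slash is a traversal attempt
        *[!A-Za-z0-9._-]*)  return 1 ;;   # outside the allowlist
    esac
    # 64 is an assumed sane bound; VFAT labels are far shorter anyway.
    [ ${#label} -le 64 ] || return 1
    printf '%s/%s\n' "$MOUNT_BASE" "$label"
}

# Audit helper for defenders: report whether a label, fed through the
# unsafe construction, would produce a path that escapes MOUNT_BASE.
# Useful for scanning a log of labels the unit has seen.
label_escapes_base() {
    p=$(unsafe_mount_point "$1")
    case "$p" in
        *"/../"*|*"/..") return 0 ;;
    esac
    return 1
}
```

The hardened function treats any rejected label as "mount under a generic name", which keeps automount working for ordinary drives while removing the label from path construction entirely.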

So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.

44 thoughts on “Nissan Gives Up Root Shell Thanks To Hacked USB Drive”

    1. Given this new development, you’ll be able to surrender the control of your vehicles software to the whim and whimsy of the open source community where people who own similar vehicles will create amazing software that’ll almost work correctly, then they’ll get bored maintaining it because they sold their own Nissan, but encourage you to just do a ‘git pull’ and fork it. You’ll not know what that really means and how to proceed so you’ll be at the whim and whimsy of the next open source project that focuses on the product but has a completely different direction and isn’t at all what you’re looking for, but is said to be better in every other way, so you switch over to it, only to find that its just as awful as you thought it was. At this point you’ll realize that any software has a price, whether it be monetary or not. Welcome to Open Source.

      And if anybody has an argument with what I just said, I have one word: CentOS (and I know it’s not the exact same scenario, and I don’t care)

      1. Perhaps you can persuade the original devs to keep working on it if you lend them a hand or some compensation. This original work was done for free for the original author’s amusement and curiosity. It was incredibly generous of them to share their scripts and findings that they’ve made thus far.

        If you’re in the market for commercially-supported “enterprise-grade” products, you may be getting your news from the wrong website.

1. Just expressing some healthy skepticynicism with regards to the story arc that I’ve seen so many FOSS projects take over the years, and making the point that Free doesn’t mean Without Cost. As another commenter said below, $200 for an update doesn’t sound all that bad. In fact your own sentence drives the point home:

          “Perhaps you can persuade the original devs to keep working on it if you lend them a hand or some compensation.”

          Or perhaps he can just cut to the chase and buy the update from the manufacturer. There are countless other aspects of it. This is a tinkerers website, and so maybe the OP wants to tinker and see if he can write some scripts to do some things in nodpyrubash. Then that’s great. But doing it to avoid paying for an update? meh. Buy the update. That way when it doesn’t work the way you want it to, at least you are justified in complaining about it!

          [Note: All of this is meant in good humor and for fun. I’m bored and a little out of my head right now, so take it or leave it. No offense is meant and I’m not bashing any one community, just trying to have some fun making a point that sometimes people forget to make.]

1. You’re not alone in your opinions. Many times there are too many cooks in the kitchen with open source projects. You can eventually become a slave to their idiosyncrasies if it’s some sort of development library. They appear to need a strong guiding force or presence in order to maintain coherence.
            I’ve got no problem paying for commercial software, and have many a time, but with so much moving to subscription-based, or demanding exorbitant prices for beta-level software at best…
            I’ve got no answer. There aren’t answers to everything…

2. Your disclaimer aside I still feel like you’re quite a bit more negative than you need to be, bottom line very few people that hear the term “Open Source” expect it to mean “Perfect Software, for free”, those that do somehow make this translation only have themselves to blame.

            Any vaguely self respecting person that releases any sort of code will plaster it in warnings and disclaimers, if somebody struggles understanding those then that’s their own fault.

That said, most open source projects actually do surpass their paid counterparts, because end-users are working together and trying to squeeze every last bit of possible improvement out of the hardware they are working with, whereas a manufacturer wants to cut costs (directly translates to “spend as little time as possible on something”) whenever they can.

To summarize, I strongly disagree with the depressing picture you paint of “Open Source” in general, please try to not spew hate towards literally millions of projects because you’ve had a bad experience with a few.

          3. Fair enough. There are many open source projects that do not suffer such a drastic fate. Thunderbird comes to mind. But you would probably after that many of the “newest shiny thing” projects do. And it’s not all bad.

            Also I never once said that one should expect “perfect software for free” but rather that the imperfection was an intrinsic cost.

            As for the baditude: sorry. Rough last few days, to put it mildly. I should step away from the keyboard on days like this.

      2. In other words. “I’ve been getting a free lunch every day but it doesn’t compare to that one lunch I bought 5 years ago at the Ritz hotel.”

        That’s what you’ve got with obsolete hardware and software, the memory of a great lunch years in the past, but a plateful of mouldy crap now. Replacing that with any kind of food is a step forward, because you’re just not going to get it commercially. Sure buy the latest hardware if possible, then after the bugs get worked out after 6 to 12 months, you get that one great lunch out of it, but in a few more months that is abandoned even more completely by the people that wrote it, no nothing, no code, then you’ve only got the memory of that one great lunch again for your money.

      3. If you ever really like an old project that much, but don’t care to fork it just live with it as is. If you run into trouble and still can’t be bothered to fork and fix it, considering you a reader of this web site that is very much your problem.. Anybody who can comprehend the articles and comments here should be able to fix an open source project if they cared enough about it to do so…

For something like a stereo (that isn’t connected to the internet) there isn’t a reason to care if the project you picked has ceased being updated either, like that DOS computer/NES/C64/etc you probably have kicking around somewhere, it’s old but functional. And even if it is internet connected it’s not like your old phone/car-infotainment/etc gets manufacturer supplied updates long (if at all) anyway, so you’re probably better off running the old open source project than the even older garbage they foisted on you when you bought it…

4. I HAVE to use CentOS daily. This issue you ignore about it is that it was/is at the whimsy of RedHat and now IBM. This occurred not because of RedHat but because of “BIG BROTHER” known as IBM. Open source has always been just that: open source. So you must be prepared to take the responsibility along with the price. If you want Windoz which is crap for the price then go that route. Just don’t complain about something you never paid for. Did you even buy any of these guys a cup of coffee? Most don’t even do that. So what do you expect?
        I work for a company that is upstream with open source software. It is a great example of well supported open source. There are a lot of others that do the same thing. By the way the Linux you are using is still supported by the same guy. Ever heard of a guy named Torvalds?

      5. Since when has open source been “I get free software from other people”? GNU/Open source is simply the ability and the freedom to control the hardware (and the software running on it) that you own.

Anything extra like community-run coding projects are just that: extras. It doesn’t matter who’s maintaining a project; you have the opportunity to modify the software as you see fit. If you don’t have the ability to do so, that’s not a failing of open source, that’s your issue.

      6. This is absolutely true!

The only way to truly take advantage of this is if you know how to write user-level applications in Linux. Otherwise, your fate is exactly like @geocrasher says.

      7. I don’t get the CentOS example (I found RedHat just as painful), but the rest of your point is certainly valid.

        To people who complain about @geocrashers’ response: the comment he was replying to saw this as a way to save $200 on his infotainment system in his car. While this is a cool hack and certainly has potential, I think it’s a bad way to save $200.

        I know from experience that the time and effort you’d put into getting and keeping an aftermarket firmware running on a closed commercial platform with a limited install base will be worth more to most than $200. And it will almost certainly have some really neat features that are offset by quirks and bugs that don’t really bother the author but will bother you.

I love tinkering with software, hardware and weird embedded devices, but these days I’d not risk bricking the head unit in my car. When I was 21 and had ample spare time to tweak and fix things, sure. Or if I had a spare car/headunit. But time, cars and headunits all cost more than $200.

      8. That’s a ridiculous rant full of FUD.

        I hope you realize… The device is already running Linux (kernel) – open source. I presume nearly everything else on the system is also open source (likely GNU under GPL), outside of whatever proprietary Nissan software is installed ON TOP of the Linux system. So, this device is already highly dependent on open source projects.

There are plenty of excellent open source projects that have been around for a long time. Yes, often projects are abandoned, but, who cares? No one is going to install “MyOwnNissanMappingSystem 0.0.1 alpha” from GitHub and expect that some stranger on the internet is going to support the project in any way.

        And the CentOS scenario is very different. Everyone assumed, based on the CentOS page itself and history, that RedHat would support CentOS 8 through 2029… No one installing “MyOwnNissanMappingSystem 0.0.1 alpha” is going to expect enterprise level support for 10 years.

        Did you forget which site you are on? Come on, it’s rooting a car’s infotainment system. This is cool and fun.

        Also, I would speculate that the $200 upgrade (which seems reasonable) is likely nothing more than flipping a few bits in a licensing or entitlement file / firmware. It’s unlikely extra OSS software would be necessary to unlock that. Though of course a person could roll their own – and that’d be a cool hack.

2. To be honest? $200 is a very decent price. Your time is not free. Only do this for fun. Open source UI has a long history of being more miss than hit. UI is a “boring” problem so few do it well without being paid.

1. That’s tricky stuff. There’s a whole legal debate about whether farmers reserve the right to edit the software of their tractor’s computer. So I feel like playing with Gleimm’s software (or whoever makes it for the 737) is going to have some serious lawyers. But… If you know some cool guys in maintenance then you might be able to play with it. Probably not though, the FAA came down pretty hard on the aviation industry as a whole after 9/11 so getting to play with any airliner’s software is gonna end up being a felony. But who knows, as long as you keep a good maintenance record you could stay clean. Ask the chief maintenance guy for your company, I’m sure they’d be happy to talk about avionics.

    2. Folks, don’t get your panties in a wad… the pilot thing is/was a joke. It was meant to sarcastically expand automotive software hacks to the more critical flight control arena… sheesh. I’m not a fan of hackers modding their car software and fully understand the importance of manufacturer/FAA approved changes to flight software.

  1. A) Woohoo, this is great. B) Crap that sounds like a remote vulnerability too.

    I have a family member with a 2015 Nissan and the support has declined, only the older versions of the apps work with it. It would be great to get openstreetmaps or something working on it, or plug an ELM-327 USB model into the USB port and get extra gauges or diagnostics.

    But secondly, eeek, the stock USB port is used by many as a phone charger. The phone mounts as a USB drive when used with a data cable. Ergo, vulnerable phones could have a script uploaded to them that will execute when plugged into the car??

1. That’s a really good point with the phone port, but couldn’t that offer an advantage? If hypothetically, you purposely had code that autoconnects the phone to the car’s bluetooth or allows you to pull up map locations on your phone. Fuck it, have your car call triple A for you. The potential can out-weigh the problems, but really I’m wondering if it’s worth capitalizing on. Or if any code wizards or console cowboys care enough to write it.

      1. Yah, it’s great if you want to run stuff from your phone, but if you don’t want to run stuff from your phone and downloaded CoolTunezToCruiseInUrNissan.mp3.sh or were victim of another attack vector through the phone, then not so cool.

2. Yeah USB ports are somewhat the bane of a security minded techie – they have managed to become too universal, rather overcomplex (just look at the USB3 specs – all the modes it supports) and relatively effortless to use as an exploit vector..

Does this Nissan’s system actually do anything but the music and maps? It sounds from what you are saying like it might be on the CAN bus proper, and therefore in theory able to futz with (maybe even control fully) anything in the car’s operation… I don’t think you want to have a phone connected to that USB port able to turn the car into a big Bluetooth toy… well it sounds like fun done right, but not really what you want in normal use.

      1. Most of them do have a connection to 1 or more CAN buses in the car and have been like this for years. They’ve integrated it for things like diagnostics, detecting the position of the handbrake to lockout the screen, for climate control and adjusting other features of your car.

    3. “Vulnerable phones could have a script uploaded to them that will execute when plugged into the car??”

This is gonna sound harsher than I mean, but uh, so what?
      Unless I’m missing something obvious here, there’s really only 2 possible reasons this could happen:

1] Somebody or some government wants to spy on you, if this is the case then patching a bug in the USB code won’t change that at all, they will just find another way to spy on you.

2] Somebody wants to use this to make you crash your car (let’s for a moment assume that that’s even possible, and I highly doubt it is) if this is the case then why not simply cut some brake-lines, you can reach those a lot easier and the effect will be the same.

It’s safe to assume that nobody has a reason to hack the infotainment system of your family member unless they are a super important person somewhere, and if that’s the case then not hacking the infotainment system would still be the better option, don’t freak out your family member with doomsday stories, there is no need to.

      1. You want to make Nissan look bad for whatever reason you don’t cut lines or cause any real harm to their vehicles, just make them try rather hard to suicide the occupants.

        Plus a little ‘helpful’ phone app virus to restore functionality isn’t hard to get people to download, or hard to create (to really make it perfect for practical use can be, but good enough that with the promise of updates you can get nearly everyone who uses one of these boxes to load it isn’t hard- Heck I’d quite possibly do the same (Not that I’d ever have a vehicle with an onboard computer that in anyway can talk to the outside world and the car’s engine/abs/etc systems – they should be 100% separate, or at the very read only so you don’t get jerks triggering or turning off the brakes, which among many other things has been demonstrated wirelessly.))

Doesn’t need to be YOU being targeted, could be the company you work for, the company that made the product you’re using.. the list goes on, the anonymity of the flock doesn’t mean you can ignore security, it just means that very little effort on your part will likely be enough, as you the relative nobody are not worth putting any effort into compared to other targets, but if you go yelling your banking details through a loudhailer, which is what being so cavalier with your security pretty much amounts to in stupidity, expect to get bitten eventually – You were not worth hunting down, but giving it all away by taking no care… Nobody with criminal intent is going to pass on the free lunch.

  2. You know … why do we have info-tainment systems in cars/trucks anyway. Most people carry around the ‘latest’ info-tainment /gps/map systems in their pockets now. So the car should just have a usb port to ‘extend’ into the car for speaker, screen access. That’s it. Then you never are ‘obsolete’. As for me … I could do with just a radio, a few usb ports, and cd/dvd in the dash. Keep it simple, is my motto. In fact my 2015 Altima shows a ‘blank’ screen with the time on it. That’s it normally. Could use that space for more vents or something :) .

    One thing that always puzzled me though about car manufacturers…. The clock. Why is it, they can’t add a receiver to keep the clock sync’ed with local time. I had a watch that did this at one time. I have inexpensive wall clocks at home that do this. But none of my vehicles have it. As much as you pay for a vehicle … you’d think…. But here I am adjusting the clock at least twice a year and they are usually off by a couple of minutes….

    Interesting hack though.

    1. You are describing Android auto/Apple carplay. I have retrofitted this to my old BMW. Best setup ever. Maps and apps always up to date. The car is nothing more than a remote display.

    2. You’re describing what a lot of companies have started doing already :P in the latest mid-range price cars the “infotainment system” is essentially just a touch monitor and not much else.

3. The lower versions of the Renault/Nissan/Smart radios (monochrome display) also run Linux. Console is available through test points. Holes are even poked into the housing, so no need to open the box. Wonder if anyone else experimented with that…

  4. The automotive hacking that is coming out on Hackaday is really exciting. Now I have a whole new hobby I didn’t need. I recently saw a similar story on hacking the Nissan display. I have a Nissan Rogue which is now going to be the subject of a hacking project.
More importantly though is my diesel tractor. Yes, tractor. It is in sorry need of an upgrade in electronics. I have a number of functions I want to add like a clock (yes it does not have a clock), a battery voltage display, an engine temperature and transmission temperature sensor, a camera to display the implement I am pulling (like my square baler), well you get the general idea.
    So if anyone knows of an article for hacking a farm tractor please let me know.
    It’s been on my list for a while now……Like all of us, we have more list items than we have time to work on them.

    Glenn.
