Car Security Experts Dump All Their Research And Vulnerabilities Online

[Charlie Miller] and [Chris Valasek] have just released all their research, including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates, which were rolled out in response to their hacking of a Cherokee in 2015.

FCA, the corporation that owns Jeep, had to recall about 1.4 million vehicles to deal with the 2015 hack, issuing them all a patch. However, the patch wasn’t all that great: once exploited, it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place. The papers they have released are a goldmine for anyone interested in hacking, or even just messing around with, cars via the CAN bus. The work chronicles multiple hacks, from changing the speedometer reading to remotely controlling a car through CAN message injection. And this release isn’t limited to Jeep. The research covers a huge range of topics on a number of different makes and models, so if you want to play around with your car, this is the car hacking bible you have been waiting for.

Jeep is not too happy about the whole situation. The dump includes a lot of background on vehicles from multiple manufacturers, but the 2015 Jeep hack is the prominent one and comes with step-by-step instructions. FCA’s statement on the matter is below.

Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

Better Car Audio With Guitar Effects

Automotive sound is a huge deal; for many people, the car is the place to listen to music. Back in the 80s, you were lucky to get anything more than two door speakers in the front of the car. Fast forward to today, and you can expect a 10-speaker system in an up-spec’d family sedan.

[Josh] has a car, and wanted to improve the sound. In particular, the aim was to improve the sense of space felt when listening. A car is a relatively small space, and the driver sits in close proximity to the front speakers, so it’s difficult to get a good soundstage.

[Josh]’s approach was to create a “surround” effect for the car stereo by feeding a left/right difference signal to the rear speakers. This was achieved with a series of op-amps that buffer the channels and then generate a mono signal representing the difference between left and right. For optimum results, [Josh] wanted to delay the signal sent to the rear speakers, a longer delay making the soundstage feel bigger, as if reflections were coming from farther away in a bigger room. To do this, [Josh] simply hooked the signal up to a Boss DD-3 Digital Delay guitar pedal – an off-the-shelf solution to an otherwise sticky problem. The DD-3 gives [Josh] a variable delay time with reasonably high fidelity, so it’s a perfect way to get the project done quickly.

The final piece of the puzzle is a filter. The difference signal doesn’t actually sound all that pleasant to the ears by itself, especially when it comes to transient high-pitched sounds like cymbals, so a lowpass filter is implemented to cut these higher frequencies down.

[Josh] made everything adjustable, from the filter to the delay, so it’s simple to dial things in until they’re just right, rather than relying on calculation or guesswork. The general idea is to feed the difference signal into the rear speakers at a low enough volume and with a subtle delay so that it adds to a general feeling of being in a larger room with the sound coming from all around, as opposed to listening to very loud point sources of audio.
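If you would rather prototype the chain in software before reaching for op-amps and a pedal, here is the same signal path in plain Python: difference the channels, delay the result, then low-pass it. This is an added example, not [Josh]’s circuit or code; the sample rate, 20 ms delay, 4 kHz cutoff and 0.5 gain are illustrative starting points, and the test tones are generated inside the block.

```python
"""Rear-channel feed for a car stereo: (L - R), delayed, then low-passed.

Added example in plain Python (no numpy) of the signal chain the post builds
from op-amps and a DD-3 pedal; it is not [Josh]'s circuit. The defaults
(48 kHz, 20 ms, 4 kHz cutoff, 0.5 gain) are illustrative, not measured values.
"""
import math


def difference_signal(left, right, gain=0.5):
    """Mono L-R: centred content cancels, stereo 'width' remains."""
    return [gain * (l - r) for l, r in zip(left, right)]


def delay(signal, delay_ms, sample_rate):
    """Shift the signal later by delay_ms, padding the start with silence.
    A longer delay reads as reflections from a bigger room."""
    n = int(round(delay_ms * sample_rate / 1000.0))
    n = min(n, len(signal))
    return [0.0] * n + signal[: len(signal) - n]


def lowpass(signal, cutoff_hz, sample_rate):
    """First-order RC-style low-pass: y[n] = y[n-1] + a * (x[n] - y[n-1]).
    Tames cymbals and other transients that make a raw L-R feed harsh."""
    rc = 1.0 / (2.0 * math.pi * cutoff_hz)
    dt = 1.0 / sample_rate
    a = dt / (rc + dt)
    out, y = [], 0.0
    for x in signal:
        y += a * (x - y)
        out.append(y)
    return out


def rear_channel(left, right, sample_rate=48000, delay_ms=20.0,
                 cutoff_hz=4000.0, gain=0.5):
    """The whole chain: difference -> delay -> low-pass."""
    diff = difference_signal(left, right, gain)
    return lowpass(delay(diff, delay_ms, sample_rate), cutoff_hz, sample_rate)


def tone(freq_hz, sample_rate, n_samples, amplitude=1.0):
    """Constructed test signal: a sine wave."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n_samples)]


def steady_peak(signal):
    """Peak absolute level over the second half, after the filter has settled."""
    tail = signal[len(signal) // 2:]
    return max(abs(v) for v in tail)


if __name__ == "__main__":
    sr = 48000
    left = tone(100, sr, sr // 4)           # bass only in the left channel
    silence = [0.0] * (sr // 4)
    print("100 Hz peak after chain:", round(steady_peak(rear_channel(left, silence, sr)), 3))
    high = tone(10000, sr, sr // 4)
    print("10 kHz peak after chain:", round(steady_peak(rear_channel(high, silence, sr)), 3))
```

Feed the chain identical left and right channels and the rear output is exactly zero, which is the point of the difference signal: anything panned dead centre never reaches the rear speakers.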

It’s a cool project that we imagine would be very satisfying to dial in and enjoy on the road. What’s more, it’s a fairly straightforward build if you want to experiment with it yourself on your own car. Perhaps your problem is that you need an auxiliary input to your head unit, though – in that case, check out this Subaru project.

Reverse-Engineering The Peugeot 207’s CAN Bus

Here’s a classic “one thing led to another” car hack. [Alexandre Blin] wanted a reversing camera for his old Peugeot 207 and went down a rabbit hole which led him to do some serious CAN bus reverse-engineering with Arduino and iOS. Buying an expensive bezel, a cheap HDMI display, an Arduino, a CAN bus shield, an iPod touch with a makeshift serial interface cable that didn’t work out, a HM-10 BLE module, an iPhone 4S, the camera itself, and putting in about a year and a half of intermittent work, he finally emerged poorer by about 275€, but victorious in a job well done. A company retrofit would not only have cost him a lot more, but would have deprived him of everything that he learned along the way.

Adding the camera was the easiest part of the exercise once he found an after-market version specifically meant for his 207. The original non-graphical display had to make room for a new HDMI display and a fresh bezel, which cost him much more than the display. Besides showing the camera image when reversing, the new display also needed to show all of the other entertainment system information. This couldn’t be obtained from the OBD-II port, but the CAN bus looked promising, although he couldn’t find any details for his model initially. With over 2.5 million 207s on the road, though, it wasn’t long before [Alexandre] hit the jackpot: a French university student project that used a 207 to study the CAN bus. The 207’s CAN system is subdivided into three separate buses, and the “comfort” bus provided all the data he needed. To decode the CAN frames, he used an Arduino, a CAN bus shield and a Python script to visualize the data, checking to see which frames changed when he performed certain functions, such as changing the volume or putting the gear in reverse.
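The frame-diffing step is easy to automate once you can capture the bus. The script below is an added example, not [Alexandre]’s code from his repository: it parses two captures in the text layout written by SocketCAN’s `candump -L`, one taken with the car idle and one while performing the action under test, and reports the bytes that were constant at idle but took a new value during the action. Bytes that already wander at idle (counters, checksums) are skipped, which is what you want when hunting for a gear or button state. The arbitration IDs and payloads are constructed for the example and are not real 207 frames.

```python
"""Find which CAN frames change when you perform an action on the car.

Added example, not from the original post or [Alexandre Blin]'s repository.
Two captures in `candump -L` text format are constructed inline: a baseline
recorded with the car idle and one recorded while shifting into reverse.
The IDs and payloads are made up for illustration; real 207 frame IDs come
from your own captures.
"""
from collections import defaultdict

# Constructed sample captures in the layout printed by `candump -L`:
# (timestamp) interface ID#DATA
BASELINE_CAPTURE = """\
(1500000000.000100) can0 036#0E0000000000A000
(1500000000.000200) can0 0F6#8E1A3000000000F0
(1500000000.000300) can0 1A8#0000000000000000
(1500000000.000400) can0 036#0E0000000000A000
(1500000000.000500) can0 0F6#8E1A3100000000F0
(1500000000.000600) can0 1A8#0000000000000000
"""

REVERSE_CAPTURE = """\
(1500000000.100100) can0 036#0E0000000000A000
(1500000000.100200) can0 0F6#8E1A3200000000F0
(1500000000.100300) can0 1A8#0000000000800000
(1500000000.100400) can0 036#0E0000000000A000
(1500000000.100500) can0 0F6#8E1A3300000000F0
(1500000000.100600) can0 1A8#0000000000800000
"""


def parse_candump(text):
    """Parse candump -L lines into {arbitration_id: [payload bytes, ...]}."""
    frames = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _timestamp, _interface, frame = line.split()
        can_id, _, data = frame.partition("#")
        frames[int(can_id, 16)].append(bytes.fromhex(data))
    return frames


def byte_values(payloads, index):
    """Set of values a given byte position took across a list of payloads."""
    return {p[index] for p in payloads if index < len(p)}


def diff_captures(baseline, action):
    """Return {can_id: [byte_index, ...]} for bytes that were constant in the
    baseline capture but took a value in the action capture never seen at idle.
    Bytes that already vary at idle (counters, checksums) are ignored.
    An ID that only appears during the action is reported as a new frame."""
    base = parse_candump(baseline)
    act = parse_candump(action)
    candidates = {}
    for can_id, payloads in act.items():
        if can_id not in base:
            candidates[can_id] = ["new frame id"]
            continue
        length = min(len(p) for p in payloads + base[can_id])
        changed = []
        for i in range(length):
            idle_vals = byte_values(base[can_id], i)
            if len(idle_vals) != 1:
                continue  # noisy at idle, not a state byte
            if byte_values(payloads, i) - idle_vals:
                changed.append(i)
        if changed:
            candidates[can_id] = changed
    return candidates


if __name__ == "__main__":
    for can_id, where in diff_captures(BASELINE_CAPTURE, REVERSE_CAPTURE).items():
        print("ID 0x%03X changed at byte(s) %s" % (can_id, where))
```

On the constructed data, 0x0F6 carries a byte that counts at idle and is correctly ignored, while 0x1A8 lights up one bit in byte 5 only in the reverse capture. Record each action several times and diff each against the idle baseline; a byte that shows up in every run is your candidate.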

The Arduino could not drive the HDMI display directly, so he needed additional hardware to complete his hack. While a Raspberry Pi would have been ideal, [Alexandre] is an iOS developer so he naturally gravitated towards the Apple ecosystem. He connected an old iPod touch to the Arduino via a serial connection from the Dock port on the iPod. But using the Apple HDMI adapter to connect to the display broke the serial connection, so he had to put his thinking cap back on. This time, he used a HM-10 BLE module connected to the Arduino, and replaced the older iPod touch (which didn’t support BLE) with a more modern iPhone 4S. Once he had all the bits and pieces working, it wasn’t too long before he could wrap up this long-drawn-out upgrade, and the final result looks as good as a factory original. Check out the video after the break.

It’s great to read about these kinds of hacks where the hacker digs in his heels and doesn’t give up until it’s done and dusted. And thanks to his detailed post, and all the code shared on his GitHub repository, it should be easy to replicate this the second time around, for those looking to upgrade their old 207. And if you’re looking for inspiration, check out this great Homemade Subaru Head Unit Upgrade.


Stealing Cars For 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.

The attack in its essence is not new; it’s basically just a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, is the transmission timeout: it all has to happen within 27 ms. You could almost pull this off over the Internet instead of radio.

The actual key is not cracked, as in a HiTag2 attack, and it’s not like hacking a rolling-code keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance over which these attacks work is reduced. Bear in mind that radio covers 300 m in about a microsecond, so the window would have to shrink by orders of magnitude, not just a little, before it limited the relay’s reach. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk. We’d argue that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.
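To make the timing argument concrete, here is a toy model of the exchange, added here and not the UnicornTeam’s code or NXP’s actual protocol. The car issues a challenge, the fob answers with a keyed MAC (HMAC-SHA256 standing in for the proprietary cipher), and the car accepts only a correct answer that arrives inside the window. The relay never needs the key; it only adds latency. A helper also converts a timeout into the farthest the relay link could stretch before the speed of light alone blows the budget, which is how to judge whether a proposed shorter timeout actually buys anything. The key and challenge values are constructed.

```python
"""Toy model of passive keyless entry (PKE) challenge-response and a relay.

Added example: not the UnicornTeam's tooling or NXP's protocol. HMAC-SHA256
stands in for the proprietary cipher; 27 ms is the timeout quoted in the post.
"""
import hashlib
import hmac

SPEED_OF_LIGHT_M_PER_MS = 299_792.458   # metres travelled per millisecond
PKE_TIMEOUT_MS = 27.0                   # window quoted for the attacked system


def mac(key: bytes, challenge: bytes) -> bytes:
    """Keyed reply to a challenge, truncated to 8 bytes like a short
    over-the-air response. Only car and fob hold `key`."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class Fob:
    """Answers every challenge it hears. It cannot tell whether the challenge
    came from the car beside it or from a relay radio 300 m away."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)


class Car:
    """Accepts a reply only if it is correct AND arrived inside the window."""

    def __init__(self, key: bytes, timeout_ms: float = PKE_TIMEOUT_MS):
        self._key = key
        self.timeout_ms = timeout_ms

    def accept(self, challenge: bytes, response: bytes, round_trip_ms: float) -> bool:
        correct = hmac.compare_digest(mac(self._key, challenge), response)
        return correct and round_trip_ms <= self.timeout_ms


def relay_attack(car: Car, fob: Fob, challenge: bytes,
                 link_one_way_ms: float, fob_processing_ms: float = 1.0) -> bool:
    """Two attacker radios: one at the car, one near the distant fob. The
    challenge goes car -> relay -> fob and the reply comes back the same way.
    The attackers add only latency; they never see or need the key."""
    response = fob.respond(challenge)          # fob answers the forwarded challenge
    round_trip_ms = 2 * link_one_way_ms + fob_processing_ms
    return car.accept(challenge, response, round_trip_ms)


def forge_without_key(car: Car, challenge: bytes) -> bool:
    """Sanity check: answering without the key fails, so the relay really is
    the whole attack and no cryptanalysis is involved."""
    return car.accept(challenge, b"\x00" * 8, 0.1)


def max_relay_distance_m(timeout_ms: float, fob_processing_ms: float = 0.0) -> float:
    """Farthest the relay link can reach before light-speed propagation alone
    (out and back) exceeds the window. Use it to judge a proposed timeout."""
    budget_ms = timeout_ms - fob_processing_ms
    return max(0.0, budget_ms * SPEED_OF_LIGHT_M_PER_MS / 2)


if __name__ == "__main__":
    key = b"constructed-shared-secret"                 # constructed, not a real car key
    car, fob = Car(key), Fob(key)
    challenge = bytes.fromhex("0123456789abcdef")      # fixed instead of random for a repeatable run
    print("legit fob beside car   :", car.accept(challenge, fob.respond(challenge), 0.5))
    print("relay over 320 m radio :", relay_attack(car, fob, challenge, link_one_way_ms=2.0))
    print("relay over the internet:", relay_attack(car, fob, challenge, link_one_way_ms=40.0))
    print("forge with no key      :", forge_without_key(car, challenge))
    print("27 ms window reaches   : %.0f km" % (max_relay_distance_m(PKE_TIMEOUT_MS) / 1000))
```

With a 27 ms window the propagation budget alone is roughly 4,000 km, which is why a 320 m radio link passes with thousands of milliseconds to spare and why "over the Internet" is not a joke. Cutting the window to a few microseconds is what it takes to bound the relay to a few hundred metres, and at that scale the fob’s own processing time dominates the budget.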

[via Wired]

Different Differentials & The Pitfalls Of The Easy Swap

I dig cars, and I do car stuff. I started fairly late in life, though, and I’m only just starting to get into the whole modification thing. Now, as far as automobiles go, you can pretty much do anything you set your mind to – engine swaps, drivetrain conversions, you name it – it’s been done. But such jobs require a high level of fabrication skill, automotive knowledge, and often a fully stocked machine shop to match. Those of us new to the scene tend to start a little bit smaller.

So where does one begin? Well, there’s a huge realm of mods that can be done that are generally referred to as “bolt-ons”. This centers around the idea that the install process of the modification is as simple as following a basic set of instructions to unbolt the old hardware and bolt in the upgraded parts. Those that have trodden this ground before me will be chuckling at this point – so rarely is a bolt-on ever just a bolt-on. What follows, the journey of my Mazda’s differential upgrade, will bear this out.

The car in question, currently known as the “Junkbox MX-5” until it starts running well enough to earn a real name. It somehow looks passable here, but in person I promise you, it looks awful. Credit: Lewin Day

It all started when I bought the car, back in December 2016. I’d just started writing for Hackaday and my humble Daihatsu had, unbeknownst to me, just breathed its last. I’d recently come to the realisation that I wasn’t getting any younger, and despite being obsessed with cars, I’d never actually owned a sports car or driven one in anger. It was time to change.

Smart Child Seat Aims To Prevent Tragedy

For most of us, a memory lapse is as harmless as forgetting to bring the garbage to the curb, or maybe as expensive as leaving a cell phone and cup of coffee on the roof of the car before driving off. But when the toddler sleeping peacefully in the car seat slips your mind in the parking lot, the results can be deadly.

We have no doubt that child detection systems will soon be standard equipment on cars, like backup cameras and trunk-escape levers are now. Not willing to wait, [ayavilevich] came up with his own car occupancy sensor for child seats (Update: we originally linked to the Instructable, but [ayavilevich] wrote in and mentioned this is an actual Hackaday Prize entry and he’s looking for more people to get involved in the project).

Dubbed Fochica, for “Forgotten Child in Car Alert,” the system is clearly a proof of concept right now, but it has potential. The Arduino Uno senses Junior’s presence in the car seat with a homebrew capacitive sensor under the padding of the seat and a magnetic reed switch in the chest harness buckle. An Android app on a smartphone pairs with a BLE module to get the sensors’ status, and when the phone goes out of Bluetooth range while the seat is occupied, the app sounds an alarm. Simple, but effective.

We like how well [ayavilevich] thought this through. Systems like this are best left uncomplicated, so any improvements he makes should probably concentrate on engineering a reliable, fieldable device. Another hack we’ve presented in the kid-safety space is fast stairwell lights for a visually impaired girl, which might provide some ideas.


OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject arbitrary malicious messages onto the CAN bus. This allowed them, among other things, to stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected, holes in the dongle’s message filter allowed them to inject malicious messages onto the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating two-step verification when additional users are registered to a device. The second issue, the ability of a maliciously modified mobile application to send unwanted CAN messages, will be mitigated with an update to the dongle firmware that further limits the commands the dongle is allowed to place on the CAN bus.
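Here is what “limit the allowed commands” looks like in practice, as an added illustration rather than Bosch’s firmware or Argus’ findings. A permissive filter forwards anything the phone hands it, which is fine until the phone app is modified. An allowlist filter forwards only well-formed OBD-II requests on the functional request ID 0x7DF for the handful of services and PIDs a data logger actually needs, and drops everything else, including anything addressed directly to an ECU. The ECU ID 0x0E0 and all the frames in the audit are constructed for the example.

```python
"""Egress filter for a Bluetooth OBD-II dongle: permissive vs. allowlist.

Added illustration, not Bosch's Drivelog firmware or Argus' exploit. Frame
layout follows the OBD-II convention: functional request ID 0x7DF, ISO-TP
single frame (PCI byte = payload length), service byte, PID byte, padding.
The ECU ID 0x0E0 and all frames below are constructed for the example.
"""
from dataclasses import dataclass

OBD_FUNCTIONAL_REQUEST_ID = 0x7DF
ALLOWED_PIDS = {
    0x01: {0x05, 0x0C, 0x0D, 0x2F},  # current data: coolant temp, RPM, speed, fuel level
    0x09: {0x02},                    # vehicle information: VIN
}


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int
    data: bytes


def permissive_filter(frame: CanFrame) -> bool:
    """Weak: rejects only frames that could never be a valid 11-bit CAN frame.
    Whatever a modified app hands over is put on the bus as-is."""
    return 0 <= frame.arbitration_id <= 0x7FF and len(frame.data) <= 8


def allowlist_filter(frame: CanFrame) -> bool:
    """Hardened: forward only a well-formed OBD-II single-frame request for a
    service/PID pair the logger needs. Anything else, including frames aimed
    straight at an ECU or at non-diagnostic services, is dropped."""
    if frame.arbitration_id != OBD_FUNCTIONAL_REQUEST_ID or len(frame.data) != 8:
        return False                  # requests are padded to 8 bytes
    pci, service, pid = frame.data[0], frame.data[1], frame.data[2]
    if pci != 0x02:                   # single frame carrying exactly service + PID
        return False
    return pid in ALLOWED_PIDS.get(service, set())


# Constructed traffic a modified phone app might hand the dongle.
FRAMES = {
    "rpm request": CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),
    "vin request": CanFrame(0x7DF, bytes([0x02, 0x09, 0x02, 0, 0, 0, 0, 0])),
    "uds ecu reset": CanFrame(0x7DF, bytes([0x02, 0x11, 0x01, 0, 0, 0, 0, 0])),   # 0x11 = UDS ECUReset
    "direct ecu frame": CanFrame(0x0E0, bytes([0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00])),
}


def audit(policy) -> set:
    """Names of the constructed frames a given filter would let onto the bus."""
    return {name for name, frame in FRAMES.items() if policy(frame)}


if __name__ == "__main__":
    print("permissive forwards:", sorted(audit(permissive_filter)))
    print("allowlist forwards :", sorted(audit(allowlist_filter)))
```

The design point is that the filter has to be enforced in the dongle’s firmware, not in the app: once an attacker pairs with the dongle, the app is theirs to modify, and the CAN side of the bridge is the last place a policy can still be trusted.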

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10 m, which you could arguably call physical proximity, but it is pretty easy to buy, or even modify, a Bluetooth dongle with 10x or 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.