OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

April 14, 2017 by Pedro Umbelino 30 Comments

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

How Many Parts In A Triumph Herald Heater?

April 4, 2017 by Jenny List 67 Comments

This Herald is in much better condition than my 12/50 was. Philafrenzy [CC BY-SA 4.0]

What was your first car? Mine was a 1965 Triumph Herald 12/50 in conifer green, and to be frank, it was a bit of a dog.

The Triumph Herald is a small saloon car manufactured between about 1959 and 1971. If you are British your grandparents probably had one, though if you are not a Brit you may have never heard of it. Americans may be familiar with the Triumph Spitfire sports car, a derivative on a shortened version of the same platform. It was an odd car even by the standards of British cars of the 1950s and 1960s. Standard Triumph, the manufacturer, had a problem with their pressing plant being owned by a rival, so had to design a car that used pressings of a smaller size that they could do in-house. Thus the Herald was one of the last British mass-produced cars to have a separate chassis, at a time when all other manufacturers had produced moncoques for years.

My 12/50 was the sporty model, it had the high-lift cam from the Spitfire and a full-length Britax sunroof. It was this sunroof that was its downfall, when I had it around a quarter century of rainwater had leaked in and rotted its rear bodywork. This combined with the engine being spectacularly tired and the Solex carburetor having a penchant for flooding the engine with petrol made it more of a pretty thing to look at than a useful piece of transport. But I loved it, tended it, and when it finally died irreparably I broke it for parts. Since then I’ve had four other Heralds of various different varieties, and the current one, a 1960 Herald 948, I’ve owned since the early 1990s. A piece of advice: never buy version 0 of a car.

Continue reading “How Many Parts In A Triumph Herald Heater?” →

Build Your Own Animated Turn Signals

March 13, 2017 by Lewin Day 79 Comments

Automotive lighting used to be strictly controlled, particularly in the United States — anyone remember sealed beam headlamps? These days, pretty much anything goes. You can even have an animated turn signal, because a simple flash isn’t fancy enough these days. You can get a scanning-LED turn signal on your new model Audi, among others. [Shravan] wanted this on their Mazda and set about building an animated turn signal and daytime running lights setup for their car.

It’s not a complicated build by any means; an off-the-shelf WS2812B strip provides the blinkums, an Arduino Nano the smarts. Using a modified library to drive the LEDs allowed [Shravan] to get things running with a minimum of fuss. We’d love to see a little more of the gritty reality of this build — how the Nano is getting directional signals from the car, and how it’s all wired up and bolted on. When you’re installing custom hardware onto a vehicle, the devil really is in the details. It’s supremely difficult to create something that looks tidy and functions well.

It’s amazing to think about how far we’ve come. When high-brightness LEDs first came on to the market in the 1990s, you would have been on the hook for wiring your own loom to connect the 20+ LEDs, building your own driver circuitry, and likely etching a custom PCB — all the while you programmed a PIC in assembly as it dangled off a parallel-port programmer. But then again, our cave-dwelling ancestors didn’t even have matches. Time marches on. Use today’s technology to build the very best things you can.

We love seeing car mods, particularly those that are well executed. Check out [Dave]’s interior lighting mods to the Nissan Juke — a car this writer has weighty opinions about. Video after the break.

Continue reading “Build Your Own Animated Turn Signals” →

Reverse Engineering The Smart ForTwo CAN Bus

February 28, 2017 by Lewin Day 33 Comments

The CAN bus has become a defacto standard in modern cars. Just about everything electronic in a car these days talks over this bus, which makes it fertile ground for aspiring hackers. [Daniel Velazquez] is striking out in this area, attempting to decode the messages on the CAN bus of his Smart ForTwo.

[Daniel] has had some pitfalls – first attempts with a Beaglebone Black were somewhat successful in reading messages, but led to strange activity of the car and indicators. This is par for the course in any hack that wires into an existing system – there’s a high chance of disrupting what’s going on leading to unintended consequences.

Further work using an Arduino with the MCP_CAN library netted [Daniel] better results, but it would be great to understand precisely why the BeagleBone was causing a disturbance to the bus. Safety is highly important when you’re hacking on a speeding one-ton metal death cart, so it pays to double and triple check everything you’re doing.

Thus far, [Daniel] is part way through documenting the messages on the bus, finding registers that cover the ignition and turn signals, among others. Share your CAN hacking tips in the comments. For those interested in more on the CAN bus, check out [Eric]’s great primer on CAN hacking – and keep those car hacking projects flowing to the tip line!

Tesla Model S Battery Pack Teardown

February 28, 2017 by Jenny List 78 Comments

We’ve heard a lot about the Tesla Model S over the last few years, it’s a vehicle with a habit of being newsworthy. And as a fast luxury electric saloon car with a range of over 300 miles per charge depending on the model, its publicity is deserved, and that’s before we’ve even mentioned ~~autonomous driving~~ driver-assist. Even the best of the competing mass-produced electric cars of the moment look inferior beside it.

Tesla famously build their battery packs from standard 18650 lithium-ion cells, but it’s safe to say that the pack in the Model S has little in common with your laptop battery. Fortunately for those of a curious nature, [Jehu Garcia] has posted a video showing the folks at EV West tearing down a Model S pack from a scrap car, so we can follow them through its construction.

The most obvious thing about this pack is its sheer size, this is a large item that takes up most of the space under the car. We’re shown a previous generation Tesla pack for comparison, that is much smaller. Eye-watering performance and range come at a price, and we’re seeing it here in front of us.

The standard of construction appears to be very high indeed, which makes sense as this is not merely a performance part but a safety critical one. Owners of mobile phones beset by fires will testify to this, and the Tesla’s capacity for conflagration or electrical hazard is proportionately larger. The chassis and outer cover are held together by a huge array of bolts and Torx screws, and as they comment, each one is marked as having been tightened to a particular torque setting.

Under the cover is a second cover that is glued down, this needs to be carefully pried off to reveal the modules and their cells. The coolant is drained, and the modules disconnected. This last task is particularly hazardous, as the pack delivers hundreds of volts DC at a very low impedance. Then each of the sixteen packs can be carefully removed. The packs each contain 444 cells, the pack voltage is 24 V, and the energy stored is 5.3 kWh.

The video is below the break. We can’t help noticing some of the rather tasty automotive objects of desire in their lot.

Continue reading “Tesla Model S Battery Pack Teardown” →

How To Put A Jag On Your School Roof

February 28, 2017 by Jenny List 33 Comments

Did you ever commit any pranks in your time at high school, college, or university? Maybe you moss-painted a rude word on the wall somewhere, or put a design in a sports field with herbicide, or even worse, slow-release fertiliser. [Roman Kozak] and his friends went far further than that last summer when they replicated some of the most famous student pranks; they put a Jaguar S type car on the roof of their school. And now the dust has settled, he’s posted an account of how they did it.

Of course, putting a car on the roof is a significant challenge, particularly when you only have the resources of a high-school student. Ensuring the roof was strong enough for a car, and then hiring a crane to do the deed, was beyond them. They therefore decided to take the wheels and outer body panels of a car and mount them on a wooden frame to give the appearance of a car.

They needed a statement vehicle and they didn’t have a huge budget, so it took them a while to spot a for-parts Jaguar S type which when it came into their possession they found only had a fault with its reverse gear. Some hard work removed the panels, and the rest of the car was taken for scrap.

Frenetic work as the term end approached gave them their frame, and a daring midnight raid was mounted to winch the parts to the roof with a pulley. The result was so popular with their classmates and teachers that they owned up to the prank rather than preserve their anonymity. We think these young scamps will go far.

This is definitely the first car-on-roof prank we’ve brought you on Hackaday, but it’s not the first to be done. [Roman] and his friends cited an MIT prank as their inspiration, but the daddy of car-on-roof stunts has to go to Cambridge University students in the 1950s. Their Austin might be a lot smaller than the MIT Chevy or [Roman]’s Jag, but they got it onto their roof in one piece as a full car rather than a facsimile of one.

Important note: The author would like to state for the record that she and her friends were somewhere else entirely and had solid alibis when in summer 1993 the logo of Hull University Union Technical Committee appeared in the lawn outside Hull University Union. We’re sure that commenters will be anxious to set their own records straight for posterity in a similar manner.

Audi Engineer Exposes Cheat Order

February 27, 2017 by Mike Szczys 88 Comments

In an interesting turn of events last week in a German court, evidence has materialized that engineers were ordered to cheat emissions testing when developing automotive parts.

Last Tuesday, Ulrich Weiß brought forward a document that alleges Audi Board of Director members were involved in ordering a cheat for diesel emissions. Weiß was the head of engine development for Audi, suspended in November of 2015 but continued to draw more than half a million dollars in salary before being fired ~~after~~ prior to last week’s court testimony.

Volkswagen Group is the parent company of Audi and this all seems to have happened while the VW diesel emissions testing scandal we’ve covered since 2015 was beginning to come to light. Weiß testified that he was asked to design a method of getting around strict emissions standards in Hong Kong even though Audi knew their diesel engines weren’t capable of doing so legitimately.

According to Weiß, he asked for a signed order. When he received that order he instructed his team to resist following it. We have not seen a copy of the letter, but the German tabloid newspaper Bild reports that the letter claims approval by four Audi board members and was signed by the head of powertrain development at the company.

Hackaday was unable to locate any other sources reporting on the letter other than the Bild article we have linked to (also the source used in the Forbes article above). Sources such as Die Welt reference only “internal papers”. If you know of other reporting on the topic please leave a comment about it below.