Quick And Dirty Immobilizer Hack Lets You Use Cheaper Dumb Keys

Car enthusiasts can find themselves in a pickle if they’re into cars from the 80s and 90s. These vehicles are much beloved by some, but one can find themselves having to fork out immense amounts of money for repairs and out-of-production parts. Once a car passes that 15 year milestone, suddenly manufacturer support can start to dry up. Even just getting a set of keys can be a problem.

Modern cars tend to use a small chip implanted in the key as a security measure. This chip functions similarly to an RFID chip, being energised by the car’s reader when the driver turns the key in the ignition. If the chip returns the right code, the computer allows the car to start. Getting a new key cut and recoded is expensive, particularly on older cars. Naturally though, there’s a way to hack around the problem.

The trick is to perform surgery on an existing good key, to extract the working chip inside. This chip can then be permanently affixed to the immobilizer’s antenna in the steering column. This allows the driver to use any properly cut “dumb” key to start the car, as the chip will always provide the right signal at startup. It takes some finesse to avoid damaging the delicate chip inside and to know where to look – but with a little work, it’s achievable by even the novice hacker.

It’s a simple hack that can save hundreds of dollars, and is a great way to keep your modern classic on the road for cheap. You can always take things a step further though, and CNC yourself a key from scratch if you’re so inclined.

Turning A Car Into A Computer Mouse

[William Osman] and [Simone Giertz] have graced our pages before, both with weird, wacky and wonderful hacks so it’s no surprise that when they got together they did so to turn Simone’s car into a computer mouse. It’s trickier than you might think.

They started by replacing the lens of an optical mouse with a lens normally used for a security camera. Surprisingly, when mounted to the car’s front bumper it worked! But it wasn’t ideal. The problem lies in that to move a mouse cursor sideways you have to move the mouse sideways. However, cars don’t move sideways, they turn by going in an arc. Move your mouse in an arc right now without giving it any sideways motion and see what happens. The mouse cursor on the screen moves vertically up or down the screen, but not left or right. So how to tell if the car is turning? For that, they added a magnetometer. The mouse then gives the distance the car moved and the magnetometer gives the heading, or angle. With some simple trigonometry, they calculate the car’s coordinates.

The mouse click is done using the car’s horn, but details are vague there.

And yes, using the carmouse is as fun as it sounds, though we still don’t recommend texting while driving using this technique. Watch them in the videos below as they write an email and drive a self-portrait of the car.


Salvaging Your Way To A Working Tesla Model S For $6500

If you possess modest technical abilities and the patience of a few dozen monks, with some skillful haggling you can land yourself some terrific bargains by salvaging and repairing. This is already a well-known ideology when it comes to sourcing things like electronic test gear, where for example a non-working unit might be purchased from eBay and fixed for the price of a few passive components.

[Rich] from Car Guru has taken this to a whole new level by successfully salvaging a roadworthy Tesla Model S for $6500!

Sourcing and rebuilding a car is always a daunting project, in this case made even more challenging because the vehicle in question is a fairly recent, state-of-the-art electric vehicle. The journey began by purchasing a black Tesla Model S that [Rich] affectionately refers to as Delorean. This car had severe water damage rendering most of its electronics and mechanical fasteners unreliable, so [Rich’s] plan was to strip this car of all such parts, and sell what he could to recover the cost of his initial purchase. After selling the working modules of the otherwise drenched battery, motor and a few other bells and whistles, his initial monetary investment was reduced to the mere investment of time.

With an essentially free but empty Tesla shell in his possession, [Rich] turned his attention to finding a suitable replacement for the insides. [Rich] mentions that Tesla refused to sell spare parts for such a project, so his only option was to purchase a few more wrecked vehicles. The most prominent of these wrecks was nicknamed Slim Shady. This one had an irreparable shell but with most electronics preserved, and would serve as the donation vehicle. After painstakingly transplanting all the required electronics and once again selling what he did not need, his net investment came to less than 10% of a new car!

Was all of the effort worth it? We certainly think it was! The car was deemed roadworthy and even has functioning Supercharging capabilities, which according to [Rich] are disabled by Tesla if such a Frankenstein build is detected.

At this point it would probably be instructive to ask [Rich] if he would do it again, but he is already at it, this time salvaging the faster self driving P86. We suggest you stay tuned.

[Thank you to Enio Fernandes for sending in the tip]


Blackberry Eyes Up Car Anti-Virus Market

[Reuters] reports that BlackBerry is working with at least two car manufacturers to develop a remote malware scanner for vehicles. On finding something wrong, the program would then tell drivers to pull over if they were in critical danger.

The service would be able to install over-the-air patches to idle cars and is being tested by Aston Martin and Range Rover. The service could be active as early as next year, earning BlackBerry around $10 a month per vehicle.

Since the demise of BlackBerry in the mobile phone sector, they’ve been hard at work refocusing their attention on new emerging markets. Cars are already rolling computers, and now they’re becoming more and more networked with Bluetooth and Internet connections. This obviously leaves cars open to new types of attacks as demonstrated by [Charlie Miller] and [Chris Valasek]’s hack that uncovered vulnerabilities in Jeeps and led to a U.S. recall of 1.4 million cars.

BlackBerry seem to be hedging their bets on becoming the Kingpin of vehicle anti-virus. But do our cars really belong on the Internet in the first place?

Car Security Experts Dump All Their Research And Vulnerabilities Online

[Charlie Miller] and [Chris Valasek] have just released all their research including (but not limited to) how they hacked a Jeep Cherokee after the newest firmware updates, which were rolled out in response to their hacking of a Cherokee in 2015.

FCA, the corporation that owns Jeep, had to recall 1.5 million Cherokees to deal with the 2015 hack, issuing them all a patch. However, the patch wasn’t all that great: once exploited, it actually gave [Charlie] and [Chris] even more control of the car than they had in the first place. The papers they have released are a goldmine for anyone interested in hacking or even just messing around with cars via the CAN bus. They go on to chronicle multiple hacks, from changing the speedometer to remotely controlling a car through CAN message injection. And this release isn’t limited to Jeep. The research covers a massive number of topics on a number of different cars and models, so if you want to play around with your car this is the car hacking bible you have been waiting for.

Jeep are not too happy about the whole situation. The dump includes a lot of background for vehicles by multiple manufacturers. But the 2015 hack was prominent and has step-by-step instructions. Their statement on the matter is below.

Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

We anticipate seeing an increasing number of security related releases and buzz as summer approaches. It is, after all, Network Security Theatre season.

Stealing Cars For 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.

The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, is the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over the Internet instead of radio.

The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk.  We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.
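How far the 27 ms window stretches, and how tight a shortened timeout would have to be, worked through as an added example (not from the [UnicornTeam] talk or the original post). The fob processing time and relay overhead are assumed values chosen for illustration; only the 27 ms timeout and the 100 m and 320 m ranges come from the article.

```python
# Added example: timing budget of a relayed passive-keyless-entry exchange.
# FOB_PROCESSING_MS and RELAY_OVERHEAD_MS are assumed values for illustration.
C = 299_792_458.0          # speed of light, m/s: the floor on any relay's delay
FOB_PROCESSING_MS = 5.0    # assumed time the fob needs to compute its answer
RELAY_OVERHEAD_MS = 1.0    # assumed decode/re-encode delay of the two relay radios


def round_trip_ms(distance_m, relay_overhead_ms=0.0):
    """Challenge-to-response time seen by the car for a fob distance_m away."""
    propagation_ms = 2 * distance_m / C * 1000.0
    return propagation_ms + FOB_PROCESSING_MS + relay_overhead_ms


def car_accepts(distance_m, timeout_ms, relay_overhead_ms=0.0):
    """Car-side rule: the response only counts if it arrives inside the timeout."""
    return round_trip_ms(distance_m, relay_overhead_ms) <= timeout_ms


def max_relay_distance_m(timeout_ms, relay_overhead_ms=RELAY_OVERHEAD_MS):
    """Largest car-to-fob separation that still beats the timeout via a relay."""
    slack_ms = timeout_ms - FOB_PROCESSING_MS - relay_overhead_ms
    return max(0.0, slack_ms / 1000.0 * C / 2)


def slack_needed_us(distance_m):
    """Timing slack (microseconds) that is enough to cover distance_m both ways."""
    return 2 * distance_m / C * 1e6


def audit(timeouts_ms):
    """Map each candidate timeout to the relay distance it still permits."""
    return {t: max_relay_distance_m(t) for t in timeouts_ms}


if __name__ == "__main__":
    for timeout, reach in audit([27.0, 10.0, 6.1, 6.001]).items():
        print(f"timeout {timeout:>6} ms -> relay reach {reach / 1000:10.3f} km")
    for d in (320, 100, 2):
        print(f"{d:>4} m is covered by {slack_needed_us(d):.3f} us of slack")
```

Under these assumed delays the 27 ms window is nowhere near the limiting factor at 320 m, and a shortened timeout only starts to bound distance once it sits within microseconds of the fob's own response time.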

[via Wired]

How Those Hackers Took Complete Control Of That Jeep

It was an overcast day with temperatures in the mid seventies – a perfect day to take your brand new Jeep Cherokee for a nice relaxing drive. You and your partner buckle in and find yourselves merging onto the freeway just a few minutes later.  You take in the new car smell as your partner fiddles with the central touch screen display.

“See if it has XM radio,” you ask as you play with the headlight controls.

Seconds later, a Taylor Swift song begins to play. You both sing along as the windows come down. “Life doesn’t get much better than this,” you think. Unfortunately, the fun would be short lived. It started with the windshield wipers coming on – the dry rubber-on-glass making a horrible screeching sound.

“Hey, what are you doing!”

“I didn’t do it….”

You verify the windshield wiper switch is in the OFF position. You switch it on and off a few times, but it has no effect. All of a sudden, the radio shuts off. An image of a skull and wrenches logo appears on the touchscreen. Rick Astley’s “Never Gonna Give You Up” begins blaring out of the speakers, and the four doors lock in perfect synchronization. The AC fans come on at max settings while at the same time, you feel the seats getting warmer as they too are set to max. The engine shuts off and the vehicle shifts into neutral. You hit the gas pedal, but nothing happens. Your brand new Jeep rolls to a halt on the side of the freeway, completely out of your control.

Sound like something out of a Hollywood movie? Think again.

[Charlie Miller], a security engineer for Twitter and [Chris Valasek], director for vehicle safety research at IOActive, were able to hack into a 2014 Jeep Cherokee via its wireless on-board entertainment system from their basement. A feature called UConnect, which allows the vehicle to connect to the internet via a cellular connection, has one of those things you might have heard of before – an IP address. Once the two hackers had this address, they had the ‘digital keys’ to the Jeep. From there, [Charlie] and [Chris] began to tinker with the various firmwares until they were able to gain access to the vehicle’s CAN bus. This gives them the ability to control many of the car’s functions, including (under the right conditions) the ability to kill the brakes and turn the steering wheel. You probably already have heard about the huge recall Chrysler issued in response to this vulnerability.

But up until this weekend we didn’t know exactly how it was done. [Charlie] and [Chris] documented their exploit in a 90 page white paper (PDF) and spoke at length during their DEF CON talk in Las Vegas. That video was just published last night and is embedded below. Take a look and you’ll realize how much work they did to make all this happen. Pretty amazing.
