car security

5 Articles

Hacking Kia: Remotely Hijack A Car Using Only Its License Plate

September 27, 2024 by 55 Comments

These days everything needs to be connected to remote servers via the internet, whether it’s one’s TV, fridge or even that new car you just bought. A recently discovered (and already patched) vulnerability concerning Kia cars was a doozy in this regard, as a fairly straightforward series of steps allowed for any attacker to obtain the vehicle identification number (VIN) from the license plate, and from there become registered as the car’s owner on Kia’s network. The hack and the way it was discovered is described in great detail on [Sam Curry]’s website, along with the timeline of its discovery.

Notable is that this isn’t the first vulnerability discovered in Kia’s HTTP-based APIs, with [Sam] this time taking a poke at the dealer endpoints. To his surprise, he was able to register as a dealer and obtain a valid session ID using which he could then proceed to query Kia’s systems for a user’s registered email address and phone number.

With a specially crafted tool to automate the entire process, this information was then used to demote the car’s owner and register the attacker as the primary owner. After this the attacker was free to lock/unlock the doors, honk to his heart’s content, locate the car and start/stop the vehicle. The vulnerability affected all Kia cars made after 2013, with the victim having no indication of their vehicle having been hijacked in this manner. Aside from the doors randomly locking, the quaint honking and engine turning on/off at a whim, of course.

Perhaps the scariest part about this kind of vulnerability is that it could have allowed an attacker to identify a vulnerable parked car, gained access, before getting into the car, starting the engine and driving away. As long as these remote APIs allow for such levels of control, one might hope that one day car manufacturers will take security somewhat more serious, as this is only the latest in a seemingly endless series of amusingly terrifying security vulnerabilities that require nothing more than some bored hackers with HTTP query crafting tools to discover.

Continue reading “Hacking Kia: Remotely Hijack A Car Using Only Its License Plate”

Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

March 8, 2024 by 7 Comments

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern day cars more secure. This standard adds a MAC (message authentication code) to the CAN messages, which can be used to validate that these messages come from a genuine part of the car, and not from a car thief or some third-party peripheral.

To check that it isn’t possible to circumvent SecOC, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, as one of the first cars to implement this new security standard.

The 2021 Toyota RAV4 Prime's power steering unit on the examination bench. (Credit: Willem Melching)
The 2021 Toyota RAV4 Prime’s power steering unit on the examination bench. (Credit: Willem Melching)

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS Renesas RH850/P1M-E MCU via a voltage fault injection, the AES-based encryption routines were identified, but no easy exploits found in the main application. This left the bootloader as the next target.

Ultimately they managed to reverse-engineer the bootloader to determine how the update procedure works, which enabled them to upload shellcode. This script then enabled them to extract the SecOC keys from RAM and send these over the CAN bus. With these keys the path is thus opened to allow any device to generate CAN messages with valid SecOC MACs, effectively breaking encryption. Naturally, there are many caveats with this discovery.

Continue reading “Extracting SecOC Keys From A 2021 Toyota RAV4 Prime”

Honda Headunit Reverse Engineering, And The Dismal State Of Infotainment Systems

June 27, 2023 by 47 Comments

These days the dozen or so ECUs in an average car are joined by an infotainment system of some type, which are typically a large touch screen on the dashboard (the headunit) and possibly a couple of auxiliary units for the rear seats. These infotainment systems run anything from QNX to (Yocto) Linux or more commonly these days some version of Android. As [Eric McDonald] discovered with his 2021 Honda Civic, its headunit runs an archaic Android dating back to roughly 2012.

While this offers intriguing options with gaining root access via decade-old exploits that the car manufacturer never fixed, as [Eric] notes, this is an advantage that anyone who can gain access to the car’s CAN buses via e.g. the headlights, a wireless access point, or even inject an exploit via ADB radio can use to their advantage. Essentially, these infotainment systems are massive attack surfaces with all of their wired and wireless interfaces, combined with outdated software that you as the vehicle owner are forbidden to meddle with by the manufacturer.

Naturally taking this ‘no’ as a challenge as any civilized citizen would, [Eric] set out to not only root the glorified Android tablet that Honda seeks to pass off as a ‘modern infotainment system’, but also reverse-engineer the system as far as possible and documenting the findings on GitHub. As [Eric] also explains in a Hacker News discussion, his dream is to not only have documentation available for infotainment systems in general as a community effort, but also provide open source alternatives that can be inspected by security researchers rather than being expected to lean on the ‘trust me bro’ security practices of the average car manufacturer.

Although a big ask considering how secretive car manufacturers are, this would seem to be an issue that we should tackle sooner rather than later, as more and more older cars turn into driving security exploits just waiting to happen.

Just In Case You Want To Charge Your Neighbor’s Tesla

April 8, 2022 by 67 Comments

Tesla vehicles have a charging port that is under a cover that only opens on command from a charging station. Well, maybe not only. [IfNotPike] reports that he was able to replay the 315MHz signal using a software defined radio and pop the port open on any Tesla he happened to be near.

Apparently, opening the charging port isn’t the end of the world since there isn’t much you can do with the charging port other than charging the car. At least, that we know of. If history shows anything, it is that anything you can get to will be exploited eventually.

Continue reading “Just In Case You Want To Charge Your Neighbor’s Tesla”

Blackberry Eyes Up Car Anti-Virus Market

May 19, 2017 by 73 Comments

[Reuters] reports that BlackBerry is working with at least two car manufacturers to develop a remote malware scanner for vehicles, On finding something wrong the program would then tell drivers to pull over if they were in critical danger.

The service would be able to install over-the-air patches to idle cars and is in testing phase by Aston Martin and Range Rover. The service could be active as early as next year, making BlackBerry around $10 a month per vehicle.

Since the demise of BlackBerry in the mobile phone sector, they’ve been hard at work refocusing their attention on new emerging markets. Cars are already rolling computers, and now they’re becoming more and more networked with Bluetooth and Internet connections. This obviously leaves cars open to new types of attacks as demonstrated by [Charlie Miller] and [Chris Valasek]’s hack that uncovered vulnerabilities in Jeeps and led to a U.S. recall of 1.4 million cars.

BlackBerry seem to be hedging their bets on becoming the Kingpin of vehicle anti-virus. But do our cars really belong on the Internet in the first place?