Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern day cars more secure. This standard adds a MAC (message authentication code) to the CAN messages, which can be used to validate that these messages come from a genuine part of the car, and not from a car thief or some third-party peripheral.

To check that it isn’t possible to circumvent SecOC, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, as one of the first cars to implement this new security standard.

The 2021 Toyota RAV4 Prime's power steering unit on the examination bench. (Credit: Willem Melching)

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS unit's Renesas RH850/P1M-E MCU via voltage fault injection, the AES-based encryption routines were identified, but no easy exploits were found in the main application. This left the bootloader as the next target.

Ultimately they managed to reverse-engineer the bootloader to determine how the update procedure works, which enabled them to upload shellcode. This shellcode then extracted the SecOC keys from RAM and sent them over the CAN bus. With these keys the path is thus opened for any device to generate CAN messages with valid SecOC MACs, effectively breaking SecOC's protection. Naturally, there are many caveats with this discovery.
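As an added illustration of the mechanism described above (not code from the write-up), the following sketches how a SecOC receiver checks a secured CAN PDU: a truncated freshness counter and a truncated MAC are appended to the payload, replays are rejected by the counter, and whoever holds the key can produce a valid trailer, which is why key extraction is decisive. The real primitive is AES-based (AUTOSAR typically specifies AES-CMAC); HMAC-SHA256 stands in here because the Python standard library has no AES, and the 4-bit freshness / 28-bit MAC split, key and data ID are constructed sample values.

```python
import hmac
import hashlib
import struct

# Added example, not from the article. HMAC-SHA256 is an ASSUMED stand-in for
# the AES-based MAC; the framing and freshness logic is what this demonstrates.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
FRESH_BITS = 4    # truncated freshness bits carried in the frame (assumed profile)
MAC_BITS = 28     # truncated MAC bits carried in the frame (assumed profile)
TRAILER_LEN = (FRESH_BITS + MAC_BITS) // 8  # 4 bytes appended to the payload


def mac(key, data_id, payload, freshness):
    """Truncated MAC over data ID || payload || full freshness value."""
    msg = struct.pack(">H", data_id) + payload + struct.pack(">Q", freshness)
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(full, "big") >> (256 - MAC_BITS)


def protect(key, data_id, payload, freshness):
    """Sender side: build payload || truncated freshness || truncated MAC."""
    fresh_low = freshness & ((1 << FRESH_BITS) - 1)
    trailer = (fresh_low << MAC_BITS) | mac(key, data_id, payload, freshness)
    return payload + trailer.to_bytes(TRAILER_LEN, "big")


def verify(key, data_id, secured, last_freshness):
    """Receiver side: return the accepted freshness value, or None on failure."""
    payload = secured[:-TRAILER_LEN]
    trailer = int.from_bytes(secured[-TRAILER_LEN:], "big")
    fresh_low = trailer >> MAC_BITS
    mac_rx = trailer & ((1 << MAC_BITS) - 1)
    # Rebuild the full counter from the receiver's own state plus the received
    # low bits; it must exceed the last accepted value, which defeats replays.
    # A sender that jumps more than 2**FRESH_BITS ahead falls outside this window.
    candidate = (last_freshness & ~((1 << FRESH_BITS) - 1)) | fresh_low
    if candidate <= last_freshness:
        candidate += 1 << FRESH_BITS
    expected = mac(key, data_id, payload, candidate)
    if not hmac.compare_digest(mac_rx.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return candidate
```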

Honda Headunit Reverse Engineering, And The Dismal State Of Infotainment Systems

These days the dozen or so ECUs in an average car are joined by an infotainment system of some type, which typically consists of a large touch screen on the dashboard (the headunit) and possibly a couple of auxiliary units for the rear seats. These infotainment systems run anything from QNX to (Yocto) Linux or, more commonly these days, some version of Android. As [Eric McDonald] discovered with his 2021 Honda Civic, its headunit runs an archaic Android dating back to roughly 2012.

While this offers intriguing options for gaining root access via decade-old exploits that the car manufacturer never fixed, as [Eric] notes, the same advantage is available to anyone who can reach the car’s CAN buses via e.g. the headlights or a wireless access point, or who can inject an exploit via ADB or the radio. Essentially, these infotainment systems are massive attack surfaces with all of their wired and wireless interfaces, combined with outdated software that you as the vehicle owner are forbidden by the manufacturer to meddle with.

Naturally taking this ‘no’ as a challenge, as any civilized citizen would, [Eric] set out to not only root the glorified Android tablet that Honda seeks to pass off as a ‘modern infotainment system’, but also to reverse-engineer the system as far as possible and document the findings on GitHub. As [Eric] also explains in a Hacker News discussion, his dream is not only to have community-maintained documentation for infotainment systems in general, but also to provide open source alternatives that can be inspected by security researchers, rather than having to lean on the ‘trust me bro’ security practices of the average car manufacturer.

Although a big ask considering how secretive car manufacturers are, this would seem to be an issue that we should tackle sooner rather than later, as more and more older cars turn into driving security exploits just waiting to happen.

Just In Case You Want To Charge Your Neighbor’s Tesla

Tesla vehicles have a charging port that is under a cover that only opens on command from a charging station. Well, maybe not only. [IfNotPike] reports that he was able to replay the 315MHz signal using a software defined radio and pop the port open on any Tesla he happened to be near.

Apparently, opening the charging port isn’t the end of the world since there isn’t much you can do with the charging port other than charging the car. At least, that we know of. If history shows anything, it is that anything you can get to will be exploited eventually.

Blackberry Eyes Up Car Anti-Virus Market

[Reuters] reports that BlackBerry is working with at least two car manufacturers to develop a remote malware scanner for vehicles. On finding something wrong, the program would tell drivers to pull over if they were in critical danger.

The service would be able to install over-the-air patches to idle cars and is in the testing phase at Aston Martin and Range Rover. It could be active as early as next year, earning BlackBerry around $10 a month per vehicle.

Since the demise of BlackBerry in the mobile phone sector, they’ve been hard at work refocusing their attention on new emerging markets. Cars are already rolling computers, and now they’re becoming more and more networked with Bluetooth and Internet connections. This obviously leaves cars open to new types of attacks as demonstrated by [Charlie Miller] and [Chris Valasek]’s hack that uncovered vulnerabilities in Jeeps and led to a U.S. recall of 1.4 million cars.

BlackBerry seem to be hedging their bets on becoming the Kingpin of vehicle anti-virus. But do our cars really belong on the Internet in the first place?