New-Tech Europe | December 2016 | Didital Edition

allow traffic in from outside but they did allow one Sprint device to talk to another. So they bought a Sprint phone and could find vulnerable cars, get them to send their VIN, and find out what model they were. So they knew all the vulnerable cars but were limited to controlling the head unit. Charlies was tempted to hack into a Dodge Viper (a $100K+ car) and turn the radio up to full volume, but he resisted the temptation. But how could they really take control? Changing the radio channel is not much more than a prank. head unit subsystemsInside the head unit were two subsystems. One was an ARM-based OMAP system, the other was V850-based (you've probably never heard of this but I know from my VaST days that this is an NEC processor widely used in automotive). The ARM system, to which the radio was connected, couldn't access the CAN bus, only the V850 one. But it turns out that the ARM system can reflash the V850 one, and the code is not signed. Of course, if you try this and get it wrong, it bricks the whole head unit and you have to go back to the dealer to get it replaced. ("It's a real lemon, this car.") Eventually they got the brakes to work and so on. You might ask, as they did, why the head unit is connected to the CAN bus at all. But people like speed- compensated volume (it turns up the volume as the car goes faster). People like being able to use their iPhone to start the car and get it warmed up. Cars are only going to get more connected. The Wired article and video were made in the middle of this when they could control things like the radio and climate control, and also steering and brakes at low speed.

Figure 2.

Figure 3. ARM-based OMAP system

jeep head unit The Jeep had lots of computers. The big one in the middle of the dashboard is known as the head unit. When Charlie and Chris started, they thought it would take a year or two to find and exploit a vulnerability. But they found something in three weeks and it took five minutes to exploit it. It wasn't even really an exploit since they found an internet-facing interface that had a method called "execute". You gave it a command, it would execute it. Inside the head-unit, there was a cellular modem connected to the Sprint network. Sprint wouldn't

outside world in various ways such as WiFi for passengers, wireless tire pressure monitoring, OnStar. So there were lots of signals coming into the car from outside. But people also wanted features like automatic emergency braking (AEB), lane following, autoparking. These mean that there is a computer than can control the brakes and control the steering wheel. Adaptive cruise control means there is a computer that controls how fast you are going. Lots of features. Or, as they call features in the security world, targets.

42 l New-Tech Magazine Europe