
outside world in various ways such as WiFi for passengers, wireless tire pressure monitoring, OnStar. So there were lots of signals coming into the car from outside. But people also wanted features like automatic emergency braking (AEB), lane following, autoparking. These mean that there is a computer that can control the brakes and control the steering wheel. Adaptive cruise control means there is a computer that controls how fast you are going. Lots of features. Or, as they call features in the security world, targets.

jeep head unit

The Jeep had lots of computers. The big one in the middle of the dashboard is known as the head unit. When Charlie and Chris started, they thought it would take a year or two to find and exploit a vulnerability. But they found something in three weeks and it took five minutes to exploit it. It wasn't even really an exploit since they found an internet-facing interface that had a method called "execute". You gave it a command, it would execute it. Inside the head unit, there was a cellular modem connected to the Sprint network. Sprint wouldn't allow traffic in from outside but they did allow one Sprint device to talk to another. So they bought a Sprint phone and could find vulnerable cars, get them to send their VIN, and find out what model they were. So they knew all the vulnerable cars but were limited to controlling the head unit. Charlie was tempted to hack into a Dodge Viper (a $100K+ car) and turn the radio up to full volume, but he resisted the temptation. But how could they really take control? Changing the radio channel is not much more than a prank.

head unit subsystems

Inside the head unit were two subsystems. One was an ARM-based OMAP system, the other was V850-based (you've probably never heard of this but I know from my VaST days that this is an NEC processor widely used in automotive). The ARM system, to which the radio was connected, couldn't access the CAN bus; only the V850 one could. But it turns out that the ARM system can reflash the V850 one, and the code is not signed. Of course, if you try this and get it wrong, it bricks the whole head unit and you have to go back to the dealer to get it replaced. ("It's a real lemon, this car.") Eventually they got the brakes to work and so on.
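As an added illustration (not from the talk and not the vehicle's own software), this is the kind of check a receiving processor can make before accepting a reflash image, written in Python. The container layout, key handling and function names are constructed for the example, and HMAC-SHA256 from the standard library stands in for the asymmetric signature a production updater would normally use, so that the device holds only a public key.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not the real head-unit format):
# magic(4) | version(u32 BE) | payload_len(u32 BE) | tag(32) | payload
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII32s")


def _tag(key: bytes, version: int, payload: bytes) -> bytes:
    # The tag covers version and length as well as the payload, so neither
    # field can be altered without invalidating it.
    signed = struct.pack(">4sII", MAGIC, version, len(payload)) + payload
    return hmac.new(key, signed, hashlib.sha256).digest()


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: wrap a payload in the authenticated container."""
    return HEADER.pack(MAGIC, version, len(payload), _tag(key, version, payload)) + payload


def accept_image(key: bytes, installed_version: int, image: bytes) -> bytes:
    """Receiving side: return the payload to flash, or raise ValueError."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    magic, version, length, tag = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    if magic != MAGIC:
        raise ValueError("bad magic")
    if length != len(payload):
        raise ValueError("length mismatch")
    # Authenticate before trusting the version field; constant-time compare.
    if not hmac.compare_digest(tag, _tag(key, version, payload)):
        raise ValueError("authentication failed")
    if version <= installed_version:
        raise ValueError("rollback rejected")
    return payload


def check(key: bytes, installed_version: int, image: bytes) -> str:
    """Return 'accepted' or the reason the image was refused."""
    try:
        accept_image(key, installed_version, image)
        return "accepted"
    except ValueError as exc:
        return str(exc)
```

An image with no valid tag, a modified payload, or a version no newer than the installed one is refused before anything is written to flash.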

You might ask, as they did, why the head unit is connected to the CAN bus at all. But people like speed-compensated volume (it turns up the volume as the car goes faster). People like being able to use their iPhone to start the car and get it warmed up. Cars are only going to get more connected.

The Wired article and video were made in the middle of this when they could control things like the radio and climate control, and also steering and brakes at low speed.

Figure 2.

Figure 3. ARM-based OMAP system

42 l New-Tech Magazine Europe