outside world in various ways such as WiFi for passengers, wireless tire pressure monitoring, OnStar. So there were lots of signals coming into the car from outside. But people also wanted features like automatic emergency braking (AEB), lane following, autoparking. These mean that there is a computer that can control the brakes and control the steering wheel. Adaptive cruise control means there is a computer that controls how fast you are going. Lots of features. Or, as they call features in the security world, targets.
[Figure: Jeep head unit]
The Jeep had lots of computers. The big one in the middle of the dashboard is known as the head unit. When Charlie and Chris started, they thought it would take a year or two to find and exploit a vulnerability. But they found something in three weeks and it took five minutes to exploit it. It wasn't even really an exploit since they found an internet-facing interface that had a method called "execute". You gave it a command, it would execute it. Inside the head unit, there was a cellular modem connected to the Sprint network. Sprint wouldn't allow traffic in from outside but they did allow one Sprint device to talk to another. So they bought a Sprint phone and could find vulnerable cars, get them to send their VIN, and find out what model they were. So they knew all the vulnerable cars but were limited to controlling the head unit. Charlie was tempted to hack into a Dodge Viper (a $100K+ car) and turn the radio up to full volume, but he resisted the temptation. But how could they really take control? Changing the radio channel is not much more than a prank.
[Figure: head unit subsystems]
Inside the head unit were two subsystems. One was an ARM-based OMAP system, the other was V850-based (you've probably never heard of this but I know from my VaST days that this is an NEC processor widely used in automotive). The ARM system, to which the radio was connected, couldn't access the CAN bus; only the V850 one could. But it turns out that the ARM system can reflash the V850 one, and the code is not signed. Of course, if you try this and get it wrong, it bricks the whole head unit and you have to go back to the dealer to get it replaced. ("It's a real lemon, this car.") Eventually they got the brakes to work and so on.
You might ask, as they did, why the head unit is connected to the CAN bus at all. But people like speed-compensated volume (it turns up the volume as the car goes faster). People like being able to use their iPhone to start the car and get it warmed up. Cars are only going to get more connected.
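The point above, that the head unit needs very little from the CAN bus, can be expressed as a default-deny filter on a gateway between the two. This is an added example, not code from the article or from any vehicle; it assumes a separate gateway ECU (not the head unit itself), and the CAN IDs, frame lengths and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Direction of a frame crossing the (assumed) gateway ECU. */
typedef enum { TO_HEAD_UNIT, FROM_HEAD_UNIT } can_dir_t;

typedef struct {
    uint32_t id;      /* 11-bit CAN identifier */
    uint8_t  dlc;     /* payload length, 0..8 */
    uint8_t  data[8];
} can_frame_t;

typedef struct {
    can_dir_t dir;
    uint32_t  id;
    uint8_t   dlc;    /* exact payload length required */
} gw_rule_t;

/* Constructed IDs for illustration; real IDs are vehicle-specific. */
#define ID_VEHICLE_SPEED 0x3E9u /* read by speed-compensated volume */
#define ID_REMOTE_START  0x2A0u /* phone-initiated start request */
#define ID_BRAKE_COMMAND 0x0F1u /* matches no rule, so it is dropped */

static const gw_rule_t GW_ALLOW[] = {
    { TO_HEAD_UNIT,   ID_VEHICLE_SPEED, 2 },
    { FROM_HEAD_UNIT, ID_REMOTE_START,  1 },
};

/* Default deny: forward only if direction, ID and length match a rule. */
bool gw_should_forward(can_dir_t dir, const can_frame_t *f)
{
    if (f == NULL || f->id > 0x7FFu || f->dlc > 8)
        return false;
    for (size_t i = 0; i < sizeof GW_ALLOW / sizeof GW_ALLOW[0]; i++) {
        const gw_rule_t *r = &GW_ALLOW[i];
        if (r->dir == dir && r->id == f->id && r->dlc == f->dlc)
            return true;
    }
    return false;
}

/* Count frames in a batch that would be dropped (for logging/alerting). */
size_t gw_count_dropped(can_dir_t dir, const can_frame_t *frames, size_t n)
{
    size_t dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (!gw_should_forward(dir, &frames[i]))
            dropped++;
    return dropped;
}
```

With this policy the head unit can still read vehicle speed and request a remote start, while any other frame it emits never reaches the vehicle bus and shows up in the drop count.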
The Wired article and video were made in the middle of this when they could control things like the radio and climate control, and also steering and brakes at low speed.
Figure 2.
Figure 3. ARM-based OMAP system
42 l New-Tech Magazine Europe