Conference DEFCON 27. Your car is my car. Part 1

Talk abstract:

For many of us, a car is one of the most expensive purchases we will ever make. In a world where everything is interconnected, it is only natural to want to control it remotely: get a reminder of where we parked, check whether we forgot to lock the doors, or start the engine ahead of time to warm up or cool down the interior, depending on the season.

Many manufacturers offer aftermarket alarm systems that provide these conveniences and peace of mind. But how far can we trust the providers of the systems that guard access to our cars in the digital domain? In this talk, Jmaxxz describes what he found when he looked into one of them.

Jmaxxz is known for his work on the August Smart Lock smart-home system (DEFCON 24 talk "Backdooring The Frontdoor"). In recent years IoT devices have been the focus of his attention. He took part in the IoT Village zero-day contests at DEFCON 24 and DEFCON 25, and eventually decided it was time to look at an aftermarket automotive product: a remote starter (hereinafter RS).

So, my name is Jmaxxz, I am a programmer by profession and a hacker by vocation. I deal with everything related to locks, and throughout this talk you will hear many statements that express only my opinion and have nothing to do with the opinions of my past, present and future employers. As you have probably guessed, we will talk about cars, namely remote starters and alarm systems. Let's start with the backstory, which matters here, because many people consider such systems an unnecessary luxury.
Where I live it is pretty cold, and my friend has a condition called Raynaud's syndrome. In the cold, the blood vessels of the hands spasm, blood flow to the fingers drops sharply, and symptoms resembling frostbite appear, up to tissue necrosis. The slide shows what it usually looks like.

Last November I still hadn't decided what to give her for Christmas. Then she came home from the airport upset because her car never warmed up on the way home. At that moment I realized that I would give her a remote engine start system, and I began to look for the best option. It turned out that the market for remote starters is quite large, and many manufacturers do not provide enough information about their product.

They do not tell you how to install the system or which tools are used to program the device. That is a problem for me, because it is my car and my remote starter, and I need access to those tools. So I searched a little more and found a Canadian company, Fortin, which makes such starters and willingly provides all the necessary documentation. I settled on this product and started looking for a suitable remote. The thing is, if you use the stock key fob with a remote starter, its range is limited to the range of the stock fob. The aftermarket offers remotes that claim a range of half a mile to a mile and a half. According to consumer reviews this is a marketing claim, and the real range is much shorter. That is a problem, because my friend has to start the car in the airport parking lot as soon as she gets off the plane, which is about half a mile away.

So it would be great if she could just pull out her phone, open the app, and tap "Start Engine." I found a third-party product called MyCar that is fully compatible with the Fortin starter. It is a small fob-sized device with a SIM card and a GPS receiver that you put in the car and connect to the remote starter. Then, from the mobile application, you can remotely start the engine, unlock the doors, and so on.

I thought this would be great: right after the plane lands, my friend can start the engine, and by the time she gets to the car the cabin will already be warm.

So let's talk a little about how remote starters work. To do that, you first need to understand how a car engine starts. Until about the mid-nineties, a car's ignition was a traditional mechanical lock combined with a key switch. You inserted the key and turned it to close the electrical circuit. Then locks marked "immobilizer" became popular in the United States. It sounds fancy, but it is just an electronic lock. So you have a mechanical lock whose key is also the key to an electronic lock: the key carries a transponder with some information that can be read, and until you unlock the electronic lock, the car will not start. On the right side of the slide you see two keys: the left one is for the immobilizer, and the right one is for the regular ignition lock. The right key simply actuates the mechanical components of the lock, while the left key unlocks the electronic lock, which allows the engine to start.

Why am I talking about this? Remote start works through the immobilizer. On the next slide you see a diagram of how the Fortin EVO One device connects to the immobilizer; at the bottom left there is a pair of contacts labeled IMO. At the top right of the diagram you see two lines, CAN LOW and CAN HIGH. These are the pins for connecting to the car's CAN bus. Remote starters connect to the CAN bus to reduce installation cost, because fewer wires have to be run during installation. If the remote starter can read data from the CAN bus or send commands over it, the installation time of the remote start system goes down.

At the top left of the diagram there is a whole set of GPIOs related to controlling the car or reading information from it. For example, you want the headlights to flash or the horn to sound when you press the lock button; things like that are controlled through these GPIOs. At the bottom left of the diagram you see a large, clunky connector: this is the interface that bypasses the mechanical lock. That is, you do not need to insert and turn the key in the ignition, because this interface lets the remote starter's relay drive the electronic lock directly.

The following slides show the installation steps for the remote starter. It basically consists of removing the steering column cover, then installing and wiring the RS unit. It looks pretty intimidating, but it is easy to do.

The remote itself connects to what Fortin calls the data link. The system uses a proprietary protocol over UART (a universal asynchronous receiver-transmitter) running at 9600 baud. The Fortin remote starter simply connects over this UART bus to the two remotes you see on the slide.

After installing the RS, I thought about how such devices affect the security of the car. Obviously the RS has to bypass the immobilizer, so how safe is this with respect to stealing the car or taking over control of it? This concerns not only data sent over the cellular network, but also the remote start signal itself. So I started searching the Internet for information from the manufacturer about the data transfer protocol and ended up on forums where people write that Fortin refuses to provide the protocol. One of the reasons given: "We do not distribute such information because the EVO is not a toy for amateurs; it is intended for use by professionals."

Being somewhat of a professional, I decided to build my own car on the bench. I got hold of a second EVO unit, assembled a circuit board that stood in for the car, added switches to simulate the ignition, a button for the brake pedal, and a whole bunch of LEDs to show various states.

Having put it all together, I hooked up the FTI data link monitoring device and started collecting data. At first it looks something like what is shown on the slide, and it is not entirely clear what is going on. But looking closely, we can say that there is definitely some kind of structure here.

Note that whenever I press a button on my remote, the message that the antenna sends to my RS always starts with 0C and ends with 0D. So if we just split what we captured, assuming that 0C is the beginning and 0D is the end, we get something like this.

Some structure is already clearly visible, so you can work out what is happening. By taking the time to track which message appears when a certain button is pressed, I was able to compile a table of commands, each corresponding to a specific action. That is, when you press a button on the remote, the antenna sends a command to the remote start module that looks like this.

Here is what a typical command structure looks like.

When you press a button on the remote, the antenna sends a command like this to the remote starter. It starts with the byte 0C, followed by 2 bytes which I think represent the transfer direction. This is odd, since the UART already has separate receive and transmit lines, so I marked these bytes as "garbage"; just treat them as a constant. Then comes a single byte indicating the command the user wants to execute: lock the doors, unlock them, turn off the alarm, and so on. In general, everything you want to do remotely maps to this command. The payload FF FF F1 is an address, or identifier, that identifies the remote antenna the message came from. If the RS unit does not recognize the identifier, the command is ignored. If the RS accepts the identifier, a multi-stage procedure begins, which includes checking whether the key is in the ignition, whether the engine is on or off, whether the brake pedal is depressed, and so on. The details of that procedure do not matter here; the point is that this is the moment when the unit checks the ID.

At the end of the message is a checksum byte and a byte marking the end of the command. Now that we understand how the protocol works, what can we do with it? I have a couple of videos on the topic. Unfortunately, for some reason the video plays without sound, so I will describe what is happening on the screen. To the left of the steering column, on the dashboard cover, is a white box containing electronics running Particle.IO firmware that understands the Fortin protocol. The wire with the blue tip is the antenna. This lets me interact with the remote starter box from the cabin of the car and see on the laptop screen what is happening.
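The frame layout just described (0C, two direction bytes, a command byte, a three-byte antenna address such as FF FF F1, a checksum byte, 0D) is simple enough to parse, and doing so makes the security point concrete: the only thing the RS checks before acting is an address that every device on the UART can read. The following is an added example, not the speaker's firmware or Fortin's code. It assumes the fixed nine-byte length implied by the field widths above, runs over a constructed capture rather than a real trace, uses placeholder command byte values (the real ones are not given in the talk), and carries the checksum byte without verifying it, because the talk does not say how it is computed. The `split_frames` resync and the `accepted_by_rs` model of the "unknown address is ignored" rule are mine.

```python
# Added example (not the speaker's or Fortin's code): a parser for the Fortin
# data-link frame layout described in the talk, run over a constructed capture.
# Assumptions: every frame is the fixed 9-byte layout implied by the talk
# (0C | 2 direction bytes | command | 3-byte antenna address | checksum | 0D);
# command byte values and the checksum algorithm are not on the page, so the
# command names are placeholders and the checksum is carried, not verified.
from dataclasses import dataclass
from typing import List, Set

START = 0x0C
END = 0x0D
FRAME_LEN = 9  # 1 start + 2 direction + 1 command + 3 address + 1 checksum + 1 end

# Placeholder command byte values (hypothetical; the real table is not given).
COMMAND_NAMES = {0x30: "lock", 0x31: "unlock", 0x32: "start"}


@dataclass(frozen=True)
class Frame:
    direction: bytes   # the two "garbage" bytes the talk treats as a constant
    command: int
    address: bytes     # 3-byte antenna identifier, e.g. FF FF F1
    checksum: int      # carried through unverified (algorithm not in the talk)

    @property
    def command_name(self) -> str:
        return COMMAND_NAMES.get(self.command, f"unknown(0x{self.command:02X})")


def split_frames(stream: bytes) -> List[bytes]:
    """Resynchronise on 0x0C and accept only 9-byte runs that end in 0x0D.

    A payload byte may itself be 0x0D, so the terminator is checked at the
    fixed offset rather than searched for; noise and partial frames are skipped.
    """
    frames = []
    i = 0
    while i + FRAME_LEN <= len(stream):
        if stream[i] == START and stream[i + FRAME_LEN - 1] == END:
            frames.append(stream[i:i + FRAME_LEN])
            i += FRAME_LEN
        else:
            i += 1  # not a frame start, or a frame that does not line up: slide one byte
    return frames


def parse_frame(raw: bytes) -> Frame:
    """Decode one 9-byte frame into its fields."""
    if len(raw) != FRAME_LEN or raw[0] != START or raw[-1] != END:
        raise ValueError(f"not a data-link frame: {raw.hex()}")
    return Frame(direction=raw[1:3], command=raw[3], address=raw[4:7], checksum=raw[7])


def addresses_on_bus(frames: List[Frame]) -> Set[bytes]:
    """Every antenna address a passive listener on the UART learns from the traffic."""
    return {f.address for f in frames}


def accepted_by_rs(frames: List[Frame], paired: Set[bytes]) -> List[Frame]:
    """Model the rule from the talk: commands from an unrecognised address are ignored.

    The address is the whole check, and it travels in the clear, which is why
    the talk's cloned-antenna firmware works; a real fix needs a secret that
    never appears on the bus, not a longer identifier.
    """
    return [f for f in frames if f.address in paired]


# Constructed capture (not a real trace): a lock and an unlock from the paired
# antenna FF FF F1, an unlock from an unpaired address, and some line noise.
SAMPLE_CAPTURE = bytes.fromhex(
    "00 11"                          # noise before the first frame
    "0C 00 01 30 FF FF F1 5A 0D"     # lock   from FF FF F1
    "0C 00 01 31 FF FF F1 5B 0D"     # unlock from FF FF F1
    "0C 00 01 31 AA BB CC 5C 0D"     # unlock from an unpaired address
    "0C 00"                          # truncated trailing frame
)
PAIRED_ANTENNAS = {bytes.fromhex("FFFFF1")}


def analyse(capture: bytes = SAMPLE_CAPTURE, paired: Set[bytes] = PAIRED_ANTENNAS) -> dict:
    """Split, decode, and evaluate a capture the way a bus monitor would."""
    frames = [parse_frame(raw) for raw in split_frames(capture)]
    return {
        "frames": frames,
        "addresses_seen": addresses_on_bus(frames),
        "accepted": accepted_by_rs(frames, paired),
    }


if __name__ == "__main__":
    result = analyse()
    for f in result["frames"]:
        print(f"{f.address.hex().upper()} {f.command_name:8s} checksum=0x{f.checksum:02X}")
    print("addresses visible to a bus listener:", sorted(a.hex().upper() for a in result["addresses_seen"]))
    print("commands the RS would act on:", [f.command_name for f in result["accepted"]])
```

Running it on the constructed capture yields three decoded frames; the listener learns both addresses, including the paired FF FF F1, while the RS model acts only on the two frames that carry it. The check passes for any frame presenting that address, which is exactly the property the rest of the talk exploits.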

So I send the unlock command to the car, but it does not work because the RS does not know this antenna. As I mentioned, this is just a UART, and it supports so-called two-way communication, thanks to which you can remotely receive information about the state of the car. For example, if the engine was physically started or stopped, the RS unit sends a corresponding message to the remote's antenna. That message contains the address of that very antenna.

The problem is that the communication runs over UART, and anyone connected to the UART bus can see the address this message is sent to, so my firmware has the ability to clone the address of an existing antenna, which I do with the corresponding command.

To generate a message, it is enough to open the car door. As you can see, the RS sends the antenna a message that the door was opened, and the alarm immediately goes off.

To silence the alarm, I send the "unlock" command, after which the alarm sound stops and the car is unlocked. You will have to take my word for it, since we could not play this video with sound. Let's try to play the video again.

Well, now there is sound (translator's note: the same video is played with sound). So you have seen how I sent the command to the RS and set off the alarm, all without a key. Now let's try to start the car the same way; for that we will watch the next video.

Usually, just sending "start" and trying to start the engine will not work. The reason is that this is a manual transmission vehicle, and for such vehicles remote starter systems have a special procedure. You must press the remote starter button while the key is in the ignition and the engine is running. Then you can remove the key, get out of the car and close the door, after which the RS turns off the engine and locks the doors. This is done so that the car does not react to a remote engine start while it is being driven, because that is dangerous. However, this is not a full security feature. It is easy to show this by looking at the EVO remote starter box. You see this yellow wire in a loop, which is there for manual transmissions. If it is cut, the unit can be used in a car with an automatic transmission. This design means no special settings are needed when installing the RS in cars with different types of transmission.

So the system did not respond to the "start" command, so I put the unit back in place and just cut this wire to break the loop. Now, if you repeat the "start" command, an audible signal sounds and the status indicators of the car's systems light up on the instrument panel, just as happens when the key is inserted into the lock.

At this point we have a car that we can start remotely without a key in the ignition, but the RS module is not all we need. Under normal circumstances you still will not be able to drive away in a remotely started car, but let's try to do it anyway.

To release the steering wheel lock, you insert an ordinary key with no transponder into the ignition lock. As you can see, it is enough to turn the key to the position before engine start, and the steering wheel of the Subaru Impreza turns completely freely.

However, if you do not have any key, then when you press the brake pedal the car stalls. This limitation is quite easy to get around. You need to find out how the car tells the remote starter that the brake is applied. You can see several multi-colored ports on the back of the EVO module case; the cable from the CAN bus connects here. It is enough to simply pull this cable out of the RS unit after the car has been remotely started, and it will no longer respond to the brake pedal. Since this unit is located under the steering column cover, I give the "start" command from my laptop, the car starts, I open the door, get out of the car and remove the CAN bus connector from the EVO unit. As you can see, the car's engine is running, but there is still no key in the ignition.

Now, if you press the brake pedal, nothing happens, because the EVO does not know it was pressed. After that I can get behind the wheel, press the brake, move the gear stick to "Drive", and the car goes. All of this is done without any key.

Continued in Part 2.

Source: habr.com