> Another way would be to remove the head unit from a vehicle, but I'm not wealthy enough to void the warranty on a car
Taking something apart does not void the warranty!
In fact it is illegal in the US for companies to arbitrarily deny the warranty unless they can prove that the user actually broke the item, taking apart ≠ breaking.
My 5th gen Camaro's head unit came out easily (assuming you're not horrified at the idea of removing the center console). There are lots of plastic clips and tabs and a few screws, but nothing broke and it's all reversible. Due to the poor quality of most aftermarket head unit enclosures for my car, I've had to do it more than once.
In a modern tightly integrated vehicle, taking apart the dash enough to remove the whole integrated head-unit is a real pain in the ass. If you can buy a unit for $200 on ebay and test it on a bench, the author probably considers that to be a good use of their time, nevermind the plastic fasteners.
If I were to try to take apart the dash of my car I'd guess I would be looking at a 6 hour project minimum.
Which is sleazy af. I really wish I could get behind tsla, but they persist with bold lies and consumer toxic behavior. Why cant this guy let the tech speak for itself?
You’re well within your right to buy a Tesla, modify it to the moon and back, and use it independently however you want. I hate Tesla as a company and I’m a strong supporter of these rights, but I stop at claiming that businesses have an obligation to continue supporting a product with unknown arbitrary modifications.
To the extent that a product is designed to only operate efficiently (or at all) with continued access to manufacturer services, it’s probably a bad idea to disqualify yourself from that access. But there are only two ways to solve that, either A) disallow the sale of products that rely on first-party services, or B) requiring manufacturers to uphold their end of the services contract while you do god-knows-what with your end of it (the product). Neither of these is the clear moral high ground that hacker types seem to think they achieve in this argument.
If Tesla (or any other company) can show that your modifications actually affect their ability to provide the services as designed, then sure, they shouldn't be required to provide them. But as long as the modifications I make don't actually affect the car's ability to operate, I don't see any reason why that should allow them to deactivate unrelated services.
There is also more important things at stake that make it very shortsighted and petty on Tesla's part to deny service.
Microsoft understands this which is why they offer updates to known pirated versions of their software.
Making things difficult for a few pirates is less important to them that making sure things stay secure. They also don't want a bunch of windows systems out there, slow due to viruses mucking up their reputation.
Revoking access to the charge station somewhat make sense. There is a lot of power involved and if you modify the wrong stuff, things can go spectacularly badly.
Also, if a modified Tesla catches on fire at a charging station, do you think the headlines will mention that it was modified or will it just be “Tesla catches fire and blows up at supercharger”
So what, if the tires don't have enough tread should the car refuse to move until it's towed to an authorized Tesla service center? Bad tires can be as dangerous as self-driving bugs, this sounds far too safety-critical to allow owners to muck about with.
This mindset is honestly frightening, I like to actually own the products that I have purchased.
This mindset is honestly frightening, I like to actually own the products that I have purchased.
Sure, but sometimes your ability to customise a product to do whatever you want with it can also affect others, and at that point your rights and theirs have to be balanced.
My go-to example of this is modern communication devices like phones and tablets. There are obvious concerns about security and privacy with such devices, and obvious arguments in favour of the hardware design and software running on them being open to audit and verification so owners know their device isn't quietly betraying them. Those naturally lead to suggestions that all firmware should be open to owner modification, black boxes should not exist, etc.
What a lot of people don't realise is that if you let some idiot who doesn't know what he's doing mess around with the firmware driving the actual radio components in those devices, it's entirely possible for just a single device to cause widespread disruption that could interfere with the operation of numerous other devices in the area, with obvious implications for safety, security, and general quality of life for everyone else affected.
Even fewer people realise that the technology for isolating a rogue unit (which exist anyway from time to time due to things like hardware failure, manufacturing defects or software bugs) is very limited in its capabilities, because unfortunately the laws of physics still take precedence over whatever laws or regulations we choose to create as a society. In other words, not only can one rogue device cause chaos, it can cause chaos for an extended period because even the professionals operating the network have limited powers to do anything about it quickly.
To finish by returning to your own analogy, sure, I would have concerns about a car refusing to move until it's towed to a service centre authorised by the manufacturer if its tyres didn't have enough tread. That's obviously a form of lock-in that isn't in the owner's interests. However, I would have fewer concerns about a car refusing to move if its tyres didn't have enough tread to be safe until the problem was fixed, as long as any suitable method that made the car safe would immediately remove that block.
If by "people" you mean the owner of the car, of course they should be able to do whatever they want with it. If they modify something and it ends up hurting someone, they're liable for it. It's not that different from modifying an older car.
> It's not that different from modifying an older car.
There's a huge practical difference between gearheads modifying the physical parts of their cars and a world where any Tesla buyer could as easily tweak engine, breaking etc. performance as they could download an app or re-flash their phone. You'd have idiots who'd otherwise never bothered to modify their cars dying as a result of trying to rice up their ride.
It's the same situation as RC planes and drones. The RC community had a natural selection bias for decades and wasn't worth regulating, then drones became available on the mass-market resulting in a bunch of idiocy that regulators needed to scramble to keep up with.
I think car manufacturers are rightly paranoid about that. There's a lot of profoundly stupid and unsafe stuff you could trivially do with a Tesla if you had access to the software, and if it was easy to install those sorts of things people would do so en masse.
It's widely accepted that if I modify my vehicle mechanically causing to to become unsafe, it is my fault. Not news, at least for 100 years. Driving assistance software has not yet earned the same presumption of initial safety.
Its also more technically feasible to prevent modification, and speaking as a fellow road user, I think I'd rather you run with stock firmware.
If they modify something and it ends up hurting someone, they're liable for it.
Until the courts can provide adequate compensation to the family of someone was was killed or to a crash victim who received life-changing injuries, I don't think that's going to be a compelling argument in this sort of situation.
Honestly I think they’d be safer if the owners had control of the firmware.
Tesla has pushed updates which were broken in obvious ways that have killed people. It’s certainly possible to have a company like Tesla develop firmware in a safe way so that restricting what can run on the cars makes sense but that’s not what’s going on right now.
Thanks! I wish there was a service I could pay for where I could ask lawyers vague security-research related questions like this. Right now I wouldn't even know where to begin looking for a lawyer that would be an authority on this type of stuff. If I found that person, I'm also not sure I could afford their time.
I was surprised to see him give up at having to bruteforce the password for root on ssh. That's how the community got into Mazdas, at least the 2015 I had anyway. The password was simple, jci, presumably because it was designed by Johnson Control Istruments.
You think a company is going to heavily lock down an embedded system they don't expect anyone to try to access, or are they going to make the password easy so that all the techs and engineers can remember it?
1. I believe Harman had a previous device hacked back around 2014 due to a weak shadow hash. My guess was that they learned their lesson and made the password more complex. An easy way to test would be to diff the latest shadow file in the updated Subaru images (assuming they exist) -- if it changed, you may be right, if not, I'd still wager it is strong enough.
I don't like the idea of a backdoor like that available, but it is what it is.
2. The QNX6 hashing mechanism, to the best of my knowledge, isn't fully understood. Upstream changes to JTR seem to indicate that it has some form of bug in it or isn't fully reverse-engineered. That, along with having to spend presumably a large amount of time learning about contributing to hashcat & gpu programming, made this seem like a potential dead end without massive time investment.
So, is it possible it is crackable? Almost certainly, but I'm one guy doing this and you have to spend your time carefully in these ventures.
Thanks for thr reply! That all makes sense. With the Mazda, I don't think anyone bothered to try to go as far as you did with the software because it was so easy to get wifi turned on, connect, and then let your device try short password after password (and at just three lowercase letters, the result came fast).
Given the reet of the work and your first point, it does seem like yours is the smart choice in this case. I was just surprised you didn't tey bruteforcing via ssh at first.
Thanks for the awesome article by the way! My Mazda got totalled last month, and I got a new 2019 Honda Fit I haven't gotten around to messing with yet. This gives some great ideas for how to proceed.
I have a 2080Ti at home I can throw at it for a few days, if you're willing to share the hashes with me? I'm the same username on reddit if you're interested in DM-ing me.
They also had an authorized_keys file so it doesn't seem a stretch that the password login is some device-specific autogenerated value since the engineers would just use PubKey auth.
Do cars even come without 'smart' options nowadays? As in, is it possible to buy a new basic trim car with a traditional radio/without a screen? That can be removed or replaced?
I just wonder if this 'smart tech' will become like when you find a CD changer in the trunk of a car. Except these smart dashes won't be easily removable/swappable like an old cassette deck.
>Do cars even come without 'smart' options nowadays?
This will be much harder to find on new cars in the US. As our May 2018, all new cars are required to have backup cameras (https://en.m.wikipedia.org/wiki/Backup_camera#Mandates). Now that a screen is required, it's harder to financially justify putting in a head unit that includes physical dials. Instead we're stuck with crap like "find the button for volume on the screen, then tap it 15 times to adequately adjust it". I'm hanging on to my 2011 Honda Civic for the foreseeable future, and pray the UI won't suck on newer vehicles or find a basic trim 2016-2018 that doesn't do everything on the screen.
I appreciate the safety aspect, but hate the UI of every car I've interacted with.
Any recommendations for cars whose UI doesn't suck?
Even though my 2019 Subaru is covered in screens, it also has physical knobs and buttons for the volume, air conditioning, and changing between radio station presets. I usually find that I don't have to touch the touchscreen on an average car trip.
In the economy space, my vote is for the most recent stuff from Hyundai/Kia. Not the world's greatest system but the latest stuff is very responsive (i.e. no UI lag) and their implementation of CarPlay/Android Auto is fairly bulletproof. (Good quality touchscreen, well positioned for finger input, doesn't do anything too stupid to make CP/AA frustrating.)
In the premium space, BMW has always maintained a medium-high bar with recent iterations of iDrive. (There have been many revisions and trim variations of their system, but approximate rule of thumb for acceptable tech is 8+ inch screen, 2013 onwards.) It's not going to wow a UI nerd, but if you plan to own the car for multiple years, it's slick and effortless once you're familiar with it—especially as almost any menu item anywhere in the system can be programmed to one of the 8 or so preset buttons on the dashboard.
I therefore have dedicated buttons in my car for "Call my wife", "Trip computer details", "Open destination address book", "Spoken directions on/off", and "Begin navigating to home." And if you think that will get too complicated too quickly, BMW thought of that: each preset button has a capacitive sensor in them so if you place your finger on the button without pressing, the screen will remind you what that button is programmed to do. It's nice.
My 2015 Toyota Corolla has a screen for the backup camera, but it also has physical buttons. The digital and physical interfaces are pretty good. Because it's a Toyota, it will probably be reliable for a very long time, and because it's a Corolla, there will probably always be parts available.
If for some reason you get a trim level that does not have cruise control, it's easy to add: drill a hole in the steering console, mount the lever, and plug it in. The car is already programmed with the feature.
>Any recommendations for cars whose UI doesn't suck?
Get a steering wheel with controls on it if the manufacturer doesn't offer physical buttons on the head unit. I'd be super surprised if you couldn't put a higher trim Civic's steering wheel on a lower trim Civic. Look for part outs from totaled cars (the sport and SI trims are good places to look - kids drive them irresponsibly, and they have high end tech that is usually salvageable when the body gets totaled).
I'm fairly happy with my Subaru Impreza - it has the head unit described in this post. The physical knobs and seek buttons make up for the dusty, stragnely-sensitive-sometimes, strangely-unsensitive-other-times screen.
Current Mazdas don't have a very complicated UI on their screens, and it's completely operable with the jogdial and buttons on the center console. In fact, the touchscreen switches off in software once the car is in motion.
The UI also doesn't control anything except the radio, navigation, and some system settings. All the climate controls are on separate knobs or buttons (I actually liked the physical dials for fan/temp on my old Mazda 3 Sport, the Tourings and above changed to electronic buttons and it's not as intuitive as the dials).
Any recommendations for cars whose UI doesn't suck?
Anything before the late 90s? Buying an old car and then installing your own backup camera would be one possible way to get the useful features but not the annoyances.
I've considered that. When I buy my best next car (hopefully 3+ years from now), I'd like to upgrade the model year for the marginal gain in safety. 2015 or so might be my target year.
Of course. A basic model of a Dacia Sandero or Duster comes with a basic FM radio and nothing else. In some markets the same can be said about more upmarket brands like VW - a new polo cannot be specced with a basic FM radio and no smart features in the UK for instance, but in Germany or Poland it can.
And in a lot of modern cars the head unit is replaceable even if the manufacturer didn't envision it as such because of course the market has produced replacements anyway - like on Mercedes cars the entire head unit can be replaced by a custom one with a larger screen and running Android while not losing any of the factory functionality. On Nissan's you usually get a full dash replacement for custom radios. Quick search in AliExpress uncovers custom head units for nearly any car in existence.
>A basic model of a Dacia Sandero or Duster comes with a basic FM radio and nothing else.
Wrong. The basic model of a Dacia Duster doesn't even come with a radio. You need to upgrade from the Access (base) trim level to the Essential trim level to get a headunit.
I'm not sure what you mean though. Like.....the throttle control is almost guaranteed to be digital, the dials use digital information bus to update speed and rpm even if they use analog dials......you cannot buy a car with a complexity of a Fiat Cinquecento anymore, yes, but I'm not sure if that's a bad thing.
Depending on where you live new cars might well be required to have ‘safety’/tracking features so emergency services can be automatically reached if you are in an accident. Or if the police want to effortlessly and invisibly track you, of course.
It doesn't look like it. The cheapest new car I just looked at was a Hyundai Accent for $14k and it came with a touch screen infotainment system. Even a manual 2019 Nissan Versa for $13.4k has one. Seems like it's the new norm, like how radio became the norm in cars after some time. I bet people were complaining about that in the same way you are now.
So will the car? I think i need to emphasize the context.
I’m responding to “Seems like it's the new norm, like how radio became the norm in cars after some time. I bet people were complaining about that in the same way you are now.”
In 1975, there was no danger your radio would become obsolete or outdated at anywhere near the speed that an awful touchscreen tablet built into your car in 2020 will. So, I’m not referring to buying a car now with an AM/FM radio. I’m not sure what one would use that for other than as an AUX input.
What makes a touchscreen obsolete? Sure, the UI will look old-fashioned in a few years, but so will the rest of the car. In both cases, they will still perform the functions they were designed to do.
The touchscreen is not the part I’m expecting to become obsolete (?).
Many of the devices in cars currently have bugs, poor interface, slow performance, and are generally inferior to modern phones. So, continuing to perform as they do now is not a relief.
It’s like having a phone from 2014 built into ... uh, your car. I’ve upgraded my real phones and tablets 3-4 times since then, despite that the old ones still functioned same as they did when new.
One example is that it’s difficult to pair iPhones with some cars from a few years ago. What happens when software updates make me unable to connect to the Bluetooth in my car? I doubt that Ford or GM is going to release a timely update.
You might ask: why do people upgrade computing devices that still function?
They're starting to put cars on the same obsolescence train as consumer electronics. This is on a device that costs a helluva lot more. I suppose that EVs have the same issue.
The parts situation is going to be interesting. Lacking standardized design and only a limited number of years of guaranteed (and high cost) replacements, it should be interesting in a decade. Cars a tough environment and I'm afraid that wrecking yards will see a lot of usage in terms of both cars become obsolete/unfixable and as sources of spare parts.
It's interesting that the original sin of pushing towards this situation is the mandatory backup camera. Once the screen and a tolerably fast embedded system get installed, cost reduction leads you to a monolithic place for car controls. The modern fascination with cell phones probably helps the population go along.
Right, what I’m trying to say is that the obsolescence schedule of tablets and the rate of development does not match hardware like cars refrigerators well. Large physical items like that with other primary purposes should last a decade or two, at least.
I would think the best solution for this is to have swappable, upgradable tablets. Maybe basic operations built in, and a dock for a tablet that you could change whenever.
For any of this to function well, the manufacturers either have to work closely with competent consumer software companies, or become one themselves. It reminds me of the situation where cell phone carriers are expected to update the ROM on your old android phone, and often don’t do so regularly, because they’re not competent software or hardware companies.
If you did this to your car, what would you do to this system now that you have gained access? Install Android? I'm trying to think of a practical reason to actually do this to my WRX as Starlink is not an enjoyable platform.
I have a 2015 Impreza and find the built in UI cumbersome and annoying. It has a few bugs where it can get stuck on a specific menu and it also doesn’t update the song that’s playing via Bluetooth from Spotify etc.
I feel like there are a ton of nice improvements to be had from the 2015 version if they could be figured out:
1. Better Spotify integration with album cover display, playlist scroll
2. Mirror google maps to the display
3. Show any push notifications that come in via your phone
4. Display engine diagnostic info when check engine light is on
5. Display a nice background image when not in use
These are just a few features I’d personally love to see, not sure if any are at all feasible.
>Subaru will have updates for head units affected by this flaw in the coming weeks.
Wow, this is so cool! I've been getting emails from Subaru to update my headunit. No idea that I'd see it getting detailed on github and hacker news.
>Harman and Subaru should not assume that the biggest flaw is releasing update files. Letting customers update their own head units is wonderful, and it lets security researchers find flaws and report them.
Yes!! Good good, I have to coordinate with a "Service Technician," drop my car off, have it sit around for a couple of hours, then get it back for something that would take me 20 minutes to do.
I’ve seen techniques used to reverse text that has been blurred with a fair degree of success, but that text was still easily readable in spite of being blurred. Which is weird because they must have looked at it while performing the transformation and thought “I can still read this”.
Anyhow, the hack itself is impressive. I tip my hat to them.
Sure, of course, but requiring a serial connection through a physical cable is still a less useful attack vector than ssh over wifi, which is what I gathered from the grandfather post - but not the article.
Wonderful write-up, but I find it sad that this is handled as a vulnerability, while it is really a way for users to liberate their device and make it do what they want to do.
I agree, but I don't have a consulting-firm/reputation/team of lawyers etc. to hide behind. Reporting flaws to companies related to embedded is often still scary today.
The point of this is that hey, this isn't actually that hard if you're willing to put in the time. If you're moderately talented, you can probably learn it too!
As opposed to the standard exploit write-up/security conference circuit thing, where a lot of the details are kept secret and it seems like the entire point is to make other people think you're cool instead of teaching something. :)
Getting things patched is awful. A reasonably simple thing I'd like is to secure myself against meddling by Subaru. That includes updates I don't agree with and tracking of my vehicle.
Disabling the network connection would pretty much stop the tracking. Alternately, disabling GPS would work. Anybody worried about both stored data and about cellular companies reporting tower locations would need to disable both.
Undesired updates can mostly be stopped by disabling the network connection. Dealer service could be trouble; they might do an update without asking for my permission. Scrambling the crypto keys would probably stop the dealer service people from making updates.
Some of the above would also be needed to keep Subaru from uploading camera data taken in my garage. As it is now, Subaru could be watching me in my house!
My car’s head unit runs that QNX thing. The firmware is authenticated with a few 512-bit RSA keys, easily cracked. The applications were written as flash and Java applets. This car isn’t 5 years old.
I've always wondered about how CarPlay worked with random OEM units like these, each running their own RTOS and having different binaries and libraries available. I'm assuming Apple would want to write in Objective-C which isn't really known for embedded support?
Now I just wish I could have the EyeSight on my Subaru Forrester hacked so that the adaptive cruise control doesn't go off after three seconds of being at a full stop.
Pro tip: hit the speed up or down button any time in that three second window to buy yourself another 7 seconds of activation. Annoying, but potentially hackable!
Wouldn't it be lovely if we had some kind of digital consumer rights bill that required all computerized devices to have some method for the end user to gain root access?
Oh make me jump through hoops. Make me send a registration card with my name, address, and ten cereal box tops if you want. I'm just tired of having to make purchasing decisions not on the basis of what devices have the best specs, but which ones are the least hostile to me actually owning the slab of glass and plastic I blew an entire paycheck on.
Ah I see, missed that the first time around. Another thing I’m wondering after processing this: did you ever try to ssh as the dm or daemon user after seeing the passwd file originally in ifs-subaru-gen3.raw?
P.S. Thank you for writing this! It’s super interesting snd very easy to follow. I’ve shared it with friends both for the content and also as an example of excellent technical writing.
Sort of an aside, but I do sort of wonder what goes into the decision to go with Freescale/QNX as opposed to allwinner/rockchip/MTK and Android in this application. Surely the cost would be similar or less, and the performance could potentially be better?
Freescale and Motorola before it have had a long history of supplying microcontrollers for automotive applications. I'm not sure the other companies even have the extended temperature range components which are required for automotive use.
On a related note, SpaceX's Dragon apparently can apparently be SSH'd into according to an engineer I spoke with.
Hopefully the connection is well secured.
There in lies the issue with forums which allow voting without comment on other comments.
I'm personally preferential to the 2channel/2chan/4chan system of no votes and no tree threading. But if there's a voting system, I see no problem letting it represent the readerships preferences for topical jokes.
/Off topic
As for the actual article in question, thinks look solid. There isn't much to add beyond the presented material. Harman did a decent but not perfect job from the outset, you need serial port access for this to work, and they were responsive about fixing the exploit.
Without a voting system, then people would have to wade through low effort noise like yours just to find the good contributions. The system works great. In fact, people need to have showdead=true just to see your epic "shots fired" comment now.
Taking something apart does not void the warranty!
In fact it is illegal in the US for companies to arbitrarily deny the warranty unless they can prove that the user actually broke the item, taking apart ≠ breaking.
Magnuson–Moss Warranty Act (P.L. 93-637)