Remote Exploitation of an Unaltered Passenger Vehicle

TECHNICAL WHITE PAPER

Chris Valasek, Director of Vehicle Security Research for IOActive
Charlie Miller, Security Researcher for Twitter

Copyright ©2015. All Rights Reserved.

Contents

Introduction
Target – 2014 Jeep Cherokee
    Network Architecture
    Cyber Physical Features
        Adaptive Cruise Control (ACC)
        Forward Collision Warning Plus (FCW+)
        Lane Departure Warning (LDW+)
        Park Assist System (PAM)
    Remote Attack Surface
        Passive Anti-Theft System (PATS)
        Tire Pressure Monitoring System (TPMS)
        Remote Keyless Entry/Start (RKE)
        Bluetooth
        Radio Data System
        Wi-Fi
        Telematics/Internet/Apps
Uconnect System
    QNX Environment
    File System and Services
        IFS
        ETFS
        MMC
        PPS
    Wi-Fi
        Encryption
        Open ports
    D-Bus Services
        Overview
    Cellular
    CAN Connectivity
Jailbreaking Uconnect
    Any Version
    Version 14_05_03
    Update Mode
    Normal Mode
Exploiting the D-Bus Service
    Gaining Code Execution
Uconnect attack payloads
    GPS
    HVAC
    Radio Volume
    Bass
    Radio Station (FM)
    Display
        Change display to Picture
    Knobs
Cellular Exploitation
    Network Settings
    Femtocell
    Cellular Access
Scanning for vulnerable vehicles
    Scanning results
    Estimating the number of vulnerable vehicles
    Vehicle Worm
V850
    Modes
    Updating the V850
    Reverse Engineering IOC
    Flashing the v850 without USB
SPI Communications
    SPI message protocol
    Getting V850 version information
    V850 compile date
    V850 vulnerabilities in firmware
    Sending CAN messages through the V850 chip
The entire exploit chain
    Identify target
    Exploit the OMAP chip of the head unit
    Control the Uconnect System
    Flash the v850 with modified firmware
    Perform cyber physical actions
Cyber Physical Internals
