DEFCON Conference 27. Your car is my car. Part 1

Talk summary:

For many of us, a car is one of the most expensive purchases we will ever make. In a world where everything is interconnected, it is quite natural to want to control your car remotely: be reminded where you parked it, check whether you forgot to lock the doors, or start the engine remotely to preheat or cool the interior depending on the time of year.

Many manufacturers offer optional alarm systems that provide these amenities and peace of mind. But how far can we trust the suppliers of the systems that guard access to our cars in the digital domain? In this talk, Jmaxxz describes what he discovered when he looked into one of these systems.

Jmaxxz is known for his work on the August Smart Lock smart home system (DEFCON 24 talk “Backdooring The Frontdoor”). In recent years his attention has focused on Internet of Things devices. He took part in the “IoT village zero day” sections of DEFCON 24 and DEFCON 25 and finally decided it was time to research an automotive aftermarket product: the remote starter (hereinafter referred to as DS).



So, my name is Jmaxxz, I am a programmer by profession and a hacker by vocation. I do everything related to locks, and during this talk you will hear many statements that express my opinion exclusively and are not the opinion of my past, present or future employers. As you have probably guessed, this will be about cars, namely about remote starters and alarm systems. Let's start with the background, which matters in this context, because many people consider such systems an unnecessary luxury.
So, where I live it is pretty cold, and my friend suffers from a condition called Raynaud's syndrome. In the cold, the blood vessels of the hands spasm, blood flow to the fingers drops sharply, and there are signs of frostbite up to tissue necrosis. The slide shows what it usually looks like.



Last November I had still not decided what to give her for Christmas. Then she came home from the airport upset, because her car had not warmed up on the way home. At that moment I realized that I would give her a remote engine start system, and I began looking for the best option. It turned out that the market for remote starters is quite extensive, and many manufacturers do not provide sufficient information about their product.

They do not say how to install the system or what tools are used to program the device. That is a problem for me, because it is my car and my remote starter, and I must have access to those tools. So I searched a little more and found a Canadian company, Fortin, which makes such starters and willingly provides all the necessary documentation. I settled on this product and set about searching for a suitable remote control. The thing is, if you use the car's standard remote with a remote starter, its range is limited to the range of the standard remote. The aftermarket offers remotes that claim a range of half a mile to a mile and a half. According to consumer reviews, this is a marketing claim, because in reality the distance is much smaller. That is a problem, because my friend needs to start the engine of a car parked in the airport parking lot as soon as she gets off the plane, which is about half a mile away.



So it would be great if she could just pull out her phone, open the application and tap “Start Engine”. I found a third-party product called MyCar that is fully compatible with the Fortin starter. It is a small dongle with a SIM card and a GPS receiver, which you put in the car and connect to the remote starter. Then, using a mobile application, you can remotely start the engine, unlock the doors and so on.



I thought that this would be wonderful: right after the plane lands, my girlfriend will be able to start the engine, and by the time she gets to the car, the cabin will already be warm.

So, let's talk a little about how remote starters work. To do that, you first need to understand how a car engine starts. Until about the mid-nineties, a car's ignition was a traditional mechanical lock in a key switch. You had to insert a key and turn it to close the electrical circuit. Then, in the United States, locks with an “immobilizer” became popular. It sounds complicated, but it is just an electronic lock. So you have a mechanical lock, whose key is also the key to the electronic lock: the key is a transponder and contains some information that can be read. Until you open the electronic lock, your car will not start. On the right side of the slide you see two keys: the left one for the immobilizer, and the right one for the usual ignition switch. The right key simply actuates the mechanical parts of the lock, while the left key unlocks the electronic lock, which allows the car's engine to start.



Why am I talking about this? Remote start works through the immobilizer. On the next slide you see the wiring diagram of the Fortin EVO One device with the immobilizer: at the bottom left you see a pair of contacts labelled IMO. At the top right of the diagram you see two lines, CAN LOW and CAN HIGH. These are the contacts for connecting to the CAN bus. Remote starters are connected to the CAN bus because it reduces installation costs: fewer connections have to be made during installation. If the remote starter can read data from the CAN bus or send commands over it, the installation time of the remote engine start system goes down.

At the top left of the diagram there is a whole bunch of GPIOs that are used for controlling or reading vehicle information. For example, you want the headlights to flash or a beep to sound when you press the lock button. Such things can be controlled through these GPIOs. At the bottom left of the diagram you see a large bulky connector: this is the interface that bypasses the mechanical lock. That is, you do not need to insert the key into the ignition switch and turn it, because this interface lets the remote starter's relay interact directly with the electronic lock.



The following slides show the steps for installing a remote starter. Basically, it consists of removing the steering column cover and installing and connecting the DS unit. It looks pretty scary, but it is simple.



The remote control itself connects to what Fortin calls the data link. The system uses a proprietary protocol over UART (universal asynchronous receiver-transmitter) at 9600 baud. The Fortin remote starter simply connects over the UART bus to the two remotes you see on the slide.



Having installed the DS, I thought about how such devices affect a car's security. Obviously, the DS has to bypass the immobilizer, so how safe is it with respect to theft or someone taking control of the vehicle? This applies not only to data transmitted over the cellular network, but also to the remote start signal itself. So I began to search the Internet for the manufacturer's information on the data link protocol and landed in forums where people write that Fortin refuses to provide this protocol. One of the reasons given: “we do not disseminate such information, because EVO is not a toy for hobbyists, it is intended for use by professionals.”



Being something of a professional, I decided to build my own car on the bench. I got a second EVO unit and built a circuit board that stood in for the car, with switches to simulate the ignition, a button for the brake pedal and a whole bunch of LEDs to display various states.



Having put all this together, I connected an FTDI device to monitor the data link and began collecting data. At first it looks something like what is shown on the slide, and it is not entirely clear what is going on. But on closer inspection, there is definitely some kind of structure here.



Note that whenever I press a button on my remote control, the message that the antenna sends to my DS always starts with 0C and ends with 0D. So if we simply split what we capture, taking 0C as the beginning and 0D as the end, we end up with something like this.



Some structure is already clearly visible here, so you can work out what is happening. Having spent time tracking which message appears after pressing a given button, I was able to compile a table of commands, each of which corresponds to a specific action. That is, when you press a button on the remote control, the antenna sends a command to the remote start module that looks like this.



This is what a typical command structure looks like.



When you press a button on the remote control, the antenna sends such a command to the remote starter. It starts with the byte 0C, followed by 2 bytes which, I think, represent the direction of transmission. This is interesting, since UART already has a transmit/receive direction, so I marked these bytes as “garbage”; just consider them a constant. This is followed by a single byte indicating the command the user would like to execute. This can be locking or unlocking the doors, disabling the alarm, etc. In general, everything you want to do remotely is tied to this command. Then comes the payload: FF F1 is the address, or identifier, that identifies the remote antenna the message came from. If the DS unit does not recognize the identifier, the command is ignored. If the DS accepts the identifier, a multi-stage procedure begins, which includes checking for the key in the ignition, whether the engine is on or off, whether the brake pedal is pressed, etc. In fact, this process does not matter much; what matters is that at this moment the device is checking the ID.

At the end of the message is a checksum byte and a byte marking the end of the command. Now that we understand how the protocol works, what can we do with it? I have a couple of videos on the topic. Unfortunately, for some reason the video plays without sound, so I will narrate what is happening on the screen. To the left of the steering column, on the instrument panel cover, is a white box containing electronics with Particle.IO firmware that understands the Fortin protocol. The wire with the blue tip is an antenna. This thing lets me interact with the remote starter unit from the car's cabin and see on the laptop screen what is happening.
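As an added example (not code from the talk or from Fortin), here is a small Python framer for the data-link messages as the talk describes them: a capture is split on the 0C/0D markers, the fields are pulled out in the order given above, and the DS unit's “is this identifier known?” check is reproduced to show that it is a plaintext comparison rather than authentication. The exact byte layout after the command byte, the checksum algorithm and the sample bytes are not given on the page, so they are assumptions here.

```python
from dataclasses import dataclass

# Frame markers named in the talk.
START, END = 0x0C, 0x0D

@dataclass(frozen=True)
class Frame:
    direction: bytes    # 2 bytes the speaker treats as a constant
    command: int        # 1 byte: lock, unlock, start, ...
    antenna_id: bytes   # sending antenna's identifier (assumed: every byte between command and checksum)
    checksum: int       # algorithm not given in the talk; kept opaque here

def split_frames(stream: bytes) -> list:
    """Cut a raw capture into frames using 0C as start and 0D as end, as the talk does."""
    frames, pos = [], 0
    while True:
        start = stream.find(bytes([START]), pos)
        if start < 0:
            break
        end = stream.find(bytes([END]), start + 1)
        if end < 0:
            break
        frames.append(stream[start:end + 1])
        pos = end + 1
    return frames

def parse_frame(raw: bytes) -> Frame:
    """Decode one frame: 0C | dir(2) | cmd(1) | antenna id | checksum | 0D (assumed layout)."""
    if len(raw) < 6 or raw[0] != START or raw[-1] != END:
        raise ValueError("malformed frame")
    return Frame(direction=raw[1:3], command=raw[3], antenna_id=raw[4:-2], checksum=raw[-2])

def is_accepted(frame: Frame, known_ids: set) -> bool:
    """The DS unit's check as described: act only if the identifier is already known."""
    return frame.antenna_id in known_ids

def observed_ids(stream: bytes) -> set:
    """What any tap on the bus learns: every identifier travels in the clear."""
    return {parse_frame(f).antenna_id for f in split_frames(stream)}

# Constructed sample capture: two frames, command byte 0x20, ids FF F1 and AA BB (all values made up).
SAMPLE_STREAM = bytes.fromhex("0c 00 01 20 ff f1 5a 0d") + bytes.fromhex("0c 00 01 20 aa bb 77 0d")

if __name__ == "__main__":
    for frame in map(parse_frame, split_frames(SAMPLE_STREAM)):
        print(frame, "accepted" if is_accepted(frame, {b"\xff\xf1"}) else "ignored")
```

Because the identifier is the only thing the unit checks and it is visible to every node on the bus, a bus monitor cannot tell a legitimate antenna from anything else that repeats the same bytes; that is the weakness the rest of the talk demonstrates.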



So, I send the unlock command to the car, but it does not work, because the DS does not know about this antenna. As I already mentioned, this is simply UART, which supports so-called two-way communication, so you can remotely receive information about the state of the car. For example, if the engine is physically started or stopped, the DS unit sends a corresponding message to the remote control antenna. In this case, the message contains the address of that antenna itself.



The problem is that the communication goes over UART, and anyone who connects to the UART bus can see the address this message is sent to, so in my firmware it is possible to clone the address of an existing antenna, which I do with the corresponding command.



To generate a message, I just open the car door. As you can see, the DS sends a message to the antenna that the door was opened, and the alarm immediately goes off.



To turn off the alarm, I send the “unlock” command, after which the siren stops and the car is unlocked. You will have to take my word for it, because we were not able to play this video with sound. Let's try to play the video again.



Well, the sound is back (translator's note: the same video is played on screen, now with sound). So, you saw how I sent the DS a command and triggered the alarm, all without a key. Now let's try to start the car the same way; for this we will watch the next video.

Normally, just typing the “start” command and trying to start the engine will not work. The reason is that this is a car with a manual gearbox, and for such cars remote starter systems have a special procedure. In this case you must press the remote starter button while the key is in the ignition and the engine is running. Then you can remove the key, get out of the car and close the door, after which the DS turns off the engine and locks the door. This is done so that the car does not react to a remote start while driving, because that is dangerous. However, this is not a complete security feature. Proving that is quite simple if you look at the EVO remote starter unit. You see this yellow wire in the form of a loop, which is there for manual transmissions. If you cut it, this unit can be used in a car with an automatic transmission. This design lets you avoid any special settings when installing the DS in cars with different types of transmission.



So, the system did not respond to the “start” command, so I am going to put this unit back in place and just cut this wire to break the loop. Now, if you repeat the “start” command, a beep sounds and the vehicle's status indicators light up on the instrument panel, just as when the key is inserted into the lock.



At this point we have a car that we can start remotely without a key in the ignition, but the DS module is not all we need. Under normal circumstances you still won't be able to drive the vehicle away remotely; however, let's try to do it all the same.

To release the steering wheel lock, you must insert an ordinary key, one without a transponder, into the ignition switch. As you can see, you just turn the key to the position before engine start, and the Subaru Impreza's steering wheel turns completely freely.

However, if you have no key at all, then when you press the brake pedal the car will stall. Getting around this limitation is easy enough. Find out how the car tells the remote starter that the brake is applied. You see several multi-colored ports at the rear of the EVO module case; the cable from the CAN bus is connected here. It is enough to simply pull this cable out of the DS unit after the car is started remotely, and it will not respond to the brake pedal being pressed. Since this unit sits under the steering column cover, I give the “start” command from my laptop, the car starts, I open the door, get out of the car and remove the CAN bus connector from the EVO unit. As you can see, the car's engine is running, while we still have no key in the ignition.

Now, if you press the brake pedal, nothing happens, because the EVO does not know it has been pressed. After that I can get behind the wheel, press the brake, put the gear selector in “Drive”, and the car will drive. All of this is done without any key.

Continued in: DEFCON Conference 27. Your car is my car. Part 2
