
Jailbreaking Subaru StarLink - lelf
https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md
======
RandomBacon
> Another way would be to remove the head unit from a vehicle, but I'm not
> wealthy enough to void the warranty on a car

Taking something apart does not void the warranty!

In fact it is illegal in the US for companies to arbitrarily deny the warranty
unless they can prove that the user actually broke the item, taking apart ≠
breaking.

Magnuson–Moss Warranty Act (P.L. 93-637)

~~~
Dextro
The author actually expanded a little bit on that by mentioning he doesn't
know of any head units that will come out without plastic tabs breaking.

While you wouldn't fully void your warranty the dealer/manufacturer would be
under no obligation to replace parts you broke.

~~~
walrus01
In a modern tightly integrated vehicle, taking apart the dash enough to remove
the whole integrated head-unit is a real pain in the ass. If you can buy a
unit for $200 on ebay and test it on a bench, the author probably considers
that to be a good use of their time, nevermind the plastic fasteners.

If I were to try to take apart the dash of my car I'd guess I would be looking
at a 6 hour project minimum.

~~~
londons_explore
Not only that - if the project takes 6 months, your day-to-day car ends up
without a head unit for that long...

------
thisismyaccoun7
I was surprised to see him give up at having to brute-force the password for
root on ssh. That's how the community got into Mazdas, at least the 2015 I had
anyway. The password was simple, jci, presumably because it was designed by
*J*ohnson *C*ontrol *I*nstruments.

You think a company is going to heavily lock down an embedded system they
don't expect anyone to try to access, or are they going to make the password
easy so that all the techs and engineers can remember it?

~~~
bdelay
Two reasons I didn't do that:

1. I believe Harman had a previous device hacked back around 2014 due to a
weak shadow hash. My guess was that they learned their lesson and made the
password more complex. An easy way to test would be to diff the latest shadow
file in the updated Subaru images (assuming they exist) -- if it changed, you
may be right, if not, I'd still wager it is strong enough.

I don't like the idea of a backdoor like that available, but it is what it is.

2. The QNX6 hashing mechanism, to the best of my knowledge, isn't fully
understood. Upstream changes to JTR seem to indicate that it has some form of
bug in it or isn't fully reverse-engineered. That, along with having to spend
presumably a large amount of time learning about contributing to hashcat & gpu
programming, made this seem like a potential dead end without massive time
investment.

So, is it possible it is crackable? Almost certainly, but I'm one guy doing
this and you have to spend your time carefully in these ventures.

~~~
tyingq
Hashcat appears to have added support in the past month:
[https://github.com/hashcat/hashcat/commit/87c24200da61ab5ca2...](https://github.com/hashcat/hashcat/commit/87c24200da61ab5ca251b5e07af70ae6cd04297f)
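
One way to run the shadow-file check bdelay suggests (diff the hash field per
user between two firmware images) and to hand a changed entry to hashcat, as an
added Python example that is not part of the original write-up or of this
thread. It assumes the QNX shadow hash field has the shape
`@<alg>[,<rounds>]@<hex digest>@<salt>` with `m`/`S`/`s` meaning
MD5/SHA-256/SHA-512 and 1000 rounds when none is given (my reading of John the
Ripper's qnx format), and that hashcat's QNX modes are 19000/19100/19200 and
take the field verbatim. Check both assumptions against the tool sources before
relying on them. The sample shadow contents are constructed and come from no
Subaru image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shadow hash field format assumed from John the Ripper's "qnx" format:
#   @<alg>[,<rounds>]@<hex digest>@<salt>
# alg 'm' = MD5, 'S' = SHA-256, 's' = SHA-512. Rounds default to 1000 when
# omitted (assumption; confirm in the JtR/hashcat sources for your target).
HASH_FIELD_RE = re.compile(
    r"^@(?P<alg>[mSs])(?:,(?P<rounds>\d+))?@(?P<digest>[0-9A-Fa-f]+)@(?P<salt>[^@:]*)$"
)
ALG_NAME = {"m": "MD5", "S": "SHA-256", "s": "SHA-512"}
DIGEST_HEX_LEN = {"m": 32, "S": 64, "s": 128}
# Assumed hashcat mode numbers for QNX /etc/shadow hashes; verify with
# `hashcat --help` on the version you actually run.
HASHCAT_MODE = {"m": 19000, "S": 19100, "s": 19200}
DEFAULT_ROUNDS = 1000


@dataclass
class QnxHash:
    alg: str
    rounds: int
    digest: str
    salt: str

    @property
    def alg_name(self) -> str:
        return ALG_NAME[self.alg]

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODE[self.alg]


def parse_hash_field(field: str) -> Optional[QnxHash]:
    """Parsed hash, or None for empty, locked ('*', '!') or unrecognised fields."""
    m = HASH_FIELD_RE.match(field)
    if not m:
        return None
    alg = m.group("alg")
    digest = m.group("digest").lower()
    if len(digest) != DIGEST_HEX_LEN[alg]:
        return None  # digest length does not fit the declared algorithm
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
    return QnxHash(alg, rounds, digest, m.group("salt"))


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> raw hash field; only the first two colon-separated fields are used."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def compare_shadow(old_text: str, new_text: str) -> Dict[str, Tuple[str, Optional[QnxHash]]]:
    """Per user: 'added' | 'removed' | 'changed' | 'unchanged', plus the newer parsed hash."""
    old, new = parse_shadow(old_text), parse_shadow(new_text)
    report: Dict[str, Tuple[str, Optional[QnxHash]]] = {}
    for user in sorted(set(old) | set(new)):
        o, n = old.get(user), new.get(user)
        if o is None:
            status = "added"
        elif n is None:
            status = "removed"
        elif o == n:
            status = "unchanged"
        else:
            status = "changed"
        report[user] = (status, parse_hash_field(n) if n is not None else None)
    return report


def hashcat_command(field: str, hash_file: str = "qnx.hash", wordlist: str = "words.txt") -> List[str]:
    """argv for a dictionary attack on one field (assumes hashcat reads the field as-is from hash_file)."""
    h = parse_hash_field(field)
    if h is None:
        raise ValueError("not a crackable QNX hash field")
    return ["hashcat", "-m", str(h.hashcat_mode), "-a", "0", hash_file, wordlist]


# Constructed sample files: NOT taken from any Subaru image. The digests are
# arbitrary hex of the right length, present only to exercise the parser.
OLD_SHADOW = (
    "root:@S@" + "0123456789abcdef" * 4 + "@4e1fa8c2:1500000000:0:0\n"
    "dm::1500000000:0:0\n"
    "nobody:*:1500000000:0:0\n"
)
NEW_SHADOW = (
    "root:@s,5000@" + "fedcba9876543210" * 8 + "@c0ffee42:1550000000:0:0\n"
    "dm:*:1550000000:0:0\n"
    "nobody:*:1550000000:0:0\n"
)

if __name__ == "__main__":
    for user, (status, h) in compare_shadow(OLD_SHADOW, NEW_SHADOW).items():
        desc = f"{h.alg_name}, {h.rounds} rounds, hashcat -m {h.hashcat_mode}" if h else "no crackable hash"
        print(f"{user:8} {status:9} {desc}")
```

If root's entry is `unchanged` across the images, the hash you recovered from
the older image is exactly what a cracking run would target; if it is
`changed`, the rounds and algorithm reported for the new entry tell you how much
more expensive each guess became.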

~~~
bdelay
Okay, that's really cool. Tempted to see if I can get some AWS credits or
spend a bit of cash and throw an 8xGPU instance at this for a few days...

~~~
Daneel_
I have a 2080Ti at home I can throw at it for a few days, if you're willing to
share the hashes with me? I'm the same username on reddit if you're interested
in DM-ing me.

------
dugditches
Do cars even come without 'smart' options nowadays? As in, is it possible to
buy a new basic trim car with a traditional radio/without a screen? That can
be removed or replaced?

I just wonder if this 'smart tech' will become like when you find a CD changer
in the trunk of a car. Except these smart dashes won't be easily
removable/swappable like an old cassette deck.

~~~
froindt
>Do cars even come without 'smart' options nowadays?

This will be much harder to find on new cars in the US. As of May 2018, all
new cars are required to have backup cameras
([https://en.m.wikipedia.org/wiki/Backup_camera#Mandates](https://en.m.wikipedia.org/wiki/Backup_camera#Mandates)).
Now that a screen is required, it's harder to financially justify putting in a
head unit that includes physical dials. Instead we're stuck with crap like
"find the button for volume on the screen, then tap it 15 times to adequately
adjust it". I'm hanging on to my 2011 Honda Civic for the foreseeable future,
and pray the UI won't suck on newer vehicles or find a basic trim 2016-2018
that doesn't do everything on the screen.

I appreciate the safety aspect, but hate the UI of every car I've interacted
with.

Any recommendations for cars whose UI doesn't suck?

~~~
userbinator
_Any recommendations for cars whose UI doesn't suck?_

Anything before the late 90s? Buying an old car and then installing your own
backup camera would be one possible way to get the useful features but not the
annoyances.

~~~
froindt
I've considered that. When I buy my best next car (hopefully 3+ years from
now), I'd like to upgrade the model year for the marginal gain in safety. 2015
or so might be my target year.

------
helsinki
If you did this to your car, what would you do to this system now that you
have gained access? Install Android? I'm trying to think of a practical reason
to actually do this to my WRX as Starlink is not an enjoyable platform.

~~~
bdickason
I have a 2015 Impreza and find the built in UI cumbersome and annoying. It has
a few bugs where it can get stuck on a specific menu and it also doesn’t
update the song that’s playing via Bluetooth from Spotify etc.

I feel like there are a ton of nice improvements to be had from the 2015
version if they could be figured out:

1. Better Spotify integration with album cover display, playlist scroll
2. Mirror Google Maps to the display
3. Show any push notifications that come in via your phone
4. Display engine diagnostic info when check engine light is on
5. Display a nice background image when not in use

These are just a few features I’d personally love to see, not sure if any are
at all feasible.

------
hoorayimhelping
>Subaru will have updates for head units affected by this flaw in the coming
weeks.

Wow, this is so cool! I've been getting emails from Subaru to update my
headunit. No idea that I'd see it getting detailed on github and hacker news.

>Harman and Subaru should not assume that the biggest flaw is releasing update
files. Letting customers update their own head units is wonderful, and it lets
security researchers find flaws and report them.

Yes!! Good good, I have to coordinate with a "Service Technician," drop my car
off, have it sit around for a couple of hours, then get it back for something
that would take me 20 minutes to do.

------
lykr0n
79656168267468697326697363277420746865207265618(C?)286845792E2E2E2E...?

Don't blur information- block it out.

~~~
charliesome
It looks like the author anticipated that someone would try to unblur the key
and left a little easter egg there :)

    >> "7965616820746869732069736E277420746865207265616C206B65792E2E2E2E".scan(/../).map { |x| x.to_i(16).chr }.join
    => "yeah this isn't the real key...."

~~~
richjdsmith
This is awesome and absolutely hilarious!

------
thomasfedb
Nice to see that the response from Subaru and Harman was to agree that it was
broken and to fix it.

------
atemerev
Looks reasonably secure! I expected some horrifying engineering mistake, but
the system looks well-designed by modern standards.

~~~
tinus_hn
It allows ssh login to system accounts without passwords, that seems like a
pretty big mistake.

~~~
jmartinpetersen
From what did you conclude this? I read it as if it allowed login over serial
for those accounts, he didn't mention ssh in that context.

~~~
solarkraft
Still, unprotected accounts seem like a pretty insecure idea to me. That's how
our "attacker" got themselves in.

Of course in a free world physical access to a device you own would mean that
you can modify its behavior ("hack" the software).

~~~
jmartinpetersen
Sure, of course, but requiring a serial connection through a physical cable is
still a less useful attack vector than ssh over wifi, which is what I gathered
from the grandfather post - but not the article.

------
solarkraft
Wonderful write-up, but I find it sad that this is handled as a vulnerability,
while it is really a way for users to liberate their device and make it do
what _they_ want to do.

~~~
bdelay
I agree, but I don't have a consulting-firm/reputation/team of lawyers etc. to
hide behind. Reporting flaws to companies related to embedded is often still
scary today.

The point of this is that hey, this isn't actually that hard _if_ you're
willing to put in the time. If you're moderately talented, you can probably
learn it too!

As opposed to the standard exploit write-up/security conference circuit thing,
where a lot of the details are kept secret and it seems like the entire point
is to make other people think you're cool instead of teaching something. :)

~~~
burfog
Getting things patched is awful. A reasonably simple thing I'd like is to
secure myself against meddling by Subaru. That includes updates I don't agree
with and tracking of my vehicle.

Disabling the network connection would pretty much stop the tracking.
Alternately, disabling GPS would work. Anybody worried about both stored data
and about cellular companies reporting tower locations would need to disable
both.

Undesired updates can mostly be stopped by disabling the network connection.
Dealer service could be trouble; they might do an update without asking for my
permission. Scrambling the crypto keys would probably stop the dealer service
people from making updates.

Some of the above would also be needed to keep Subaru from uploading camera
data taken in my garage. As it is now, Subaru could be watching me in my
house!

So, take the above as the high-priority goals.

------
jhfdbkofdcho
My car’s head unit runs that QNX thing. The firmware is authenticated with a
few 512-bit RSA keys, easily cracked. The applications were written as flash
and Java applets. This car isn’t 5 years old.

------
morpheuskafka
I've always wondered about how CarPlay worked with random OEM units like
these, each running their own RTOS and having different binaries and libraries
available. I'm assuming Apple would want to write in Objective-C which isn't
really known for embedded support?

------
dwighttk
Has anyone done this on a Tesla? Seems like free battery capacity is quite the
carrot for that effort.

~~~
bdelay
Not sure. Have an extra Tesla you can send me?

~~~
dwighttk
Yes. You will need to pick it up in orbit though.

------
j_m_b
Now I just wish I could have the EyeSight on my Subaru Forester hacked so
that the adaptive cruise control doesn't go off after three seconds of being
at a full stop.

~~~
dpnvektor
Pro tip: hit the speed up or down button any time in that three second window
to buy yourself another 7 seconds of activation. Annoying, but potentially
hackable!

------
Causality1
Wouldn't it be lovely if we had some kind of digital consumer rights bill that
required all computerized devices to have some method for the end user to gain
root access?

~~~
mathieuh
Security and ease of use are kind of orthogonal

I’m not saying this shouldn’t be a thing, but it requires more thought that
just giving users root

~~~
Causality1
Oh make me jump through hoops. Make me send a registration card with my name,
address, and ten cereal box tops if you want. I'm just tired of having to make
purchasing decisions not on the basis of what devices have the best specs, but
which ones are the least hostile to me actually owning the slab of glass and
plastic I blew an entire paycheck on.

------
mrfusion
Offshoot topic. Is this a trademark issue for spacex’s new system? I didn’t
realize there was an existing product with the same name.

~~~
bpicolo
Different trademark classes

[https://en.wikipedia.org/wiki/International_(Nice)_Classific...](https://en.wikipedia.org/wiki/International_\(Nice\)_Classification_of_Goods_and_Services)

------
usmannk
Question to the author (hopefully you’re still around!): why do you think the
dat files weren’t included in the signed iso?

~~~
bdelay
See the Note from Harman section.

Hence, as the check wasn't working, I never ran into the check. Dat file
signatures may very well be in the header or stored somewhere else.

~~~
usmannk
Ah I see, missed that the first time around. Another thing I’m wondering after
processing this: did you ever try to ssh as the dm or daemon user after seeing
the passwd file originally in ifs-subaru-gen3.raw?

P.S. Thank you for writing this! It’s super interesting and very easy to
follow. I’ve shared it with friends both for the content and also as an
example of excellent technical writing.
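
A quick way to answer the question above over an extracted filesystem (does any
account get in with no password at all, and does it land in a usable shell?), as
an added Python example that is not from the original write-up. It works on the
text of `/etc/passwd` and `/etc/shadow` pulled out of the image. The sample
contents below are invented to exercise the code and say nothing about what the
real `ifs-subaru-gen3.raw` contains. An empty password field, or an `x` that
defers to an empty shadow field, is treated as "no password needed"; `*` and
`!` prefixes as locked; and an empty shell field as the system default shell.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shells that refuse an interactive session. An empty shell field means the
# system default (normally /bin/sh), so it is treated as usable.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class AccountReport:
    user: str
    uid: int
    shell: str
    status: str  # 'open' (no password needed), 'locked', 'hashed' or 'unknown'

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> Dict[str, dict]:
    """user -> {pw, uid, gid, shell}; malformed lines are skipped."""
    out: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 7:
            continue
        out[f[0]] = {"pw": f[1], "uid": int(f[2]), "gid": int(f[3]), "shell": f[6]}
    return out


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> raw hash field; the remaining (ageing) fields are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 2 and f[0] and not f[0].startswith("#"):
            out[f[0]] = f[1]
    return out


def account_status(pw_field: str, shadow_field: Optional[str]) -> str:
    """Classify one account from its passwd field and, if deferred, its shadow field."""
    if pw_field == "":
        return "open"          # no password asked at all
    if pw_field != "x":
        return "locked" if pw_field.startswith(("*", "!")) else "hashed"
    if shadow_field is None:
        return "unknown"       # deferred to shadow, but no entry there; check on the target
    if shadow_field == "":
        return "open"          # shadow entry exists but is empty
    return "locked" if shadow_field.startswith(("*", "!")) else "hashed"


def audit(passwd_text: str, shadow_text: str) -> List[AccountReport]:
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return [
        AccountReport(u, e["uid"], e["shell"], account_status(e["pw"], shadow.get(u)))
        for u, e in passwd.items()
    ]


def exposed_accounts(passwd_text: str, shadow_text: str) -> List[AccountReport]:
    """Accounts that need no password AND have a shell that gives a session."""
    return sorted(
        (r for r in audit(passwd_text, shadow_text) if r.status == "open" and r.interactive),
        key=lambda r: r.user,
    )


# Constructed sample files. Every value here is invented to exercise the code;
# it is not what the Subaru image contains.
PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
dm:x:55:55:Display manager:/:/bin/sh
daemon::1:1::/:/bin/sh
svc:x:200:200::/:/bin/false
nobody:*:99:99::/:/bin/false
"""
SHADOW = "root:@S@" + "0123456789abcdef" * 4 + "@4e1fa8c2:0:0:0\n" + "dm::0:0:0\n" + "svc::0:0:0\n"

if __name__ == "__main__":
    for r in audit(PASSWD, SHADOW):
        print(f"{r.user:8} uid={r.uid:<4} {r.status:8} shell={r.shell or '(default)'}")
    print("exposed:", [r.user for r in exposed_accounts(PASSWD, SHADOW)])
```

Whether an `open` account is reachable over ssh rather than only over a serial
console is a separate question the file cannot answer; that depends on the
sshd configuration and on which interfaces the daemon listens on.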

------
chendragon
Sort of an aside, but I do sort of wonder what goes into the decision to go
with Freescale/QNX as opposed to allwinner/rockchip/MTK and Android in this
application. Surely the cost would be similar or less, and the performance
could potentially be better?

~~~
userbinator
Freescale and Motorola before it have had a long history of supplying
microcontrollers for automotive applications. I'm not sure the other companies
even have the extended temperature range components which are required for
automotive use.

------
inamberclad
On a related note, SpaceX's Dragon apparently can be SSH'd into
according to an engineer I spoke with. Hopefully the connection is well
secured.

------
segmondy
very exciting read, when you say "vehicles internal network" do you mean the
CAN bus? :-O

