It’s 2017 and Hayes AT modem commands can hack luxury cars

A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit. The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between …

  1. Pascal Monett Silver badge

    The one domain where IoT shit cannot linger long

    Babyminders, stuffed toys, surveillance cameras, nobody's life is in danger when these things get taken over. Cars are a different matter though, and it is reassuring to see reaction from the car makers.

    Goes to demonstrate, though, that car makers do not have sufficient security controls in place to avoid this kind of thing before churning out hundreds of vulnerable vehicles. Of course, no amount of checking will find everything.

    I guess they'll just have to design their components to not accept any outside commands not included in a whitelist, implement strict parameter size and content controls and, most importantly, separate the control bus from the infotainment bus. I'll wager that these three things would seriously cut down on hijacking possibilities.

    1. Afernie
      Facepalm

      Re: The one domain where IoT shit cannot linger long

      "Babyminders, stuffed toys, surveillance cameras, nobody's life is in danger when these things get taken over."

      You appear to be limiting your assessment of the possibilities.

      Police officer. "We're very sorry for your loss sir. We think they used the cameras to establish that your wife was home alone..."

      1. 2460 Something

        Re: The one domain where IoT shit cannot linger long

        One of the main concerns with the very easy-to-hack smart meters is that you can easily tell a household's habits, and hence when they are not in.

        Security should be the number one concern of any IT appliance, unfortunately it generally feels to be last minute, rushed and under-appreciated.

        1. Afernie

          Re: The one domain where IoT shit cannot linger long

          "Security should be the number one concern of any IT appliance, unfortunately it generally feels to be last minute, rushed and under-appreciated."

          Along with the sheer lack of interest in actually providing security fixes thanks to perception of these devices as disposable commodity items.

      2. Anonymous Coward

        Re: The one domain where IoT shit cannot linger long

        Unless a house has all the windows blacked out and is connected to a network of underground tunnels it's usually very easy to work out who is at home simply by watching it from a nearby public place. So although these security problems should be fixed they're not really much to worry about in practice for most people. Which is why they often don't get fixed: most people don't care.

        1. Anonymous Coward

          Re: The one domain where IoT shit cannot linger long

          No need to watch the house in 2017, it would be pretty simple to make a camera that takes 1fps 'video' and occasionally squirts it out via LTE that runs for a week off a battery. Stick it to a handy pole or tree at 3am and you don't have to worry about someone reporting to the cops about the creepy guy parked on the street in a van in your neighborhood.

          1. This post has been deleted by its author

      3. Pascal Monett Silver badge

        @Afernie

        I accept your scenario completely, but it still means that "they" checked out the house with cameras, then came to the house, broke into it, and did their nefarious deed. "They" did, not the camera. The camera was an accessory.

        In the case of cars, you can get hacked, drive along obliviously, then suddenly have your car swerve into a tree, a wall or an oncoming bus.

        The car, not the camera. That is the level of difference I am outlining.

    2. Orv Silver badge

      Re: The one domain where IoT shit cannot linger long

      A lot of the problem here, I think, is re-using chipsets intended for cheap, disposable things in a vehicle, where the expected life can exceed 20 years instead of 2. But there isn't a great solution -- it's not really practical for every carmaker to develop their own cellular chipset in-house, and if they tried it would quite likely be worse than what the baseband chipset manufacturers already have.

      1. Anonymous Coward

        Re: The one domain where IoT shit cannot linger long

        The chips weren't "designed for cheap disposable things"...where do you get that idea? It isn't as though companies have one line of cellular chips intended for phones, and a second one for cars.

        Don't shift the blame, the car companies need to start caring about security, and that includes ensuring they update the cellular chip's baseband firmware. Though the REALLY big blunder is giving the cellular chip access to the CAN bus. That's just stupid! Read-only access, sure, but there is no reason for it to have any ability to change anything in a car. If they did that, the worst thing this exploit might be able to do is fuck with your radio presets or give your Nav system maps for Siberia instead of Seattle.

        1. Orv Silver badge

          Re: The one domain where IoT shit cannot linger long

          "It isn't as though companies have one line of cellular chips intended for phones, and a second one for cars."

          That's my point. When you look at the exploits for these baseband chips, it's pretty clear they have all the sloppy development practices you would expect for throwaway tech like phones. They weren't developed with the kind of discipline that should be used for something mission-critical. But they're what's available on a commodity basis, so they're what gets used.

          Firmware updates are important, sure. But what're the odds that the companies that make these chips are going to keep patching vulnerabilities for the life of a vehicle? My car came out the same year as Android Honeycomb. Try getting patches for your Honeycomb phone now.

  2. David Roberts

    Missing words

    Issue a recall.

    Even then I bet most cars from 2010 never see a main dealer or are checked for recalls.

    1. Martin hepworth

      Re: Missing words

      In the UK they are done through the DVLA to the registered owner - i.e. the Takata airbag recall got my 2008 car recalled late last year. But even with that central register it's still a problem, and even more so in the IoT world where things never get patches even from large, well-known manufacturers.

    2. Nolveys
      Windows

      Re: Missing words

      Even then I bet most cars from 2010 never see a main dealer or are checked for recalls.

      That describes the Ford Car Of The Year For 2010. I doubt many of those make it back to the dealership, though there are still a lot of them on the road.

  3. joeldillon

    It's absolutely standard for mobile phones to talk to the baseband processor using the Hayes command set, even today. Nothing that archaic about it I'm afraid!

  4. cd / && rm -rf *

    AT+HACKED

    1. kmac499

      More Like AT+WTF???

  5. Hairy Spod

    Bring on the self driving cars steered deliberately into a ditch or onto a level crossing

    1. phuzz Silver badge
      Pint

      Given the idiocy human drivers get up to, you could probably hack one or two percent a year and still be safer than letting some people behind the wheel.

  6. John Smith 19 Gold badge
    WTF?

    The Hayes modem command set.

    The gift that just keeps giving.

    Seriously my first thought was "This is still a thing in 2017"

    But

    It's been around for decades, its core is well understood, it's easy to extend and anyone wanting to replace it would have the uphill battle of getting everyone to use their language instead.

    What did surprise me is it's even used inside mobile phones between chips. Who would know what was used inside those, and who would care?

    1. Alan W. Rateliff, II

      Re: The Hayes modem command set.

      From what I can tell from some SonyEricsson developer guides, the AT command set is also used between phones and Bluetooth devices to set up indicator updates (charge, signal strength, etc.), even pop up a notice on your phone when a device's battery is going flat, among other things like currently playing media file information.

      I have also read documentation on SMS sending devices which use AT commands, hell even 802.11 "wifi" modems communicate with the host computer via AT commands and the chips are being used to make wireless interfaces for old computers like the Commodore 64. Have to wonder if these would be susceptible to the old "+++ATH0" trick we used to knock people off-line in the old dial-up days*: imagine including a reference to http://theregister.com/+++ath0.jpg in a web page.

      Considering that my old SE phone works with the latest 2017 in-car media computers, none of this surprises me but is rather interesting. Makes me wonder if there are any other devices which use the AT command set which may be vulnerable to buffer mishandling of commands or results (AIO and fax machines, in-car computers over Bluetooth, computer fax modems, regular old modems, alarm systems or critical monitoring systems with cellular modems, and so on.)

      * that is, against modems which did not implement the Hayes standard escape wait time before entering command mode.
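As an added illustration (not code from this thread, from The Register, or from any modem vendor), the following Python simulates the two defences raised in the thread: the Hayes guard time that keeps an in-band "+++ATH0" from escaping to command mode, and the command whitelist with a strict line-length cap that Pascal Monett suggested for car components. The whitelisted commands, response strings and 40-byte cap are assumed values chosen for the simulation.

```python
"""Simulation of a Hayes-style AT command handler with guard-time escape
detection and a command whitelist. Constructed example, not vendor code."""

GUARD_TIME = 1.0   # seconds of line silence required before and after "+++"
MAX_CMD_LEN = 40   # strict upper bound on one command line (assumed value)
# Commands the host is allowed to issue, with canned replies (assumed values)
ALLOWED = {"ATH0": "OK", "ATH": "OK", "ATZ": "OK", "AT+CSQ": "+CSQ: 20,0\r\nOK"}


class HayesLink:
    def __init__(self):
        self.mode = "data"            # "data" (online) or "command"
        self.data_out = bytearray()   # bytes forwarded to the remote end
        self.cmd_buf = bytearray()    # current command line
        self.discard = False          # dropping the rest of an over-long line
        self.plus_count = 0           # '+' characters in the current candidate
        self.last_rx = None           # timestamp of the last received byte

    def feed(self, data, now):
        """Deliver bytes arriving at time `now`; returns command responses."""
        self.idle(now)                # a pending "+++" may have just matured
        responses = []
        for b in data:
            if self.mode == "command":
                responses.extend(self._command_byte(b))
            else:
                self._data_byte(b, now)
            self.last_rx = now
        return responses

    def idle(self, now):
        """Confirm the escape only after GUARD_TIME of silence following +++."""
        if (self.mode == "data" and self.plus_count == 3
                and now - self.last_rx >= GUARD_TIME):
            self.mode, self.plus_count = "command", 0
            return True
        return False

    def _data_byte(self, b, now):
        gap = GUARD_TIME if self.last_rx is None else now - self.last_rx
        if b == ord("+") and self.plus_count == 0 and gap >= GUARD_TIME:
            self.plus_count = 1       # quiet line, then '+': start a candidate
            return
        if b == ord("+") and 0 < self.plus_count < 3 and gap < GUARD_TIME:
            self.plus_count += 1
            return
        # Anything else (including a 4th '+' or no preceding silence) is data,
        # so the candidate pluses are forwarded unchanged, never interpreted.
        self.data_out += b"+" * self.plus_count
        self.plus_count = 0
        self.data_out.append(b)

    def _command_byte(self, b):
        if b in (13, 10):             # CR or LF terminates the command line
            line = self.cmd_buf.decode("ascii", "replace").strip().upper()
            self.cmd_buf.clear()
            if self.discard:
                self.discard = False
                return []
            return [self._execute(line)] if line else []
        if self.discard:
            return []
        self.cmd_buf.append(b)
        if len(self.cmd_buf) > MAX_CMD_LEN:   # size bound: reject whole line
            self.cmd_buf.clear()
            self.discard = True
            return ["ERROR"]
        return []

    def _execute(self, line):
        if line == "ATO":             # standard Hayes: return to online data mode
            self.mode = "data"
            return "CONNECT"
        return ALLOWED.get(line, "ERROR")   # anything not whitelisted is refused
```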

      1. Jamie Jones Silver badge
        Happy

        Re: The Hayes modem command set.

        imagine including a reference to a http://theregister.com/+/++ath0.jpg in a web page.

        *clicks*

        NO CARRIER

        You bastard!

        1. TheElder

          Re: NO CARRIER now working

          +++ath0

  7. Duvelhedz
    FAIL

    Old Vulnerability

    This was a bug used to unlock the iPhone 3G/3GS by flashing the iPad baseband onto it back in 2011. So it has taken until now for the bug to be reported?

    1. Anonymous Coward

      Re: Old Vulnerability

      Probably because it took that long for someone to realize the same cellular chip used in the 3G/3GS was also used in some cars.

  8. Christian Berger

    The second bug is _much_ more relevant

    If you have physical access to such a device you essentially have won. That's not news.

    The news is that they found a bug in the baseband chipset firmware. And that's relevant as there is code reuse, so it's likely that bug still is in modern devices. After all, even your shiny new LTE baseband still has to implement UMTS (with lots of ASN.1) and GSM.

    On that 2G device that may not really matter, as the interface is rather simple, however many 3G and 4G basebands connect via more complex interfaces. The 4G baseband in many laptops, for example, can pose as a keyboard and a disc, which makes exploitation possible in a very stable way. Just pop in a disc and handle the popup.

  9. Roland6 Silver badge

    "In IT terms a 2009 product is close to end-of-life" - Does not compute!

    Love to know the rationale for this statement; having worked on IT 'products' with an intended operational life measured in decades...

    My 1980's Hayes modem (RS232C DB25 connection) probably has many more years of life in it, but I'm pushed to find uses for it (and am loath to simply chuck it in the recycling)...

    Yes, your 2009 (and earlier) product may not be as fast and secure as today's model, or even supported, but that doesn't make it end-of-life, just slower and less secure than its modern replacement.

    An IT product only really goes end-of-life when either the underlying hardware begins to fail or it is no longer compatible with its intended operational environment, i.e. it becomes obsolete.

    1. Afernie

      Re: "In IT terms a 2009 product is close to end-of-life" - Does not compute!

      "Love to know the rationale for this statement; having worked on IT 'products' with an intended operational life measured in decades..."

      Try sticking Windows 7 on this year's Ultrabooks and let us know how you get on. You've worked on products with an intended operational life measured in decades - but most businesses now work with hardware with an intended operational life measured in single-digit numbers of years. The key word in each case is "intended."

      1. Roland6 Silver badge

        Re: "In IT terms a 2009 product is close to end-of-life" - Does not compute!

        >Try sticking Windows 7 on this year's Ultrabooks and let us know how you get on.

        That was my last point about obsolescence!

        Windows 7 runs just fine on the hardware designed for Windows 7 and is still useable for business - even with hardware purchased in 2009; just like a 2009 BMW.

        >but most businesses now work with hardware with an intended operational life measured in single-digit numbers of years..

        That, as we know, is more a consequence of factors such as rapid software and hardware evolution, cost of integration and deployment, ease of asset management and finance. Whilst it may be some years before we see double digit operational life, the trend since circa 2007 has been for longer operational life - where the main factor is the support lifecycle of software, something MS is pushing against as they start to withdraw support for Intel chipsets, which were supported by early versions of Win10 (2015).

      2. Alan W. Rateliff, II

        Re: "In IT terms a 2009 product is close to end-of-life" - Does not compute!

        You've worked on products with an intended operational life measured in decades - but most businesses now work with hardware with an intended operational life measured in single-digit numbers of years. The key word in each case is "intended."

        Okay, sure, but the keyword is "IT".

        The general IT reference cannot be limited to just within the past decade. Not that long ago I found an old 2400 bps modem in one of those street-side billboards. Within the past few years I had been working with a company to install new radios with built-in IP routers for ACARS uplinks which were being handled by 9600 bps lease-circuit modems and radios which my grandfather might have sold when he was a teen.

        I suspect these new radios will not get a couple of decades of service while still providing the same intended purposes of the original radio and computer stack.

    2. Anonymous Coward

      Re: "In IT terms a 2009 product is close to end-of-life" - Does not compute!

      In IT, EOL is used to indicate it is no longer supported, practical to use or generally available.

      "My 1980's Hayes modem (RS232C DB25 connection) probably has many more years of life in it, but I'm pushed to find uses for it"

      Hence it is regarded as EOL. You can't update it, you need special adapters to connect to it, the drivers may no longer be available for it. Doesn't mean it is physically broken or impossible to use.

      Forced upgrades or replacements to perfectly good hardware or software due to it being declared EOL is a regular occurrence for anyone working in IT.

  10. Mike 16

    EOL

    While I have "fun" using computers from the last millennium, the vendors (of both software and hardware) do seem to be hell-bent on making the "Clean Cup, move down" moment come at 5 years or less. Yes, you _can_ run _a_ browser on _a_ laptop from 2009, but good luck using any of the "modern" websites if you do. And then there's the "You can connect to your new iPhone, _or_ run Adobe Creative Suite" aspect of OS updates from a certain vendor.

    But the reason I came here is that I just read, on another site which will not be named, that the patents on the 80486 have expired, and the Pentium patents are doomed soon. I recalled that (cough) some major OS suppliers are dropping 486 support. Can it be that they don't want to deal with a flurry of "almost a 486" CPUs, each with their own quirks?

    1. Orv Silver badge

      Re: EOL

      Could be, but I suspect it's more likely they don't want to have to go through the bother of testing each new build against hardware that's not been in production for at least a decade, and hasn't been supported by new Windows releases for even longer. Not to mention having to turn off later optimizations at compile time, or compromise performance on current systems. You have to have a cutoff somewhere, and often stuff out on the skinny tail of the bell curve just isn't worth the effort.

    2. Peter Gathercole Silver badge

      Re: EOL @Mike 16

      I'm currently running Ubuntu on laptops from before 2009, and they still work just fine.

      The only real problem I'm having is that most videos from places like YouTube tax the processor a bit, but avoiding video, things work OK.

      There is a lowest spec that is usable, and I would say that a 2GHz processor, 2GB memory and some graphics assist is currently where it is at the moment for x86 processors, especially if you run Linux. I actually have a desktop with a 2.13GHz Pentium Dual Core (the last Pentium before the Core processors came along), with 2GB of memory and Nvidia GeForce 720 on-board graphics, which is perfectly usable running Windows 7.

      Strangely, ARM devices appear to be able to work just as well or better at much slower clock speeds!

    3. katrinab Silver badge

      Re: EOL

      Which suppliers are dropping support for 486 chips?

      Microsoft dropped support for them with Windows 2000 and ME

      Apple never supported them, they were using PowerPC chips back then

  11. Anonymous Coward

    I missed something

    This article never mentioned what you can DO once the vuln is exploited.

    1. Alan W. Rateliff, II

      Re: I missed something

      That is left to the imagination of the reader or anyone with the motivation to try it.

  12. Pirate Dave Silver badge
    Pirate

    Physical access

    So, aside from espionage-type stuff of making an automobile accident look "accidental", if you've got enough physical access to the car to plug in and start whacking at the TCU chipset, wouldn't it be easier to just hotwire the starter and steal the car altogether? What is the payoff of hacking the TCU? Free WiFi from OnStar? Prank dialing 911? Maybe my imagination is a bit limited this late in the day, but what's the point?

    1. Alan W. Rateliff, II

      Re: Physical access

      I suppose one thing would be the next take-down of half the Internet could be done by cars instead of IP cameras.

      But, imagine if you will, suddenly making a bunch of cars of a particular model shut down at the same time, or they activate the braking system all at once on various Interstates. Obviously that all depends upon what additional systems can be accessed, but if car designers take the TJX or Target approach that nothing bad can happen inside a protected network, well, there are all sorts of shenanigans which can ensue.

      While the espionage angle of killing a journalist or political staffer without traces of foul play may sound outlandish, maybe take that a little further and realize that in its most useful mode a car is a ton-and-a-half missile. And I am not talking about the back seat on a hill top. Since we are becoming more and more dependent upon technologies like lane keeping, blind-spot monitoring, object avoidance and, eventually, self-driving, the uses for taking over a system using the defects in a modem are pretty evident.

      For that matter, I wonder what happens if we start sending malformed GPS signals to cars with built-in navigation. Even the car I am driving right now (not while typing this, mind you) without navigation can use the built-in GPS to set the clock, and when paired with my phone it can place an emergency call including my GPS coordinates in the event of an incapacitating accident. So, what about mishandling malformed GPS input when the unit is receiving an updated almanac?

      Anyway, that is just thinking about another vector into a potentially unprotected system, but gaining access to a car's systems, even "non-critical" ones like oil pressure or temperature sensing, speed indication, hood release, and so on could cause a great deal of mischief.

  13. Anonymous Coward

    The car companies are criminal

    My BMW was stolen a few nights ago - less than 30 seconds to unlock and 4-5 seconds from the guy's arse hitting the driver's seat to the engine starting. No physical damage to the car.

    This was built in October 2016, more than six months after the previous key exploits were publicised and BMW are still selling these systems.

    C*nts.

    1. Roland6 Silver badge

      Re: The car companies are criminal

      >My BMW was stolen a few nights ago - less than 30 seconds to unlock and 4-5 seconds from the guys arse hitting the drivers seat to the engine starting.

      Sometimes the old methods are the best methods...

      Years back most cars didn't have an alarm fitted and could be unlocked in a matter of seconds, so if you wanted your car to be where you left it, you fitted a Krooklok or Stoplock...

      Not saying the car companies don't carry some blame (for just how insecure keyless cars are), just that sometimes you do have to exercise some responsibility and take matters into your own hands...

      1. Fatman
        Joke

        Re: The car companies are criminal

        <quote>so if you wanted your car to be where you left it, you fitted a Krooklok or Stoplock...</quote>

        Or NoJack, a rocket propelled grenade launcher hidden in the steering column.

  14. TheElder

    you fitted a Krooklok or Stoplock.

    Way back when I was in Berkeley I simply used Robertson screws to fasten the 8-track player and quite a few other things. That was handy since I was driving a convertible Morris Minus. To make it harder to steal I just removed the two little fuses and replaced them with blown fuses. Then I could just stick one fuse between them.

    Driving was a lot more fun when I got an MGA, then an MGB, a TR4 as well as a Healy 3000.

  15. Anonymous Coward

    BA hack

    seems to have been remarkably similar. In fact I suspect that someone got in through an old machine with a modem similar to this, using the time-honoured technique of randomly phoning similar numbers and waiting for a particular response, namely a click of a specific timing and amplitude.

    Seems that someone left a machine plugged in to an unused phone socket on the PBX, and because it was late at night no-one heard it ring.

    Right out of "WarGames".
