A few years ago, I read an academic paper on how to hack cars. Today news came out that what was previously demonstrated via direct access is also possible over the air.
I thought it would be fun to look at the firmware update file that fixes this, to see what format it is in, what’s in it, etc. To get an update for 2014 Jeep Cherokees, you need a VIN. It turns out a used car sales website had posted the VINs of its inventory, so I found one: 1C4PJMDB6EW255433
Then you put it into the UConnect website, which is a typical late-2000s travesty of over-engineering. It wants you to use some plugin from Akamai to download the file, but in small print tells you that you can also click on a link instead. But of course, there’s JavaScript insanity to prevent you from finding out what the link is. It is delivered via TLS, which is interesting. It is a 456 meg zip file. It also has a user-specific token on the end of it, and without that you get a 404 when you try to fetch it.
The zip file has an ISO inside of it:
$ unzip -l MY13_MY14_RA4_15_26_1.zip
Archive:  MY13_MY14_RA4_15_26_1.zip
   Length     Date    Time   Name
 ---------  --------  -----  ----
 583661568  06-23-15  14:48  swdl.iso
 ---------                   -------
 583661568                   1 file
The ISO file is slightly bigger than the zip file, at 583 megs:
$ ls -l swdl.iso
-rw-r--r-- 1 jra staff 583661568 Jun 23 14:48 swdl.iso
Inside the ISO file is:
dr-xr-xr-x 2 jra staff 2048 Jun 23 16:47 bin
dr-xr-xr-x 2 jra staff 2048 Jun 23 16:47 etc
dr-xr-xr-x 2 jra staff 2048 Jun 23 16:47 lib
-r-xr-xr-x 1 jra staff 1716 Jun 23 16:47 manifest
dr-xr-xr-x 4 jra staff 2048 Jun 23 16:47 usr
And that manifest file? It is Lua, which the updater apparently reads in by executing it.
So right. The updater itself apparently gives an attacker execute privs in the address space of the Lua interpreter via an unsigned file.
Jeeze, Chrysler, that’s like Game Set and Match, and I haven’t even looked into bin/ yet. WTF?
Update after reading some more…
Well, something interesting happens in isochk.lua, where the second block of 64 bytes from the ISO is read and then fed to “openssl rsautl”, using a public key that is on the device. But isochk.lua is loaded from the ISO itself, and is called by install.sh, also from the ISO. So it seems like if you want to make your own ISO, you need to remember to make install.sh’s call to isochk.lua a no-op.
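The two weaknesses above, an executed manifest and an integrity check that is shipped inside the artefact it checks and covers only 64 bytes of it, come down to one design rule: the verifier and its key stay on the device, the check covers the whole image, and nothing from the image is interpreted until the check has passed. The Python below is an added example written for this post; it is not code from the Jeep updater, from Harman or from Chrysler. The image layout, the device key, the manifest grammar and the sample manifests are all constructed, and HMAC-SHA256 stands in for the RSA signature that the openssl rsautl call would verify (a real device would use a public-key signature so that it holds no secret). The weak variant is included only to show, side by side, why a check over one 64-byte block does not protect the rest of the image.

```python
"""Added illustration (not from the post or the vendor's updater) of how an
update check should be structured: the key and the verification code stay on
the device, the check covers the whole image, and the manifest is parsed as
data rather than executed. Every value below is constructed for the example.
HMAC-SHA256 stands in for the RSA signature the post's openssl rsautl call
would verify; a real updater would use a public-key signature.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Key held by the device's updater (constructed for this example). It is never
# part of the image, so the image cannot supply its own verifier.
DEVICE_KEY = b"constructed-device-key-not-for-real-use"
MAC_LEN = 32  # SHA-256 output length

# Manifest grammar: one "key=value" per line, comments allowed, nothing else.
MANIFEST_LINE = re.compile(r"^([a-z_]+)=([A-Za-z0-9._/-]+)$")
ALLOWED_KEYS = {"version", "target", "image_sha256"}


def _mac(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_image(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Image layout (constructed): 32-byte MAC over the ENTIRE payload || payload."""
    return _mac(payload, key) + payload


def verify_image(image: bytes, key: bytes = DEVICE_KEY) -> Optional[bytes]:
    """Return the payload only if the MAC over all of it matches; None otherwise."""
    if len(image) < MAC_LEN:
        return None
    mac, payload = image[:MAC_LEN], image[MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    return payload


def weak_sign_image(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Weak variant for contrast: the MAC covers only the second 64-byte block,
    the shape of check the post describes. Not something to ship."""
    return _mac(payload[64:128], key) + payload


def weak_verify_image(image: bytes, key: bytes = DEVICE_KEY) -> Optional[bytes]:
    """Accepts any image whose bytes 64..127 are intact, whatever follows them."""
    if len(image) < MAC_LEN + 128:
        return None
    mac, payload = image[:MAC_LEN], image[MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload[64:128], key)):
        return None
    return payload


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the manifest as data. Any line that is not a known key with a plain
    value is rejected, so a manifest that contains code cannot be loaded."""
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m or m.group(1) not in ALLOWED_KEYS:
            raise ValueError(f"manifest line {lineno} rejected: {raw!r}")
        result[m.group(1)] = m.group(2)
    return result


def apply_update(image: bytes) -> Optional[Dict[str, str]]:
    """Verify first, interpret second: the manifest text is not even decoded
    until the whole image has passed the check."""
    payload = verify_image(image)
    if payload is None:
        return None
    return parse_manifest(payload.decode("ascii"))


if __name__ == "__main__":
    # Constructed sample manifest, padded past 128 bytes so the weak check applies.
    manifest = (b"# constructed sample manifest\n" + b"#" * 110 + b"\n"
                + b"version=15.26.1\ntarget=RA4\n")
    good = sign_image(manifest)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one bit at the tail
    print("full check, intact:  ", apply_update(good))
    print("full check, tampered:", apply_update(tampered))
    weak = weak_sign_image(manifest)
    weak_tampered = weak[:-1] + bytes([weak[-1] ^ 0x01])
    print("weak check accepts tampered tail:", weak_verify_image(weak_tampered) is not None)
```

The ordering in apply_update is the point that the ISO gets backwards: the check runs from code and a key that are already on the device, and the manifest is only ever treated as a handful of key=value lines, so there is no interpreter for an unsigned file to get into.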
Other interesting things I found while trolling around… they have the Helvetica Neue font, and right next to it a license file saying, “for evaluation only”. Jeeze, sure hope that Harman have paid up, or else they might have a bill in the mail.
There’s a file called cisco.sh which does what’s needed to put the device on Ethernet if a Linksys USB300M adapter is plugged in. It has some checks in it for an internal development mode, but those would be easy to bypass if you can in fact edit the ISO image at will.
So, all in all, it would be fun to play if I had a Jeep. But I’m still planning on getting a Tesla.