Anyone used simaservis1108

Old 08-09-2021, 09:27 AM
  #31  
jimmiejam
Rennlist Member
 
 
Join Date: Aug 2020
Location: FORT LAUDERDALE
Posts: 256
Received 109 Likes on 73 Posts

Originally Posted by Porsche_nuts
Honestly, you can ask the same questions about any software or app you install on your phone or computer or any chip you put in, or any USB dongle you buy and connect to your computer. Do you really know what is on any of them?

For that matter, the same applies to Joyauto, NM Auto, etc.

If you have any Amazon Dot, Echo, or any other brand, same questions apply. Amazon and Google know more about you than you think and guaranteed more than simaservis would.
Exactly, you give strangers TOTAL access to your phone/tablet's content when you download an app, etc. Remember when you had to have an app to have a "flashlight" on your phone? You gave them total access to your phone... for a flashlight feature.
Old 08-09-2021, 04:10 PM
  #32  
911dude41
Drifting
 
 
Join Date: Jan 2020
Posts: 2,465
Received 1,226 Likes on 705 Posts

Originally Posted by manifold danger
Cool, you had the sense to not use your personal or work laptop to let him dial in to your car.

So since you seem to be an expert, do you know exactly what he did to your car's PCM?

If so, how exactly do you know that? Because you followed along on your "borrowed" laptop's screen?

Did you have wireshark or similar installed to monitor all incoming/outgoing network traffic? Did you save the recording? Would you mind sharing with me?

Did you have an EDR product or some other sort of tool to monitor all activity on the borrowed laptop (not just what was shown on the screen)? What about the car's PCM? What sort of tool could you use to monitor and/or record ALL activity in the car's PCM? (if such a tool exists I'm genuinely interested...)

Was anything installed? How could you tell if it was or wasn't, are you just going on his word? If anything was installed, have you reviewed the source code to tell EXACTLY what the software does? Were there any strange or hidden functions embedded within the code that would, let's just say, continuously monitor your GPS coordinates? Listen in on your phone conversations/email correspondence/text messages? Access your calendar? Send emails/text messages on your behalf? Intercept and reconstruct electronic inputs to things like throttle, A/F ratio, intake/exhaust air temperature, coolant temperature, etc. etc. etc.

If not, HOW WOULD YOU KNOW?

This is just off the top of my head. If you can't answer any one of these questions, you shouldn't have let anyone hook into your car remotely.
I would totally have a beer with you. I see your point man, but you're off the hook lol.

I watched him hack my PCM. Felt like Russian KGB espionage. I felt alive, free, and rebellious but all in the comfort of my TWO hundred thousand dollar 911 not ONE hundred thousand dollar. Not only was I nested inside my Poorsche, I was also in the confines of the USA. Come at me bro. We got missiles and stuff.

But really, he used some VW/Audi coding software. Was it a DiSgUiSe? It's truly spine tingling.

My PCM is not connected to the internet. It's been months, no one has hacked my stuff.
The following users liked this post:
HooosierDaddy (08-09-2021)
Old 08-09-2021, 04:45 PM
  #33  
enzotcat
Pro
 
 
Join Date: Mar 2016
Posts: 711
Received 384 Likes on 200 Posts

The PCM unit runs QNX. There are primary and secondary filesystems. The secondary filesystem contains a single binary of interest. The "antitheft" checks that asellus alludes to are checks that verify a SHA signature against a locally stored public key. The changes to the root fs for the secondary file system that are described in the massively long Android Auto thread are to a single binary. The code that it was originally written in was in C++. The changes that can be made simply nuke out a set of conditionals such that the failure branch is not executed, and execution falls through to the success branch. The second set of changes is to add a FEC (feature enablement code) to a FEC "container" - a file in the filesystem. That FEC container has a specific format, and the end of it contains a SHA hash of the FECs that have been enabled. You can either generate a new PK/PK pair, update the PK in the key container and leave the original code alone, or you can sign it with an arbitrarily generated PK, which necessitates the aforementioned changes. The third change is to the "adaptations" database - that is essentially a redundant mechanism that the system uses to decide what features are enabled (which is then validated by way of the FEC check, which is the "antitheft" mechanism that asellus mentioned) - and this is something that is normally performed by a PIWIS, but can be performed via a command line utility on the head unit itself.

Now that I've established my credentials ...

1. In order to be able to monitor emails, calls, GPS position, etc. (on an ongoing basis post-modification) you would need a substantial change to the filesystem, and the above-mentioned binary itself has a specific size in the filesystem. There is very little additional space left to write it, because you are doing a block-level write.
2. Even were you to monitor the above, all of this occurs on the head unit. Without having a SIM card installed with an available data plan, you cannot exfiltrate that data.
3. Android Auto does not allow a head unit to control settings or install software on the host mobile device, so malware delivery there is not possible.
4. It is certainly possible to have accessed the already-stored phone numbers, text messages on the PCM device, although my recollection is that those are in a separate filesystem than the one being manipulated and I believe that they are only cached while the phone is connected via bluetooth or AA or CarPlay. So again, not a big attack vector.

I'd be far more concerned about attacks into your home network while installing the software. Anyone who uses this service should set up a separate, protected, guest network, and should allow access only to a virtual machine running on that laptop (or a clean, disposable laptop). Subsequent to the work, that VM should be completely destroyed.

TL;DR - while your concerns have merit, in this instance the risk of ongoing monitoring is not particularly high. The risk of a payload deposit on your own laptop along with a subsequent network penetration is most certainly significantly higher, and that is the thing that should give people the most pause.


Originally Posted by manifold danger
Cool, you had the sense to not use your personal or work laptop to let him dial in to your car.

So since you seem to be an expert, do you know exactly what he did to your car's PCM?

If so, how exactly do you know that? Because you followed along on your "borrowed" laptop's screen?

Did you have wireshark or similar installed to monitor all incoming/outgoing network traffic? Did you save the recording? Would you mind sharing with me?

Did you have an EDR product or some other sort of tool to monitor all activity on the borrowed laptop (not just what was shown on the screen)? What about the car's PCM? What sort of tool could you use to monitor and/or record ALL activity in the car's PCM? (if such a tool exists I'm genuinely interested...)

Was anything installed? How could you tell if it was or wasn't, are you just going on his word? If anything was installed, have you reviewed the source code to tell EXACTLY what the software does? Were there any strange or hidden functions embedded within the code that would, let's just say, continuously monitor your GPS coordinates? Listen in on your phone conversations/email correspondence/text messages? Access your calendar? Send emails/text messages on your behalf? Intercept and reconstruct electronic inputs to things like throttle, A/F ratio, intake/exhaust air temperature, coolant temperature, etc. etc. etc.

If not, HOW WOULD YOU KNOW?

This is just off the top of my head. If you can't answer any one of these questions, you shouldn't have let anyone hook into your car remotely.
The following 8 users liked this post by enzotcat:
asellus (08-09-2021), core22 (08-13-2021), HooosierDaddy (08-09-2021), jimmiejam (08-09-2021), manifold danger (08-10-2021), Noah Fect (08-10-2021), sdm100 (08-13-2021), T3X4S (08-11-2021) and 3 others liked this post.
Old 08-09-2021, 06:38 PM
  #34  
jimmiejam
Rennlist Member
 
 
Join Date: Aug 2020
Location: FORT LAUDERDALE
Posts: 256
Received 109 Likes on 73 Posts

Most excellent, enzotcat!!!!!

BTW, my head hurts after reading your post .
The following users liked this post:
enzotcat (08-09-2021)
Old 08-09-2021, 07:09 PM
  #35  
Porsche_nuts
Nordschleife Master
 
 
Join Date: Jan 2010
Location: New York
Posts: 5,392
Received 1,176 Likes on 708 Posts

Originally Posted by enzotcat
The PCM unit runs QNX. There are primary and secondary filesystems. The secondary filesystem contains a single binary of interest. The "antitheft" checks that asellus alludes to are checks that verify a SHA signature against a locally stored public key. The changes to the root fs for the secondary file system that are described in the massively long Android Auto thread are to a single binary. The code that it was originally written in was in C++. The changes that can be made simply nuke out a set of conditionals such that the failure branch is not executed, and execution falls through to the success branch. The second set of changes is to add a FEC (feature enablement code) to a FEC "container" - a file in the filesystem. That FEC container has a specific format, and the end of it contains a SHA hash of the FECs that have been enabled. You can either generate a new PK/PK pair, update the PK in the key container and leave the original code alone, or you can sign it with an arbitrarily generated PK, which necessitates the aforementioned changes. The third change is to the "adaptations" database - that is essentially a redundant mechanism that the system uses to decide what features are enabled (which is then validated by way of the FEC check, which is the "antitheft" mechanism that asellus mentioned) - and this is something that is normally performed by a PIWIS, but can be performed via a command line utility on the head unit itself.

Now that I've established my credentials ...

1. In order to be able to monitor emails, calls, GPS position, etc. (on an ongoing basis post-modification) you would need a substantial change to the filesystem, and the above-mentioned binary itself has a specific size in the filesystem. There is very little additional space left to write it, because you are doing a block-level write.
2. Even were you to monitor the above, all of this occurs on the head unit. Without having a SIM card installed with an available data plan, you cannot exfiltrate that data.
3. Android Auto does not allow a head unit to control settings or install software on the host mobile device, so malware delivery there is not possible.
4. It is certainly possible to have accessed the already-stored phone numbers, text messages on the PCM device, although my recollection is that those are in a separate filesystem than the one being manipulated and I believe that they are only cached while the phone is connected via bluetooth or AA or CarPlay. So again, not a big attack vector.

I'd be far more concerned about attacks into your home network while installing the software. Anyone who uses this service should set up a separate, protected, guest network, and should allow access only to a virtual machine running on that laptop (or a clean, disposable laptop). Subsequent to the work, that VM should be completely destroyed.

TL;DR - while your concerns have merit, in this instance the risk of ongoing monitoring is not particularly high. The risk of a payload deposit on your own laptop along with a subsequent network penetration is most certainly significantly higher, and that is the thing that should give people the most pause.

what he said
The following users liked this post:
HooosierDaddy (08-11-2021)
Old 08-10-2021, 01:43 PM
  #36  
manifold danger
Three Wheelin'
 
 
Join Date: Jul 2017
Location: Mid-Atlantic
Posts: 1,869
Received 1,136 Likes on 641 Posts

Originally Posted by enzotcat

TL;DR - while your concerns have merit, in this instance the risk of ongoing monitoring is not particularly high. The risk of a payload deposit on your own laptop along with a subsequent network penetration is most certainly significantly higher, and that is the thing that should give people the most pause.
Good breakdown, the hack makes much more sense now.

But you also appear to get what I was worried about. It's not so much what's being done to the PCM (although that is still a concern but there seem to be sensible guardrails in place, as there should be), but it's the access that must be allowed to put it there. A "throwaway" laptop or VM is a given. It still appears that you're relying on the built-in safeguards of the PCM architecture and the limitations on the Android Auto app itself. We do this every day with "traditional" endpoint devices, and it's not enough under all circumstances. There are still literally hundreds of billions of dollars spent in the cyber security industry, and bad things still happen. (case in point: https://www.cvedetails.com/vulnerabi...d-436/QNX.html)

But overall I don't have any rebuttal to this right now, seems pretty sound. Still won't be letting anyone dial in to my cars just to get a feature that should have been there in the first place, but the risk seems low based on this explanation.

Hopefully I gave enough caveats to make it clear I wasn't assuming anything- this includes the relative "safety" of the modifications as well as the validity of my concerns. Just expressing the lack of an overall comfort level that I still have and will continue to have until I have a TOTAL understanding of the PCM architecture and EXACTLY what is being done and how it's being executed. Which is honestly interesting enough to merit more research, if I could find time for a pet project. I know many are looking into this and I just haven't found a way to tie it into my day job, so it would require personal time to investigate- which I don't have much of at the moment.

I still don't actually have your credentials- you seem to know what you're talking about, far more than I do but I don't know if this is just diligent research or if you do this as a day job- but this is interesting. I have at least found someone on the same wavelength, which is a bonus.

edit: final question- would you let a guy from eastern Europe RDP into your car?

Last edited by manifold danger; 08-10-2021 at 01:53 PM.
Old 08-10-2021, 08:54 PM
  #37  
Noah Fect
Rennlist Member
 
 
Join Date: Aug 2012
Location: Pac NW
Posts: 6,243
Received 1,299 Likes on 886 Posts

RDP, no, because I can't watch him. VNC, sure.
The following users liked this post:
DarienA (08-13-2021)
Old 08-10-2021, 11:06 PM
  #38  
B Russ
Rennlist Member
Thread Starter
 
 
Join Date: Aug 2017
Location: 91North/75South
Posts: 2,365
Received 776 Likes on 523 Posts

Well if that ain't some technodick swinging
Old 08-12-2021, 05:05 PM
  #39  
manifold danger
Three Wheelin'
 
 
Join Date: Jul 2017
Location: Mid-Atlantic
Posts: 1,869
Received 1,136 Likes on 641 Posts

Originally Posted by Noah Fect
RDP, no, because I can't watch him. VNC, sure.
Well technically it isn't "RDP into your car" like I said, that was definitely figurative; I think one guy mentioned using TeamViewer which is probably pretty close to a VNC session, but that's into the laptop. Which is scary in and of itself but the same guy who mentioned TeamViewer said the laptop that was used was "borrowed" from Walmart so not much risk there except from granting access to the network- which could then be more or less mitigated by using a hotspot or Starbucks wireless. I'd still be suspicious of things happening via TeamViewer/VNC too; I'm sure there's some opportunity to drop a payload even while you're watching. If I thought hard enough I could probably come up with a couple examples actually, and I haven't done any red-teaming in several years.

I'm still worried about the connection to the car's interface (via USB IIRC), but I'll concede again I don't have any experience to draw from as I'm admittedly pretty ignorant outside of traditional enterprise security. I'm sure as hell interested though. These days not much piques my interest to this degree... but I also don't have a spare throwaway modern Porsche or PCM unit to experiment with on hand at the moment.

But my guess is there's some sort of maybe not-as-obvious vector via that USB connection to the car that my spidey sense still wants to investigate further. Before people call me paranoid again, I'm not saying there is definitely some opportunity for mischief there... but that there might be. And usually in cyber, where there's a "might be" when it comes to opportunities to make things misbehave, this generally means... "yes, there most certainly is under these specific conditions".

Sometimes I envy security researchers, they do this kind of stuff all day long. I just don't know how comfortable I'd be basing my income on what companies are paying (if they're paying) for bug bounties...
Old 08-12-2021, 05:08 PM
  #40  
911dude41
Drifting
 
 
Join Date: Jan 2020
Posts: 2,465
Received 1,226 Likes on 705 Posts

Originally Posted by manifold danger
Well technically it isn't "RDP into your car" like I said, that was definitely figurative; I think one guy mentioned using TeamViewer which is probably pretty close to a VNC session, but that's into the laptop. Which is scary in and of itself but the same guy who mentioned TeamViewer said the laptop that was used was "borrowed" from Walmart so not much risk there except from granting access to the network- which could then be more or less mitigated by using a hotspot or Starbucks wireless. I'd still be suspicious of things happening via TeamViewer/VNC too; I'm sure there's some opportunity to drop a payload even while you're watching. If I thought hard enough I could probably come up with a couple examples actually, and I haven't done any red-teaming in several years.

I'm still worried about the connection to the car's interface (via USB IIRC), but I'll concede again I don't have any experience to draw from as I'm admittedly pretty ignorant outside of traditional enterprise security. I'm sure as hell interested though. These days not much piques my interest to this degree... but I also don't have a spare throwaway modern Porsche or PCM unit to experiment with on hand at the moment.

But my guess is there's some sort of maybe not-as-obvious vector via that USB connection to the car that my spidey sense still wants to investigate further. Before people call me paranoid again, I'm not saying there is definitely some opportunity for mischief there... but that there might be. And usually in cyber, where there's a "might be" when it comes to opportunities to make things misbehave, this generally means... "yes, there most certainly is under these specific conditions".

Sometimes I envy security researchers, they do this kind of stuff all day long. I just don't know how comfortable I'd be basing my income on what companies are paying (if they're paying) for bug bounties...
Yes you do, it's called warranty. If it breaks, or he breaks it... Porsche buys and installs you a new one. At least that's what the pamphlet says
Old 08-12-2021, 05:51 PM
  #41  
Noah Fect
Rennlist Member
 
 
Join Date: Aug 2012
Location: Pac NW
Posts: 6,243
Received 1,299 Likes on 886 Posts

Yeeeeeeeeeeeah.... no. Attempting to file a warranty claim on a hacked PCM will be good for a few laughs at the dealer, though.
The following users liked this post:
manifold danger (08-12-2021)
Old 08-12-2021, 07:39 PM
  #42  
manifold danger
Three Wheelin'
 
 
Join Date: Jul 2017
Location: Mid-Atlantic
Posts: 1,869
Received 1,136 Likes on 641 Posts

Originally Posted by 911dude41
Yes you do, it's called warranty. If it breaks, or he breaks it... Porsche buys and installs you a new one. At least that's what the pamphlet says
lol. Good luck with that.

edit- no seriously, it would be pretty trivial to validate if what enzotcat described had been performed- obviously if it's being talked about on this board it's public knowledge... but I'm not 100% sure they would do that. There's probably tons of other parameters that would likely be checked before any warranty work on a bricked PCM would be done though, I'd be REALLY surprised if this would fly under a dealer's radar.

If you're expecting the guy who did the work to compensate you on a new PCM or god knows what else could break, I don't think that's very wise either.

In fact, all things aside, the warranty concerns alone are cause for pause on this "procedure". But same rules apply for a tune and it doesn't stop people from doing those all the time... (benefits are arguably more worth the risk but I digress).


Last edited by manifold danger; 08-12-2021 at 07:46 PM.
Old 08-12-2021, 08:59 PM
  #43  
asellus
RL Community Team
Rennlist Member
 
 
Join Date: Dec 2013
Location: Minnesota
Posts: 5,749
Received 2,060 Likes on 1,277 Posts

ITT: people speculating about things they very clearly do not understand. Let's fix that.

Assume that somehow you managed to **** up the PCM entirely doing this little hack, which means you somehow broke the secondary file system. Let's assume that this breaking of the secondary filesystem somehow breaks your entry portal (spoiler: this cannot happen through the hacking method used, but let's have this argument anyways because someone is going to insist eventually).

What will happen is your PCM will go into a boot loop, or it will boot up to effectively "nothing" -- the boot loop is about 15-20 seconds on mine, plenty of time to literally just smash in a fixed image.

So, you go to the dealer. Say to the dealer "hey, my PCM is doing this weird thing, can you fix it?"

Dealer plugs in PIWIS. PIWIS can't talk to PCM because it won't fully boot. Dealer says "yep, she's hoopajooped, we can reproduce this easily and we can't seem to fix it. Factory warranty (or CPO) covers this, so we'll get parts ordered." then installs the new parts. Done.

The only way to tell this is done is to manually checksum the mibroot fs (or the single file modified, as mentioned by enzotcat), compare that to the list of known checksums by version, and see that it doesn't match. Even then, the oh-so-easy "huh, corrupt filesystem/memory" excuse is overwhelmingly more likely than "this nefarious customer has attempted to reflash their PCM and cocked it up"
The following 2 users liked this post by asellus:
enzotcat (08-12-2021), HooosierDaddy (08-12-2021)
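The checksum comparison asellus describes above, applied to the three locations enzotcat's post names (the checking binary, the FEC container and the adaptations database), as an added example that is not code from the thread or from any Porsche/PIWIS tooling. All paths, the version label and the reference hashes are constructed for the demo; real PCM paths and trusted reference hashes are not on the page.

```python
"""Known-good hash comparison for an extracted head-unit filesystem.

Added example (not from the thread). Every path, version label and
reference digest here is constructed; a real check would load a trusted
manifest obtained from outside the unit being examined.
"""
import hashlib
import os
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash large images in 1 MiB pieces


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Chunked SHA-256 so a multi-GB extracted image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def digest_tree(root: str) -> Dict[str, str]:
    """Digest every regular file under `root`, keyed by '/'-separated relative path."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


# Constructed golden image for a hypothetical firmware version "v1". The three
# paths stand in for the three places enzotcat says the modification touches.
GOLDEN_V1: Dict[str, bytes] = {
    "bin/feature_check": b"original signature check, conditionals intact\x00",
    "etc/fec.container": b"FEC:0001;FEC:0002;" + b"\x00" * 8,
    "etc/adaptations.db": b"adaptations: factory defaults",
}

# Known-good manifests keyed by version (constructed; normally a trusted input).
KNOWN_GOOD: Dict[str, Dict[str, str]] = {
    "v1": {p: sha256_bytes(d) for p, d in GOLDEN_V1.items()},
}


def verify_digests(version: str, actual: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare observed digests to the manifest for `version`.

    Returns (ok, findings); findings name modified, missing and unexpected
    files. An unknown version is itself a finding: without a trusted
    manifest there is nothing to compare against.
    """
    manifest = KNOWN_GOOD.get(version)
    if manifest is None:
        return False, [f"no known-good manifest for version {version!r}"]
    findings: List[str] = []
    for path in sorted(manifest):
        if path not in actual:
            findings.append(f"missing: {path}")
        elif actual[path] != manifest[path]:
            findings.append(f"modified: {path}")
    findings.extend(f"unexpected: {p}" for p in sorted(set(actual) - set(manifest)))
    return not findings, findings


def verify_image(version: str, image: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Convenience wrapper for an in-memory image such as GOLDEN_V1."""
    return verify_digests(version, {p: sha256_bytes(d) for p, d in image.items()})


if __name__ == "__main__":
    tampered = dict(GOLDEN_V1)
    tampered["bin/feature_check"] = b"conditionals patched out\x00"
    tampered["etc/fec.container"] = b"FEC:0001;FEC:0002;FEC:0042;" + b"\x00" * 8
    print(verify_image("v1", GOLDEN_V1))  # (True, [])
    print(verify_image("v1", tampered))   # (False, ['modified: bin/feature_check', 'modified: etc/fec.container'])
```

A mismatch only says the content differs from the reference; as asellus notes, it does not by itself distinguish deliberate modification from corruption. For a real unit, pass `digest_tree("<extracted-root>")` to `verify_digests` and keep the manifest off the unit being checked.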
Old 08-12-2021, 10:24 PM
  #44  
HooosierDaddy
Racer
 
 
Join Date: Aug 2019
Posts: 440
Received 268 Likes on 136 Posts

The people that will never use this service sure are vocal about it. Reminds me of Facebook marketplace listings and how randos that can't or never will buy have the most to say.
The following 2 users liked this post by HooosierDaddy:
asellus (08-12-2021), Z06jerry (08-13-2021)
Old 08-12-2021, 11:36 PM
  #45  
Noah Fect
Rennlist Member
 
 
Join Date: Aug 2012
Location: Pac NW
Posts: 6,243
Received 1,299 Likes on 886 Posts

Originally Posted by asellus
So, you go to the dealer. Say to the dealer "hey, I was trying to jailbreak my PCM, and now it's doing this weird thing, can you fix it?"
It's simple. I would have no problem working with simaservis1108 or anyone else, as long as I can see what they're doing on my PC. If he hoses the FAT or trashes the boot sector, no harm done, I can fix that easily. My own PCM's hard drive has long since been backed up and replaced with an SSD, which is something every long-term 9x1 owner should do anyway.

If the PCM does get bricked somehow, I am not going to try to scam the dealer into replacing it. I am going to chalk it up to Murphy's account and take responsibility for it. Just as I'm not going to go blow smoke up some kid's *** at the WalMart customer service counter. Yes, if you're willing to engage in all these shenanigans, I'm sure you can find a way to dodge the consequences if the hack goes wrong.

Not trying to preach, just saying what I would do personally, because I know (from experience) that I would feel awkward lying about it and would feel bad afterwards. Carry on...

(Edit: and yes, I wouldn't doubt that the relevant files are in flash memory rather than on the hard drive. Doesn't change the overall point.)

Last edited by Noah Fect; 08-12-2021 at 11:40 PM.
The following 2 users liked this post by Noah Fect:
HooosierDaddy (08-13-2021), manifold danger (08-14-2021)