
1 - 20 of 571 Posts

Registered · 2,261 Posts · Discussion Starter #1 (Edited)
Aug '18 New HU Firmware Released

Based on a comment made by another I did some digging and it looks like there IS new head unit firmware out... in Europe and for the Outback.

Have no fear, the Outback uses Harman as well, so that's a good sign.

The user stated "Today we here in Europe got the new Headunit-Firmware available... Latest before was 2.17.43.30, now it's U0.18.22.20"

[image: IMG-2947.jpg]


ref: https://www.subaruoutback.org/forums/138-gen-5-2015-2019/495077-new-headunit-firmware-2018-a.html

More interesting is that it appears the Wi-Fi update might have been working (applicable to those that have it) because there's no indication of the user's update being done at a service bay.

I wonder if we have it yet.

More if I find it. Help from others appreciated.
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts
I wonder if this has anything to do with why the German video that kv posted has different ACC behavior than the US market?
 

Registered · 2,261 Posts · Discussion Starter #4
[Quoting the previous post: "I wonder if this has anything to do with why the German video that kv posted has different ACC behavior..."]

Haven’t seen kv’s video but I wonder what sort of spaceship took the picture.
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts

Registered · 2,261 Posts · Discussion Starter #8
So what does that mean for US cars? Are we still at 2.17.43.30 and a dealer-only install?

...stand by to wait out, I guess.

I'm going to capture the comms between my car and the internet to see what I can discover about its download source and to see if there are alternate entrances.
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts
[Quoting the previous post: "...stand by to wait out, I guess. I'm going to capture the comms between my car and the internet..."]

That would be funny, if it was logging into an unsecured FTP server or whatever... :D

Or not! :icon_eek:
 

Registered · 2,261 Posts · Discussion Starter #10 (Edited)
[Quoting the previous post: "That would be funny, if it was logging into an unsecured FTP server or whatever... Or not!"]

One could argue that because many thousands of radios are trying to periodically connect, they won't have extensive security.
If anything at all, it could be security through obscurity. Those radios can only do so much so they aren't a real target.

However, as the source code is public, anyone can just read it, and it's provided by Harman to Subaru, who then uploads it to their network.
Does Subaru write in login credentials? Something tells me, no.

If they do, I would suspect you only need them to upload to the site while downloading is a free-for-all.
I suspect that'll be the case because it means Subaru doesn't have to modify and test code.

If that's the case, I hope to be able to browse the directory.
I don't think I'll get very far with it but it'll be fun.

Disclaimer: I won't be running any attacks against their network. It'll be passive observation only.

Edit: the source code is actually not public. It appears that only portions of their products are licensed using open source software.
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts
[Quoting the previous post: "One could argue that because many thousands of radios are trying to periodically connect, they won't have extensive security..."]

I wasn't thinking of the radio being the target, per se. We already had a long thread about that. My concern if it's totally open and not a secure connection would be that someone could spoof the site and your car could download a malware version of the firmware. Can't wait to see what you find out!
 

Registered · 2,261 Posts · Discussion Starter #12 (Edited)
As an afterthought to my previous, Subaru might add code, code that interacts between the Harman software and the Subaru controls; Bluetooth, HVAC, etc. The only reason I say this is because on the 8”, you can control the car’s speech volume on the head unit.

Perhaps they don’t add code but Harman has a module to interact with the hardware between the head unit and the front speakers. I can’t remember what that piece is called.

On to spoofing; sorry for the following but if you recall, I tend to feel strongly about some things. This is for everybody reading, not just in response.

If someone is spoofing the site, they're targeting the radio and they’re targeting you; specifically you.

The reason they won’t be spoofing the Subaru firmware domain is because the address is hard-coded into the software.

We don’t yet know if the software site is an IP address (192.168.1.1) or a URI [http(s)://www.exampleaddress.com] but spoofing takes advantage of either:

1. Registering typosquatting domains such as subaruxbforum.com. Note the bold “b” sitting right beside “v” on the keyboard; stupid sausage fingers.
2. URL redirection where “Subaru.ca” leads to “badsite.su” when you click on it.
3. Shortened links where “xxxx.tinyurl.com” leads to “superbadspoofsite.pk”.

Hehehe, I'm reminded of the time Microsoft let their domain expire and some kid bought it.

Anyway, a hardcoded device cannot be fooled by spoofing.
It can be fooled by domain hijacking; that's where an attacker illegally gains control of a legitimate domain but that almost never happens anymore.

The only way to spoof would be to sit between your car and your wireless network and pump out a stronger signal than the modem/router. However, this means they already have the network’s login credentials. For those reading who don’t know, this is called a man-in-the-middle attack. It’s still popular at public Wi-Fi locations so don’t go to important websites (like banking) when at a hotspot.

For a man-in-the-middle to work, the attacker would have had to have full access to the legitimate site in order to feed the expected responses back to the radio. It's more difficult to fool a machine than a person because the copy has to function perfectly, whereas you can trick a person into following the path.

The question becomes why they would want to interact with your car radio, especially since they have your network credentials. Maybe a university class would have a go at it but in the real world, it isn’t worth the effort.

Besides, what sort of malware would they even bother putting on a radio? There is no financial gain and it does not interact with usability of the car. The Wi-Fi capable models do include voice control and NAV, but at what gain for an attacker, and how difficult is it to rewrite those controls? I suspect very hard because there’s a lot of work and you have to know how the Subaru components interact with it.

So, the only real motive is denial of service but again, there’s no gain for an attacker. The exception being able to force the SSD/RAM to record in-car conversations or Bluetooth transmitted data and upload it to our overlords whenever we're sitting near enough our Wi-Fi sources long enough for the connection to be made and data to be pushed. I don't know about you guys but mine sometimes takes a few minutes to connect and I usually don't sit in the car in my driveway that long.
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts
[Quoting the previous post: "As an afterthought to my previous, Subaru might add code, code that interacts between the Harman software and the Subaru controls..."]

All agreed regarding the Wi-Fi stuff. We had this conversation before and I'm not a hardware techie.

However, let's say the site is a URL and they don't use SSL, even if the URL is hardcoded into the HU firmware, couldn't it be misdirected by a rogue DNS server?

Why would they want to mess with your radio (or hundreds, or thousands of radios)? I dunno, maybe a kid would think it was funny. Or could it somehow be configured to hijack a semi-autonomous car? All speculation, of course... :D
 

Registered · 2,261 Posts · Discussion Starter #14 (Edited)
[Quoting the previous post: "All agreed regarding the Wi-Fi stuff... let's say the site is a URL and they don't use SSL... couldn't it be misdirected by a rogue DNS server?"]

I don't remember the previous but we probably did.

A rogue DNS server could redirect to a bad site, encrypted or not. The initial connection to a tunneled website is unencrypted. This is when they exchange keys. Provided the malicious site has provided a key, it'll encrypt the session, but for it to work on hardware, you still have to duplicate all the expected workings of the hardware in question and the legitimate site. Also, the bad guys will try to provide a fake certificate. These sites like to provide an exact copy of the legitimate site but tend to host hundreds of pieces of malware which then attempt to execute on your computer and do more stuff. Alternatively and just as frequently, they also spoof legitimate websites hoping you'll enter personal information which they can then use or sell.

However, if you're affected by a rogue DNS server, you've been targeted with DNS Changer malware. I haven't even heard of an effective DNS changer in years and any computer running decent antivirus should be unaffected. Besides, why someone interested in changing your home DNS address in order to affect your Subaru for no gain is beyond me.

It's harder for DNS changers to change the router or modem because of login credentials. On a computer, it used to be a simple matter of privilege escalation but that's getting much harder without user assistance.

The most appropriate attack vector would be at an industrial level where car company X wants to discredit Subaru. However, they can't possibly go after car owners; too distributed and significantly more risk if caught. They'd have to go after the source, the Subaru update domain. They'd have to have already obtained a firmware copy and modified the code to degrade or deny the system. Then they'd have to hack the legitimate domain to upload their modified file as the next update. This would only work with the Wi-Fi being enabled because Subaru publishes TSBs for these sorts of things.

Otherwise, the amount of work it takes to target this specific piece of hardware puts this firmly in the realm of legitimate security researchers and university/college students; one gets paid, the other graduates with a name for employment, and both inform Subaru if for no other reason than to prevent being sued for damages and charged for hacking. Until cars can totally drive themselves à la Maximum Overdrive, state actors don't care. Criminals can't make money from it and the nerd kid down the street doesn't have the time to pick away at a complicated and easily defeated attack vector for a brief period of nuisance until a dealer can flash it out, unless you give them personal reason.

Anyway, I'll be prepping the laptop tonight and hope to get to it soon.
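The last few posts all circle the same question from the defender's side: if a rogue DNS answer, a man-in-the-middle on the Wi-Fi, or a modified file uploaded to the legitimate update server hands the head unit bad bytes, what stops it from flashing them? The standard device-side control is a signed update manifest checked against a vendor public key pinned in the head unit, so integrity does not depend on which host or session delivered the download. The Go program below is an added example written for this thread, not Subaru's or Harman's code; the Manifest layout, the function names and the use of the U0.18.22.20 version string are assumptions, and nothing in the thread says whether the real head unit performs such a check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small metadata record a head unit would fetch alongside a
// firmware image. The layout is hypothetical; the real Subaru/Harman update
// format is not known from the thread.
type Manifest struct {
	Version   string   // version string as the head unit would display it
	ImageHash [32]byte // SHA-256 of the firmware image this manifest vouches for
}

// Bytes serialises the manifest into the exact byte string that gets signed.
func (m Manifest) Bytes() []byte {
	return append([]byte(m.Version+"\n"), m.ImageHash[:]...)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("firmware image hash does not match the signed manifest")
)

// BuildRelease is the vendor-side step: hash the image, then sign the manifest.
// The private key stays with the vendor; it is never present on the device.
func BuildRelease(priv ed25519.PrivateKey, version string, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device-side check. pinnedPub is baked into the head
// unit's own firmware, so trust comes from the key, not from the DNS answer,
// TLS session or mirror host that delivered the bytes.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pinnedPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Vendor key pair, generated here only for the demo. In practice the public
	// half ships inside the head unit and the private half never leaves the vendor.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real update file.
	image := []byte("constructed firmware image, stand-in for a real update file")
	m, sig := BuildRelease(vendorPriv, "U0.18.22.20", image)
	fmt.Printf("genuine release (image sha256 %s...): %v\n",
		hex.EncodeToString(m.ImageHash[:8]), VerifyUpdate(vendorPub, m, sig, image))

	// Scenario 1: the download was redirected or the file on the server was
	// altered, so the image bytes no longer match the signed manifest.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image, original manifest:", VerifyUpdate(vendorPub, m, sig, tampered))

	// Scenario 2: the fake server also serves its own manifest, signed with a
	// key it controls. The pinned vendor key rejects it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := BuildRelease(otherPriv, "U0.18.22.20", tampered)
	fmt.Println("manifest signed with a non-vendor key:", VerifyUpdate(vendorPub, m2, sig2, tampered))
}
```

Run with `go run`: the genuine release verifies (nil error), the altered image fails with ErrHashMismatch, and the foreign-key manifest fails with ErrBadSignature. The point for this thread is that encrypted transport, which the packet capture later in the thread confirms, protects the session but says nothing about whether the image itself is authenticated before it is flashed; those are separate controls.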
 

Registered · 2,261 Posts · Discussion Starter #15 (Edited)
Interesting results on the head unit comms.

First the good news

The destination is owned by Harman International Industries Ltd.

Traffic is encrypted.

The bad news

There is nothing there.

The domain is a little sloppy.

Also:


It seems associated with the Harman Ignite program.

“The HARMAN Ignite platform is a perfect match for Subaru because it allows us to streamline our process for device management,” said Anthony Landamia, infotainment product manager, Subaru of America. “We are able to introduce and easily deploy new cloud applications and services to our customers. Given HARMAN’s history in on-vehicle and cloud technologies, we’re excited to leverage this platform’s capabilities.”

(https://news.harman.com/releases/harman-introduces-harman-ignite-the-first-fully-integrated-cloud-based-platform-for-developing-managing-and-operating-in-vehicle-applications)

[image: Ignite.jpg]
 

Registered · '18 and '19 Crosstrek Limiteds · 6,909 Posts
Is it an FTP site? What's the address?
 

Registered · 2,261 Posts · Discussion Starter #17 (Edited)
It's all TCP traffic.

52.4.86.6 leads to a subdomain of ahanet .net, but it's only a server test page.

[image: pcap.jpg]

Poking around, I found large repositories, latest updated 25 Jun 18, but haven't done anything with them yet.

Does the EU headunit connect elsewhere or was Outback boy full of it?
 

Registered · 2,261 Posts · Discussion Starter #18 (Edited)
Interesting update by the original Outback poster (Turns out he's German; why, oh why did GMork leave us?):

When asked "Did you get the new firmware updated via built-in Wi-Fi, installed for you by a dealer or you’ve got a brand new car with this version?"

Replied: "I installed it myself with a USB stick"

This morning someone asked where the firmware stick came from but there's no reply yet.

--
Subaru did update the report for the Harman Gen 3 in March '18

March 28, 2018 MANUFACTURER COMMUNICATION NUMBER: 15-211-17R
Components: ELECTRICAL SYSTEM, EQUIPMENT

NHTSA ID Number: 10133524
Manufacturer Communication Number: 15-211-17R

Summary
The following information addresses reprogramming file availability and a software update installation procedure to provide optimization to the new Harman Gen 3 Audio and Navigation head units utilized. The procedure will involve either downloading the software update files from Subarunet (or using those sent directly from Nuspire) and transferring them onto a flash drive for head unit installation.

5 Affected Products
Vehicles
MAKE    MODEL      YEAR
SUBARU  CROSSTREK  2018
SUBARU  IMPREZA    2017-2018
SUBARU  LEGACY     2018
SUBARU  OUTBACK    2018

---

Also, found this on the Outback forum, dated 13 Jun 18: "The corporate rep at Subaru with whom I have been working to correct the problems with our infotainment system and various noises and rattles in the roof just advised me that an update to the infotainment system is being issued late this month. Let's see if that helps."
https://www.subaruoutback.org/forums/138-gen-5-2015-2019/465882-2018-infotainment-update-who-still-having-issues-27.html
 

Registered · 1,183 Posts
[Quoting an earlier post: "I wasn't thinking of the radio being the target, per se... someone could spoof the site and your car could download a malware version of the firmware."]

Plus, if your phone is connecting to the head unit, malware on the head unit could be used to compromise your phone.
 

Registered · 1,183 Posts
[Quoting an earlier post: "All agreed regarding the Wi-Fi stuff... couldn't it be misdirected by a rogue DNS server?"]

Yes, DNS poisoning. It's unlikely, but still possible. Attackers, if they were to find an exploitable vulnerability, could target Subaru's firmware system, thereby compromising any of us who might have occasion to connect to Subaru's system, but I think Doca's right that it's unlikely at best. Still, not impossible. The only detail that I would maybe mildly disagree with Doca on (keeping in mind I'm still only a student of InfoSec right now) is if attackers were to discover an exploitable zero-day vulnerability on Subaru's system, attackers would most likely be more than willing to take advantage of it. Plus, while most attackers are motivated by money these days, I'm betting there are still those knuckleheads that might do it for cred or for kicks.


I don't know enough about bots, but maybe you can fill us in Doca, would it be possible to turn the head units into bots, to use the head unit to make phones/tablets into bots? I'm still very novice in the Cyber Security field, but I'm finding this discussion very interesting :)
 