IoT backdoors in cars

Connecting cheap IoT devices to the safety-critical network of a car can be an extremely bad idea, but at least it allows us to hack together our own automotive gadget.

This talk explains the complete procedure involved in transforming a cheap OBD GSM dongle designed for fleet management into a open source automotive hacking tool. First, the hardware reverse engineering is demonstrated, showing how each component is interconnected and working together. With this knowledge, it was possible to capture the communication of the GSM module and understand the OTA protocol used by this dongle, which can be used to extract the firmware. A quick reverse engineering of the software will show that no cryptographic authentication is used for the OTA updates, and therefore a pirate GSM BTS can be used to obtain remote code execution. After that, a new open source firmware is written for the device, which can easily be extended and controlled remotely with the LUA scripting language. Examples on how hacking this dongle remotely can affect the safety of the driver will be also given.