Abusing the Internet of Things

TIP

ington claim to have successfully exploited a telematics system powered by Airbiquity’s aqLink software. This software allows digital data to be transmitted over channels normally reserved for voice communication. This is useful because wireless networks intended for voice, such as GSM and CDMA, have greater coverage areas than data networks such as 3G.


On a similar note, researchers Mathew Solnik and Don Bailey found a way to exploit the Short Message
Service (SMS) to remotely unlock a Subaru Outback and even start the car. Their presentation, titled
“War Texting”, is available for download.

The researchers located the phone number assigned to the car and called it in order to listen to the initiation tone. Because aqLink transmits digital data over the audio channel, this was their first step in reverse engineering the protocol. The white paper does not discuss the actual exploit code, but the researchers report finding several buffer overflow conditions in the aqLink implementation. They devised an exploit that took 14 seconds to transmit, but the car’s telematics unit would terminate the call 12 seconds after answering it.

To get around this limitation, they found another flaw in the aqLink authentication algorithm, which is responsible for confirming that incoming calls come from a legitimate source. The researchers found that the car issues an authentication challenge to the caller when it receives a call. In the simplest terms, this means the car expects a legitimate caller to know a shared cryptographic secret and to use it to compute the correct answer to the challenge. Normally the challenge contains a random, single-use value (a nonce) so that the same challenge is never issued twice. In this case, however, the car produced the same sequence of nonces every time it was turned off and on again. This allowed the researchers to capture a legitimate response to a challenge and resend it to a car that had just been turned on (a replay attack). Furthermore, they found that the car accepted an incorrect response once every 256 times, so by calling repeatedly they could bypass authentication after an average of 128 calls, without knowing the secret at all. Two independent defects therefore made the bypass possible: a nonce generator that restarted from the same state after every power cycle, and a response check lenient enough to pass one wrong answer in 256.

Once authenticated, the researchers changed the call timeout from 12 seconds to 60 seconds, then called the car again to deliver the buffer overflow exploit discovered earlier. In this way they demonstrated that they could remotely call the car and take over the telematics ECU. Because that ECU sits on the CAN bus, they could go on to influence other parts of the car, for example by flashing the TPMS ECU with custom code that generated rogue notification packets.
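As an added illustration (not code from the book, from Airbiquity, or from the researchers’ paper), the following C model reproduces the two authentication defects described above next to a hardened variant. Everything concrete in it is an assumption chosen to match the behaviour the text describes: a constant-seeded LCG stands in for the nonce generator, FNV-1a over the secret and nonce stands in for the unpublished response function, a first-byte-only comparison produces the 1-in-256 acceptance, and the shared secret and field sizes are constructed. `replay_attack` plays back a recorded answer after a simulated power cycle; `guessing_attack` redials with a fixed wrong answer until the lenient check accepts it and then raises the call timeout, as the researchers did.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN  4
#define RESP_LEN   4
#define SECRET_LEN 8

/* Constructed shared secret known to the car and the legitimate back end. */
static const uint8_t SHARED_SECRET[SECRET_LEN] =
    {0xC0, 0xFF, 0xEE, 0x12, 0x34, 0x56, 0x78, 0x9A};

typedef struct {
    uint32_t rng_state;             /* nonce generator state */
    uint32_t boot_counter;          /* hardened variant only: assumed to be persisted in NVM */
    uint8_t  last_nonce[NONCE_LEN]; /* outstanding challenge */
    int      hardened;              /* 0 = modelled flaws, 1 = fixed */
    int      call_timeout_s;        /* seconds before the unit hangs up */
} telematics_ecu;

/* Power-on. The flawed variant reseeds from a constant, so the car hands out
   the same nonce sequence after every restart; the hardened one mixes in a
   value that changes per boot (a hardware RNG would be the real fix). */
void ecu_power_on(telematics_ecu *e, int hardened)
{
    e->hardened = hardened;
    e->call_timeout_s = 12;
    if (hardened) {
        e->boot_counter++;
        e->rng_state = 0xA5A5A5A5u ^ (e->boot_counter * 0x9E3779B9u);
    } else {
        e->rng_state = 0xA5A5A5A5u;  /* flaw 1: identical seed on every boot */
    }
}

/* Issue the next challenge nonce (LCG; an assumption, not aqLink's generator). */
void ecu_challenge(telematics_ecu *e, uint8_t nonce[NONCE_LEN])
{
    e->rng_state = e->rng_state * 1664525u + 1013904223u;
    memcpy(nonce, &e->rng_state, NONCE_LEN);
    memcpy(e->last_nonce, nonce, NONCE_LEN);
}

/* Keyed response to a nonce: FNV-1a over secret||nonce, a stand-in for the
   unpublished real function. Both legitimate ends compute this. */
void compute_response(const uint8_t *secret, const uint8_t nonce[NONCE_LEN],
                      uint8_t out[RESP_LEN])
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < SECRET_LEN; i++) { h ^= secret[i]; h *= 16777619u; }
    for (int i = 0; i < NONCE_LEN; i++)  { h ^= nonce[i];  h *= 16777619u; }
    memcpy(out, &h, RESP_LEN);
}

/* Check the caller's answer. The flawed variant compares only the first byte,
   so a random answer passes 1 time in 256 (flaw 2). The hardened variant
   compares every byte, in constant time. Returns 1 on success. */
int ecu_verify(const telematics_ecu *e, const uint8_t resp[RESP_LEN])
{
    uint8_t expect[RESP_LEN], diff = 0;
    compute_response(SHARED_SECRET, e->last_nonce, expect);
    if (!e->hardened)
        return expect[0] == resp[0];
    for (int i = 0; i < RESP_LEN; i++) diff |= (uint8_t)(expect[i] ^ resp[i]);
    return diff == 0;
}

/* Attack 1: record a legitimate response, wait for the car to be turned off
   and on, then replay it. Returns 1 if the replayed answer authenticates. */
int replay_attack(int hardened)
{
    telematics_ecu car; memset(&car, 0, sizeof car);
    uint8_t nonce[NONCE_LEN], captured[RESP_LEN];
    ecu_power_on(&car, hardened);
    ecu_challenge(&car, nonce);                        /* legitimate call */
    compute_response(SHARED_SECRET, nonce, captured);  /* attacker records this */
    ecu_power_on(&car, hardened);                      /* car restarted */
    ecu_challenge(&car, nonce);                        /* attacker's call */
    return ecu_verify(&car, captured);
}

/* Attack 2: no secret at all. Redial with a fixed bogus answer until the check
   passes, then raise the hang-up timeout as the researchers did. Returns the
   number of calls needed, or 0 if none of max_calls succeeded. */
int guessing_attack(int hardened, int max_calls)
{
    telematics_ecu car; memset(&car, 0, sizeof car);
    uint8_t nonce[NONCE_LEN], bogus[RESP_LEN] = {0, 0, 0, 0};
    ecu_power_on(&car, hardened);
    for (int call = 1; call <= max_calls; call++) {
        ecu_challenge(&car, nonce);
        if (ecu_verify(&car, bogus)) {
            car.call_timeout_s = 60;  /* long enough for the 14 s exploit */
            return call;
        }
    }
    return 0;
}

int main(void)
{
    printf("replay   flawed=%d hardened=%d\n", replay_attack(0), replay_attack(1));
    printf("guessing flawed=%d calls, hardened=%d calls\n",
           guessing_attack(0, 8192), guessing_attack(1, 8192));
    return 0;
}
```

Build with `cc -std=c99 -Wall aqlink_model.c` (file name is arbitrary). The two fixes are independent: the replay would succeed even against the full constant-time comparison if the nonce repeated, so unpredictable nonces are what stop replay, while the full comparison is what stops guessing. The number of calls `guessing_attack` reports against the flawed check varies with the constructed secret and seed; what matters is that it succeeds at all without the secret, and that the hardened check never does.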


CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY ELECTRIC
