Jump to content

Custom Search




Welcome to the Ford C-MAX Energi Forum


Sign In  Log in with Facebook

Create Account
Welcome to the Ford C-MAX Energi Forum. You must register to create topics or post in our community - but don't worry this is a simple free process that requires minimal information for you to signup. Be apart of Ford C-MAX Energi Forum by signing in or creating an account.
  • Start new topics and reply to others
  • Subscribe to topics and forums to get email updates
  • Get your own profile page and make new friends
  • Send personal messages to other members
  • Create a photo album and post images. . .more.
Click here to create an account now.
 
Guest Message by DevFuse

Get you C-MAX Energi Registered in the official Ford Authorized Registry. More here.


Photo
- - - - -

The Register: "It’s 2017 and Hayes AT modem commands can hack luxury cars"

2g 3g telematics energi

  • Please log in to reply
7 replies to this topic

#1 OFFLINE   Jonathan Ezor

Jonathan Ezor

    New Member

  • C-MAX Energi Platinum Member
  • 222 posts
  • Region:Decline
  • LocationLong Island, NY
  • My C-MAX:2015
  • Current Vehicle:2015 C-MAX Energi

Posted 02 August 2017 - 01:08 PM

The Register posted an article about a security vulnerability in 2G modems found in certain BMWs, Infinitis, Nissans and "a handful of Ford hybrids."

I *really* hope that the modem swap fixed this vulnerability if we had it, and that, if so, Ford is diligent about ensuring all Energi vehicles *get* the modem swap.

 

An excerpt from the article:

 

A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit.

 

The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between 2011 to 2015 have bugs. A handful of Ford hybrids may also be in trouble.

 

In IT terms a 2009 product is close to end-of-life; a car that age might still be covered by an extended warranty (and in Australia, by parts of the 10-year statutory warranty).

 

Infineon's contribution to the problem is a 2G baseband chipset, the S-Gold 2 (part number PMB 8876), used by upstream German vendor Continental to produce telematics control units (TCUs).

 

 

{Jonathan}









Lose this advertisement by becoming a member. Click here to create a free account.

#2 OFFLINE   jdbob

jdbob

    Techo Geek

  • C-MAX Energi Member
  • PipPip
  • 601 posts
  • Region:U.S. Pacific Coast
  • LocationJohn Day, Oregon
  • Current Vehicle:2013 C-Max Energi

Posted 02 August 2017 - 01:34 PM

Continental was indeed the manufacturer of our original 2G TCU's. The new ones are manufactured by Clarion Co., Ltd. using a 3G wireless module from Telit Wireless Solutions.


  • Jonathan Ezor likes this

#3 OFFLINE   RubyMax

RubyMax

    Energi Member

  • C-MAX Energi Member
  • PipPip
  • 681 posts
  • Region:U.S. Great Lakes
  • LocationNortheast Ohio
  • My C-MAX:2013
  • Current Vehicle:C-Max Energi, 302A, Pano; Focus Electric

Posted 02 August 2017 - 06:34 PM

Hayes AT command. Now you're really dating yourself Jonathan.  :wink:



#4 OFFLINE   cr08

cr08

    New Member

  • C-MAX Energi Member
  • Pip
  • 195 posts
  • Region:U.S. Great Lakes
  • LocationColumbus, Ohio
  • My C-MAX:2013
  • Current Vehicle:2013 Ice Storm C-Max Energi

Posted 03 August 2017 - 02:53 AM

Once again another reason to get that modem updated. I know at least one other poster here questioned whether or not to get it taken care of since they didn't use the functionality. Doesn't hurt not to do it while Ford is still doing it on their own dime and it only takes a couple hours to replace.


  • Jonathan Ezor likes this

#5 OFFLINE   sporkinum

sporkinum

    New Member

  • C-MAX Energi Member
  • Pip
  • 135 posts
  • Region:U.S. Mississippi Valley
  • LocationIllinois
  • My C-MAX:2014
  • Current Vehicle:C-Max Energi

Posted 03 August 2017 - 06:55 AM

Since the car has auto start, and auto parking, it's not too far a stretch to think there are some nasty things that could happen if someone hacked to the level needed to control.



#6 OFFLINE   Jonathan Ezor

Jonathan Ezor

    New Member

  • C-MAX Energi Platinum Member
  • 222 posts
  • Region:Decline
  • LocationLong Island, NY
  • My C-MAX:2015
  • Current Vehicle:2015 C-MAX Energi

Posted 03 August 2017 - 08:03 AM

Hayes AT command. Now you're really dating yourself Jonathan.  :wink:

That ancient galleon has long since sailed. {Jonathan the Ancient Mariner}



#7 OFFLINE   cr08

cr08

    New Member

  • C-MAX Energi Member
  • Pip
  • 195 posts
  • Region:U.S. Great Lakes
  • LocationColumbus, Ohio
  • My C-MAX:2013
  • Current Vehicle:2013 Ice Storm C-Max Energi

Posted 03 August 2017 - 08:06 AM

Wall of text incoming:

 

Theoretically any modern car with drive-by-wire and electronic power steering can be 'remotely controlled' via a CANbus connected telematics unit (Or even an infotainment unit via Wifi or Bluetooth if able to be hacked 'through'). But there's also a lot of gotchas involved. Basically having intimate knowledge of each vehicle's set of modules and CANbus networks, what are the modules programmed to responde to/interact with over the network. If the desired interaction cannot happen, can the modules be reprogrammed to allow them to respond in the desired fashion? There's rarely ever any direct and dumb 'trigger this output' interactions but specific routines that the modules follow that may or may not do what you desire.

 

For example with our C-Max. With the auto-park option, there is a function there in the system allowing the parking aid module to speak to the EPAS module and directly control steering while the car is in gear. There may be some specific safeguards though. I recall reading, and don't recall if it was a Ford vehicle or another make, that there is a hardcoded limit to lock out this control path above a certain speed. Throttle and brake control are another beast altogether. With the C-Max there's not a whole lot of entry points for that. We don't have the luxury of adaptive cruise control so for just basic CC that is usually self contained within the PCM which already acts on internal info from itself (engine speed, vehicle speed, engine load, etc) and the only external inputs are direct connections to the steering wheel controls and brake switch. Brake control is also similarly limited through ABS and what outside inputs it can act upon. Now if you move over to something like the Fusion which does have options such as Adaptive Cruise, you possibly have some options there for interaction but once again depends on what the various modules are designed to respond to.

 

I'm actually surprised there hasn't been anything from the side of GM vehicles with OnStar as they advertised early on the anti-theft features such as remotely restricting vehicle speed if it is actively being stolen.

 

Long story made short these things are a lot more complicated beyond gaining that entry point and expecting to have full control over everything out of the gate. There's also the benefit that all of this programming is obviously going to be different between makes and models, likely even down to individual model years and even various flashes and updates down the road. Never a one size fits all and that's why most of what you see are proof of concept hacks for the most part.

 

With all that said, it is still good practice to button up these holes and I am glad people are out there poking around and bringing these to light so manufacturers can get it taken care of.

 

While not as involved as this topic, I did toy around with the MS-CAN bus on my old '07 Focus for a bit. It wasn't as nearly as elaborate. Essentially the MS-CAN was isolated to just the radio and any accessories it may have had connected. In my case stock it had nothing attached but there have been aftermarket attachments for stuff like Aux inputs, bluetooth, ipod adapters, etc. that all communicate and control via the CAN bus. I originally started with an Aux adapter which just fed analog audio to the radio and enabled the Aux button/mode. The only advanced thing it did was display its brand name on the radio screen. I had intended to try and rig up a Raspberry Pi that could interact with the radio and act as a USB jukebox that could be controlled via the faceplate on the radio or even have the Pi control certain parts of the radio. Didn't get really far beyond reading what could and could not be interacted with. I eventually gave up and replaced it with a BT/USB aftermarket unit. What I essentially found out is a limited set of faceplate buttons were visible on the network in Aux mode: Volume, preset buttons (aside from I think button 6 which was the Text button?), up/down and seek buttons. Menu was unavailable. It did indicate when mode was changed through AM/FM/CD/AUX. When in any mode but Aux, all controls were not visible. In the other direction there wasn't a whole ton of control. Mostly being able to send text to the screen and I believe mute. Memory is a bit fuzzy on that at this stage.


Edited by cr08, 03 August 2017 - 08:08 AM.

  • Jonathan Ezor and sporkinum like this

#8 OFFLINE   Jonathan Ezor

Jonathan Ezor

    New Member

  • C-MAX Energi Platinum Member
  • 222 posts
  • Region:Decline
  • LocationLong Island, NY
  • My C-MAX:2015
  • Current Vehicle:2015 C-MAX Energi

Posted 03 August 2017 - 08:06 AM

Once again another reason to get that modem updated. I know at least one other poster here questioned whether or not to get it taken care of since they didn't use the functionality. Doesn't hurt not to do it while Ford is still doing it on their own dime and it only takes a couple hours to replace.

 

...and now that it actually works. {Jonathan}











Also tagged with one or more of these keywords: 2g, 3g, telematics, energi

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Privacy Policy TERMS OF SERVICE ·