Neighborhood Watch:
You can sleep tonight knowing the Klan is awake!
— A 2013 flyer released as part of an effort to create Klan-sponsored neighborhood watch groups in Springfield, MO. (https://www.washingtontimes.com/news/2013/jul/31/kkk-missouri-trying-recruit-neighborhood-watch-mem/)
A few weeks back, I searched for information on how to disable or remove Bluetooth capabilities from my car. The result was Francesco Montefoschi’s article, Hacking Fiat Blue&Me infotainment system (https://medium.com/@fmntf/hacking-fiat-blue-me-infotainment-system-6a965a6ba27b). A quick read made clear that the capabilities I wanted to disable were implemented in a separate component that was isolated from the critical functionality of the car. A few calls later, I found Juan at JG Audio & Alarm. It was the first time he’d been asked to remove or disconnect an infotainment module, but he listened to what I wanted and said it wouldn’t be a problem.
Blue&Me was developed by Fiat in partnership with Magneti Marelli—an Italian manufacturer of automotive components—and Microsoft Corporation. The Magneti Marelli name appears on the tag that identifies the part shown below. Blue&Me uses Windows Automotive, an embedded operating system for automobiles based on the old Windows CE embedded operating system.
According to Wikipedia, the last release of Windows Automotive was in October 2010; extended support for the platform ended in July 2013 (“Blue&Me,” Wikipedia, https://en.wikipedia.org/wiki/Blue%26Me). Fiat introduced a replacement for Blue&Me, Uconnect 5.0, in 2012. The obsolescence of the Windows Automotive family of embedded operating systems doesn’t bode well for the security of the vehicles using it.

Blue&Me was designed to be extended with other features and to integrate with different components in different vehicles. This means that the electronics onboard the Blue&Me hardware in the black ventilated case vary with the use case. At the heart of the electronic control unit (ECU) is the STA2062A SoC “infotainment application processor with embedded GPS.”

The integration between the Blue&Me hardware and the vehicle is implemented in the signals that are transported over the 32-pin connector that powers the board. The connector enables communication to USB ports, audio out (AUX), and to microphone input. It also enables communication with the CAN bus.
CAN is the Controller Area Network that enables communication in vehicles. The CAN bus is the communication system that connects the ECUs in your car (What is CAN bus?, https://www.csselectronics.com/screen/page/simple-intro-to-can-bus/language/en#what-is-can-bus). ECUs are the embedded devices that control the electronic components of the current-day automobile. A bus includes the hardware components and the software, including the communication protocols, that support communications between ECUs (“Bus (computing),” Wikipedia, https://en.wikipedia.org/wiki/Bus_(computing)). Chung-Wei Lin and Alberto Sangiovanni-Vincentelli of the University of California at Berkeley note that the CAN protocol specification (https://www.sae.org/publications/technical-papers/content/921603/) does not offer support for secure communication (“Cyber-Security for the Controller Area Network (CAN) Communication Protocol” https://escholarship.org/content/qt5422g038/qt5422g038_noSplash_f8c542841c55634ea7b98bb06ff39d1b.pdf).
Montefoschi’s source for the technique he uses to reverse-engineer the CAN network that supports the Blue&Me ECU is the comprehensive The Car Hacker’s Handbook: A Guide for the Penetration Tester (2016), by Craig Smith of OpenGarages.org (http://opengarages.org/handbook/ebook/#calibre_link-527). The attack surface of a vehicle, Smith says, is the sum total of the ways in which it can be attacked. The focus of this analysis is the communications interfaces and how communication—data—enters the vehicle: for example, through radio waves, touch and motion sensors, GPS, USB, cellular, CD, WiFi and Bluetooth. From this point of view, it makes sense when Smith says infotainment systems expose “more remote attack surfaces than any other vehicle component.” In the same way that software update mechanisms have been used as malware distribution systems by bad actors, malware can be packaged as a software update to the infotainment system of your car and introduced wirelessly or by USB or DVD. According to Smith, “While vehicles are susceptible to the same malware as your desktop, automakers aren’t required to audit the security of a vehicle’s electronics.” Access to the CAN bus exposes the connected systems. Noting that communication between ECUs is performed without authentication, Lin and Sangiovanni-Vincentelli cite the finding that “the potential exists for an automotive ECU to be infiltrated by an attacker who can then potentially gain access via a serial communication bus, to an array of other ECUs.”
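Because a CAN frame carries only an arbitration ID and a payload, with no sender field and no authentication, a monitor has to rely on behavior such as message timing to spot unexpected traffic. The following is an added example, not code from Montefoschi, Smith, or the cited paper: it parses log lines in the format written by the can-utils `candump -l` tool and flags frames that arrive much sooner than their ID's usual period. The sample log, the IDs, and the `ratio` and `min_frames` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed candump-style log (not captured from any vehicle).
# ID 0x3E8 is broadcast every 100 ms; one extra frame appears at t=0.350.
SAMPLE_LOG = """\
(0.000000) can0 3E8#0000000000000010
(0.020000) can0 2A0#11
(0.100000) can0 3E8#0000000000000011
(0.200000) can0 3E8#0000000000000012
(0.300000) can0 3E8#0000000000000013
(0.350000) can0 3E8#00000000000000FF
(0.400000) can0 3E8#0000000000000014
(0.500000) can0 3E8#0000000000000015
"""

LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_candump(line):
    """Return (timestamp, interface, arbitration_id, payload) or None."""
    m = LINE_RE.match(line.strip())
    # Classic CAN payloads are 0-8 bytes, i.e. at most 16 hex digits.
    if not m or len(m.group(4)) % 2 or len(m.group(4)) > 16:
        return None
    return float(m.group(1)), m.group(2), int(m.group(3), 16), bytes.fromhex(m.group(4))

def timing_anomalies(log_text, ratio=0.6, min_frames=4):
    """Flag frames that arrive much sooner than their ID's usual period."""
    by_id = defaultdict(list)
    for line in log_text.splitlines():
        frame = parse_candump(line)
        if frame:
            by_id[frame[2]].append(frame)
    alerts = []
    for can_id, frames in by_id.items():
        if len(frames) < min_frames:
            continue  # too few samples to estimate a period
        gaps = [b[0] - a[0] for a, b in zip(frames, frames[1:])]
        period = median(gaps)  # robust against a handful of outliers
        for gap, frame in zip(gaps, frames[1:]):
            if gap < ratio * period:
                alerts.append((can_id, frame[0], frame[3].hex()))
    return alerts
```

On the sample log this flags both the extra frame at 0.350 and the regular frame at 0.400 that follows it. Nothing in the frames themselves identifies which of the two came from the expected ECU.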

The fact that these signals travel the same bus and board may have implications for mobbing or other mobile harassment based on radio-frequency attack. Smith notes that USB and Bluetooth expose the infotainment module to exploits and connection to the infotainment console exposes the CAN bus network. I’ve avoided charging my new iPhone while listening to music in the car since the use of USB appears to allow for intensified harassment. The possibility that the mobbers use my microphone, too, has also long seemed a possibility. Even if other communications channels are not directly accessed for the transport of rogue sound, the Blue&Me hardware is installed between the low-priority bus and the speakers–becoming middle-man even to audio out (AUX) communication. The Blue&Me hardware components that handle microphone input and audio out might begin to explain why using an AUX cabled connection from a phone with network services disconnected cannot entirely stop the verbal abuse, even when the phone and the radio are off. Smith also explains, as he provides recommendations on setting up an infotainment test bench, that using an aftermarket radio is not the way to go because they cannot usually integrate with the CAN bus network as it was designed by the manufacturer. This may explain why the USB ports in my own car remained functional after I swapped out the stock radio, with charging available for my iPhone until the Blue&Me infotainment module was finally removed. [Note 07/23/21: I was premature in saying that I no longer have USB. There are ports in a couple of locations and I haven’t adequately tested them. Other features might support USB charging.] [Note 08/09/21: USB charging remains available on the USB port whose functionality was not broken when I swapped out the Fiat specified radio for one that does not support USB. And when I charge using that USB port, rogue sound makes it onto the device. 
I haven’t double-checked the other ports yet but they probably remain inactive–the Blue&Me ECU is probably not involved with communications interfaces that are not accessible through the radio. I’ll have to look at what the USB functionality that goes through the Blue&Me ECU does; I think pin 4 is a ground; have to look at what USB D+ is and see if some of those who’ve been hacking the CAN bus have insight into how mobile mobbing works. I’m also a bit concerned because when I restarted the car within a few seconds of stopping it the other day, I saw the Blue&Me splash screen. That does not typically happen so it’s hard for me to just disregard it as some Blue&Me software component that is part of the steering wheel integration and not installed on the Blue&Me ECU that I removed. I wish I could uninstall non-essential software from the car.]
In a more detailed article, Connecting to the infotainment CAN network (https://medium.com/@fmntf/connecting-to-the-infotainment-can-network-34a79b6de0d8), Montefoschi explores the communication between Blue&Me and the CAN network. The transmission of different types of communications over the slow-speed bus used by the infotainment system is mapped by the connector pins.

The mapping of the connector pins on the bus even includes power. This makes me wonder whether the same techniques that are used to boost signal and inject rogue data by the Seattle and Albany mobbers make it possible to monkey-wrench all the interfaces available from the low-priority CAN bus and transmit data over automotive components that are not meant to interpret it.
Ω
Years back, on one of my marathon drives from Seattle to California, the mobber harassing me chided me for not using my mirrors. At the time I figured it was condescension or boredom but with the heavy traffic approaching San Francisco on I-80, I began to use my side-view mirrors instead of turning my head. More recently I realized that the mobber’s motive was likely to ensure that the mirrors were optimally positioned for the transport of the mobbing harassment.
It wasn’t long after the mobbing began that I found that positioning the mirrors to their most extreme angles away from the car and reflecting the road or the sky mitigated the sensation of heat, the occasional electric shock that I associated with a passing vehicle, and the sound of the verbal abuse. I’ve meant to describe this in more detail in a post on being harassed in cars, but the unusual phenomenology of being abused with radiators and waveforms coupled with the failure of those I turned to for help to believe me has resulted in the topic being relegated to the list of items I would prefer to describe in greater depth to investigators who actually listen to the reports of victims. [07/18/21 Note: I did not mention it while writing but cracking the windows or “breaking the surface” in cars also helps to ameliorate the rogue sound, just as it does in the house.] But given my experiences of being shocked and radiated at home and the realization that the rogue data is probably reaching my environment, my appliances and my devices over electrical wire, it’s not hard to wonder if the mobbers are running a similar hack as they monkey-wrench my vehicle. For example, can they flood the CAN bus and transmit data over the electrical system? Can the same 12-volt power that energizes an iPhone connected over USB be the carrier current for rogue data transported to the motors for the side-view mirrors? Can they create a powerline connection with a car battery? Perhaps that would explain the sensation of an electric shock when the mirrors are adjusted for view and the faint harassment that persists even when the radio is off. I am sure that I have been followed but am not sure how the rogue data enters the car and have considered whether they use backscatter or directional antennas from short range.
Another issue is the fact that in any car I drive, turning on the heater or the A/C increases the volume of the harassment with the fan. In general, I’ve considered that it could simply be because air current increases the reach of pressure waves (sound). In my commuter car, however, the Blue&Me ECU is installed beneath the glove compartment and close to the vents that run through the dash. This finding was enough to make me begin to wonder whether automotive acoustics are deliberately designed to ensure that if the ventilation increases sound, it is the sound of the radio. I found some links to active sound design including An Annotated Bibliography: Ventilation and Acoustics (unlinked to avoid embedding it here). It’s an interesting topic, but likely tangential to how the mobbing harassment is affected by forced air.
Ω
Maybe it was just a coincidence, but I can’t help but think about the fact that while I was in the open garage workspace of JG Audio & Alarm, a black late model Alfa Romeo sedan parked in the red zone across the street at an angle that gave the driver a view, albeit from a distance, of what was happening on the floor. He must have been parked there, engine running, for a good half-hour before he pulled into the driveway, paused momentarily, and then swung the car out into the street and drove off in the opposite direction. Given the time I was harassed during an hour-long NPR broadcast streamed on my computer in Seattle while an unknown black Fiat 500 parked, driver in the car with a mobile device visible on the dashboard, in the driveway of the south mobbing house owner, it was difficult not to consider whether at least some of the mobile harassment in the Bay Area, and even the at-home harassment, is administered from vehicles within range with compatible infotainment systems or access to a target WiFi extender or network (Your TV doesn’t have to be smart to be hacked (part 2)).
At any rate, removing the Blue&Me module made a significant difference in my ability to enjoy music without the intrusion of mobbing harassment. When I left JG Audio & Alarm, I couldn’t hear the mobbers at all. Within a couple of days they began trying to compensate, something that probably requires greater proximity without the ECU. But the removal of the hardware results in fewer communications interfaces available to mob; the attack surface of the car is reduced. And a mobile target like a car increases the difficulty of finding a work-around. Eliminating in-vehicle infotainment makes it harder for mobbers to mob, and probably makes it riskier too.
Ω
A few years ago I contacted a Seattle area forensics outfit to find out if they could analyze the car’s audio system for intrusions or rogue data. I was told the data could not be retrieved from the make and model of car that I owned. But what this really meant was that they didn’t have a tool that would allow them to do so. Those tools were limited to models with more sophisticated video screens than my little car had. That probably doesn’t mean data cannot be obtained by connecting over a CAN bus adapter, for example, or by using a test bench to inspect the hardware for registry information or for unusual use.
At least, that’s what I’m beginning to think about the ECU, the SD card, and the electric and electronic components of the appliances and devices—automotive or otherwise—that have been exposed to the mobbing. If you agree and have information about how I can get it done, let me know.
