
New bluetooth exploit--anybody know what operating system is used in Toyota entertainment system?

Discussion in 'Gen 4 Prius Audio and Electronics' started by subsonicred, Sep 12, 2017.

  1. subsonicred

    subsonicred Junior Member

    Researchers from Armis have disclosed a new Bluetooth vulnerability that allows attackers to easily execute apparently arbitrary code on Windows (without a Microsoft patch responding to the vulnerability), Android, Linux, and iOS. Patches for Android and Linux are being released now (though the Android ones will take a while to go through OEMs before they get to most users). Some of the CVE (Common Vulnerabilities and Exposures) numbers are CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-1000251, CVE-2017-1000250, and CVE-2017-8628, if you're interested in seeing the details.

    I hope that the entertainment system (including the Bluetooth connections) on the Prius is thoroughly isolated from the other electronics on the car, though that's certainly not the case on all cars. But does anybody know (a) what the Prius is really running and whether it would be vulnerable to one of these attacks, and (b) if the Prius is vulnerable, how and when Toyota would respond with patches?
     
  2. RCO

    RCO Senior Member

    Thanks, very interesting, if not a little worrying. Not sure how vulnerable the car would be though. AFAIK, Toyota have avoided using out of house systems except where absolutely essential to defer excessive costs.
     
  3. Elektroingenieur

    Elektroingenieur Senior Member

    The Bluetooth interface in the fourth-generation Prius is part of the radio head unit, which Toyota calls the Navigation Receiver Assembly or the Radio and Display Receiver Assembly. There are many versions of these, depending on the destination country and trim level; a few months ago, I counted eighteen part numbers, made by three companies, not including those sold only in Japan.

    Each of these may have quite different software. The updates for the Entune Audio and Entune Premium Audio head units sold in the U.S. and Canada, which are made for Toyota by Panasonic, appear to contain the QNX Neutrino real-time operating system, version 6.5. The Bluetooth stack seems to be the Blue SDK, formerly offered by Sybase iAnywhere, but now a product of OpenSynergy.

    Neither QNX nor Blue SDK is mentioned in the Armis white paper (PDF), though the software in the head units might have other vulnerabilities, along similar lines or otherwise—it’s unlikely that anyone outside of Toyota or its suppliers has done a serious investigation.

    The head unit is on CAN Bus 3, which is connected to the Central Gateway ECU (Network Gateway ECU) and an option connector, so it has at most indirect communication with essential ECUs like the Engine Control Module or the Hybrid Vehicle Control ECU. Toyota’s service documentation doesn’t disclose what filtering or validation, if any, is done on messages passing through the Central Gateway ECU.

    To fix other bugs in head unit software, Toyota has issued technical service bulletins and made the updated software available to dealers, by subscription to techinfo.toyota.com, and on a public website. If there were a more serious problem, Toyota could institute a service campaign or safety recall, as Chrysler did in 2015.
     
  4. RCO

    RCO Senior Member

    Hope this doesn't sound creepy, but thanks for all the fantastic, easy to read explanations you provide on here. If I could award gold stars on here, you'd certainly get one. (y)
     
  5. subsonicred

    subsonicred Junior Member

    Elektroingenieur, I also want to thank you for this response and for your other posts, which always supply detailed and useful technical information!

    It's interesting that the US head units are running QNX, though I guess it's not surprising. That's probably not the first thing security researchers test, and the head unit versions are probably much harder for them to get access to than standard Windows/Android/Linux/iOS systems. So I'm not sure that we can tell much from it not being mentioned in the Armis white paper. I guess we'll have to wait to see what QNX, OpenSynergy, and Toyota do. And in the meantime hope that the Central Gateway ECU does a good job keeping the entertainment system away from the more critical electronic controls.

    Thanks again for the information.
     
  6. Prodigyplace

    Prodigyplace Senior Member

    Interestingly, I saw a story that claimed Toyota Entune was based off Microsoft software.
    I trust the evidence here more, though.
     
  7. pilotgrrl

    pilotgrrl Senior Member

    Toyota Connect (also in Plano TX) is working with Microsoft, but I haven't been able to find out a whole lot about what exactly they're doing there. They occasionally advertise for Android developers, but they're pretty hush hush.

     