New bluetooth exploit--anybody know what operating system is used in Toyota entertainment system?

subsonicred · Sep 12, 2017

Researchers from Armis have disclosed a new Bluetooth vulnerability that allows attackers to easily execute apparently arbitrary code on Windows (without a Microsoft patch responding to the vulnerability), Android, Linux, and IOS. Patches for Android and Linux are being released now (though the Android ones will take a while to go through OEMs before they get to most users). Some of the CVE (Common Vulnerabilities and Exposures) numbers are CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-1000251, CVE-2017-1000250, and CVE-2017-8628, if you're interested in seeing the details.

I hope that the entertainment system (including the bluetooth connections) on the Prius is thoroughly isolated from the other electronics on the car, though that's certainly not the case on all cars. But does anybody know (a) what the Prius is really running and whether it would be vulnerable to one of these attacks, and (b) if the Prius is vulnerable, how and when Toyota would respond with patches?

RCO · Sep 12, 2017

subsonicred said: ↑

Researchers from Armis have disclosed a new Bluetooth vulnerability that allows attackers to easily execute apparently arbitrary code on Windows (without a Microsoft patch responding to the vulnerability), Android, Linux, and IOS. Patches for Android and Linux are being released now (though the Android ones will take a while to go through OEMs before they get to most users). Some of the CVE (Common Vulnerabilities and Exposures) numbers are CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-1000251, CVE-2017-1000250, and CVE-2017-8628, if you're interested in seeing the details.

I hope that the entertainment system (including the bluetooth connections) on the Prius is thoroughly isolated from the other electronics on the car, though that's certainly not the case on all cars. But does anybody know (a) what the Prius is really running and whether it would be vulnerable to one of these attacks, and (b) if the Prius is vulnerable, how and when Toyota would respond with patches?
Click to expand...

Thanks, very interesting, if not a little worrying. Not sure how vulnerable the car would be though. AFAIK, Toyota have avoided using out of house systems except where absolutely essential to defer excessive costs.

Elektroingenieur · Sep 14, 2017

subsonicred said: ↑

But does anybody know (a) what the Prius is really running and whether it would be vulnerable to one of these attacks
Click to expand...

The Bluetooth interface in the fourth-generation Prius is part of the radio head unit, which Toyota calls the Navigation Receiver Assembly or the Radio and Display Receiver Assembly. There are many versions of these, depending on the destination country and trim level; a few months ago, I counted eighteen part numbers, made by three companies, not including those sold only in Japan.

Each of these may have quite different software. The updates for the Entune Audio and Entune Premium Audio head units sold in the U.S. and Canada, which are made for Toyota by Panasonic, appear to contain the QNX Neutrino real-time operating system, version 6.5. The Bluetooth stack seems to be the Blue SDK, formerly offered by Sybase iAnywhere, but now a product of OpenSynergy.

Neither QNX nor Blue SDK is mentioned in the Armis white paper (PDF), though the software in the head units might have other vulnerabilities, along similar lines or otherwise—it’s unlikely that anyone outside of Toyota or its suppliers has done a serious investigation.

subsonicred said: ↑

I hope that the entertainment system (including the bluetooth connections) on the Prius is thoroughly isolated from the other electronics on the car, though that's certainly not the case on all cars.
Click to expand...

The head unit is on CAN Bus 3, which is connected to the Central Gateway ECU (Network Gateway ECU) and an option connector, so it has at most indirect communication with essential ECUs like the Engine Control Module or the Hybrid Vehicle Control ECU. Toyota’s service documentation doesn’t disclose what filtering or validation, if any, is done on messages passing through the Central Gateway ECU.

subsonicred said: ↑

(b) if the Prius is vulnerable, how and when Toyota would respond with patches?
Click to expand...

To fix other bugs in head unit software, Toyota has issued technical service bulletins and made the updated software available to dealers, by subscription to techinfo.toyota.com, and on a public website. If there were a more serious problem, Toyota could institute a service campaign or safety recall, as Chrysler did in 2015.

RCO · Sep 14, 2017

Elektroingenieur said: ↑

The Bluetooth interface in the fourth-generation Prius is part of the radio head unit, which Toyota calls the Navigation Receiver Assembly or the Radio and Display Receiver Assembly. There are many versions of these, depending on the destination country and trim level; a few months ago, I counted eighteen part numbers, made by three companies, not including those sold only in Japan.

Each of these may have quite different software. The updates for the Entune Audio and Entune Premium Audio head units sold in the U.S. and Canada, which are made for Toyota by Panasonic, appear to contain the QNX Neutrino real-time operating system, version 6.5. The Bluetooth stack seems to be the Blue SDK, formerly offered by Sybase iAnywhere, but now a product of OpenSynergy.

Neither QNX nor Blue SDK is mentioned in the Armis white paper (PDF), though the software in the head units might have other vulnerabilities, along similar lines or otherwise—it’s unlikely that anyone outside of Toyota or its suppliers has done a serious investigation.

The head unit is on CAN Bus 3, which is connected to the Central Gateway ECU (Network Gateway ECU) and an option connector, so it has at most indirect communication with essential ECUs like the Engine Control Module or the Hybrid Vehicle Control ECU. Toyota’s service documentation doesn’t disclose what filtering or validation, if any, is done on messages passing through the Central Gateway ECU.

To fix other bugs in head unit software, Toyota has issued technical service bulletins and made the updated software available to dealers, by subscription to techinfo.toyota.com, and on a public website. If there were a more serious problem, Toyota could institute a service campaign or safety recall, as Chrysler did in 2015.
Click to expand...

Hope this doesn't sound creepy, but thanks for all the fantastic, easy to read explanations you provide on here. If I could award gold stars on here, you'd certainly get one.

subsonicred · Sep 14, 2017

Elektroingenieur, I also want to thank you for this response and for your other posts, which always supply detailed and useful technical information!

It's interesting that the US head units are running QNX, though I guess it's not surprising. That's probably not the first thing security researchers test, and the head unit versions are probably much harder for them to get access to than standard Windows/Android,/Linux/iOS systems. So I'm not sure that we can tell much from it not being mentioned in the Armis white paper. I guess we'll have to wait to see what QNX, OpenSynergy, and Toyota do. And in the meantime hope that the Central Gateway ECU does a good job keeping the entertainment system away from the more critical electronic controls.

Thanks again for the information.

Prodigyplace · Sep 14, 2017

Interestingly, I saw a story that claimed Toyota Entune was based off Microsoft software.
I trust the evidence here more, though.

pilotgrrl · Sep 14, 2017

Toyota Connect (also in Plano TX) is working with Microsoft, but I haven't been able to find out a whole lot about what exactly they're doing there. They occasionally advertise for Android developers, but they're pretty hush hush.

Posted via the PriusChat mobile app.

New bluetooth exploit--anybody know what operating system is used in Toyota entertainment system?

subsonicred Junior Member

RCO Senior Member

Elektroingenieur Senior Member

RCO Senior Member

subsonicred Junior Member

Prodigyplace Senior Member

pilotgrrl Senior Member

About PriusChat

Quick Navigation

Like us on Facebook

Buy us a beer!

Useful Searches

New bluetooth exploit--anybody know what operating system is used in Toyota entertainment system?

subsonicred Junior Member

RCO Senior Member

Elektroingenieur Senior Member

RCO Senior Member

subsonicred Junior Member

Prodigyplace Senior Member

pilotgrrl Senior Member