Connect via SSH to the Infotainment

Debugging the serial adapter told us that the infotainment system is running Linux. We can try different tools for connecting to the Linux system so that we can investigate further.

Learning Objectives

In this exercise, you will:

  • connect to the Linux command line interface using a serial adapter,
  • start the infotainment's wireless access point,
  • connect to the infotainment system using SSH and its wireless connection, and
  • explore the infotainment's filesystem.

Adapter Wiring

  • Connect the USB-Serial adapter to the infotainment system as pictured (RX to RX, TX to TX and GND to GND). There might be several different adapters, so be sure to look at the pins on your specific adapter.

[Image: Adapter Wiring]

[Image: Adapter Wiring 2]

  • Plug the USB-Serial adapter into the Linux computer. It is important that the Linux computer be a bare-metal computer, not a virtual machine.
  • Turn the infotainment system on.

Instructions

  • Type the following command on the Linux console to connect to the serial console:
sudo screen /dev/ttyUSB0 115200
  • We will see a lot of debugging messages printed to the screen. For the first minute or two after the system is powered on there are many messages; after that they slow, but do not stop. These debugging messages do not affect any commands we are about to run on the infotainment system, so keep typing the following commands even if debug messages obscure or seem to overwrite what you are typing.

  • Press enter to get to the login screen. Log in with the following credentials (Note: the username is root if your infotainment system has a label on it that says Username: root):

    • Username: cmu
    • Password: jci
  • Important: the screen will be spammed with messages, and though they will appear to interrupt what you are typing, the messages on the screen will not change any commands you type. Basically, type confidently and the correct commands will run.
  • Sometimes debugging scripts are left on systems. If we look in the directory /jci we will see many debugging scripts on this system. One that stands out on further investigation is the jci-wifiap.sh script, which appears to set up a wireless access point. This infotainment unit isn't supposed to have Wi-Fi, but the Bluetooth chip used is a combination Wi-Fi/Bluetooth chip, and it appears the developers used the Wi-Fi access point functionality for debugging access.
  • Start the access point by running the following command on the infotainment system:
/jci/bin/jci-wifiap.sh start
  • The infotainment system sets up a new access point. The name of this access point is CMU-MACADDR, where MACADDR is the MAC address of the WiFi chip on the unit. The MAC address is printed on a label on the bottom of the infotainment unit.

[Image: MAC Address]

At this point, you should use a different computer to SSH into the infotainment system. The infotainment system runs a DHCP server, so it will assign IP addresses to computers that connect to it.

SSH Into the Infotainment Device from Windows

  • Find the new WiFi access point and connect.

[Image: Windows WiFi]

  • In the Windows Start menu, launch PowerShell.
  • Run the following command to SSH into the infotainment system.
ssh cmu@192.168.53.1
  • The first time you connect, you will need to enter yes to accept the key fingerprint.
  • Enter the password jci when prompted.
  • Once logged in, any commands you enter will be run on the infotainment system.

[Image: SSH from Windows]

SSH Into the Infotainment Device from Linux

  • As on Windows, you will need to connect to the device's access point.
    • If you are running a Kali VM, you will need to change the network settings so that the network adapter is in bridged mode.
  • Once connected to the new WiFi access point, SSH into the infotainment system by running the following command (again, if your infotainment unit has a label that says Username: root substitute root for cmu in the following command):
ssh cmu@192.168.53.1
  • Enter jci for the password. The SSH console is easier to use than the serial console since you don't have debugging messages being printed to the screen, though the responsiveness of the SSH console is not very good and will often seem to hang.

What Now?

With SSH access into the infotainment system, you can now explore any files or processes running on the Linux system. Below are just a few commands to get you started.

pwd
ls
ls /jci
  • Can you find user data synchronized from smartphones?
  • Can you find any pictures?
  • Can you change the image of the homescreen?

Be cool. Don't delete any files or try to break the system.

At this point, the hardest part of evaluating the infotainment system will be your Linux skills.

Reflection

Which of the following concepts did this exercise involve? How?

  • Defense in Depth
  • Confidentiality
  • Integrity
  • Availability
  • Think Like an Adversary
  • Keep It Simple

Conclusion

Finding debugging scripts and programs on embedded systems can be a powerful way to understand and get access to a system.
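
Added example (not part of the original exercise and not the vendor's code): the same finding seen from the build side, as a release check that flags executable scripts in an unpacked root filesystem which start network services. The tool list, the function names and the sample tree are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example: release-time check for leftover debug scripts in an unpacked
# firmware root filesystem. Pattern list and sample tree are assumptions.

# Tools whose use in a script suggests it opens a network path into the unit.
NET_PATTERN='hostapd|udhcpd|dnsmasq|dropbear|sshd|telnetd|wpa_supplicant'

# audit_rootfs ROOT
# Prints "path<TAB>tools" for each owner-executable script under ROOT that
# references one of the tools above. Paths are shown relative to ROOT.
audit_rootfs() {
    root=${1%/}
    find "$root" -type f -perm -100 | sort | while IFS= read -r f; do
        # Interpreter scripts start with "#!"; compiled binaries are skipped.
        if head -c 2 "$f" | grep -q '^#!'; then
            hits=$(grep -Eow "$NET_PATTERN" "$f" | sort -u | tr '\n' ',') || true
            if [ -n "$hits" ]; then
                printf '%s\t%s\n' "${f#"$root"}" "${hits%,}"
            fi
        fi
    done
}

# make_sample_rootfs: builds a small CONSTRUCTED tree and prints its path.
# File names and contents are hypothetical, not taken from any real unit.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/vendor/bin" "$d/opt/vendor/doc"
    printf '#!/bin/sh\nhostapd -B /etc/hostapd.conf\nudhcpd /etc/udhcpd.conf\n' \
        > "$d/opt/vendor/bin/wifiap-debug.sh"
    printf '#!/bin/sh\ndate -s "$1"\n' > "$d/opt/vendor/bin/set-clock.sh"
    printf 'hostapd is used on the bench only\n' > "$d/opt/vendor/doc/notes.txt"
    chmod 755 "$d/opt/vendor/bin/wifiap-debug.sh" "$d/opt/vendor/bin/set-clock.sh"
    chmod 644 "$d/opt/vendor/doc/notes.txt"
    printf '%s\n' "$d"
}

# Demo: audit the constructed tree, then remove it.
sample=$(make_sample_rootfs)
audit_rootfs "$sample"
rm -rf "$sample"
```

Only the constructed access-point script is reported; the clock script has no matching tool and the notes file is not executable.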