Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit

Last month, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile.

The Sony XAV-AX5500 is an aftermarket vehicle head unit. This head unit supports many technologies that encompass its attack surface. This post endeavors to introduce the Sony XAV-AX5500, describe the relevant technologies in the head unit, and identify the attack surface present in the device.

Sony XAV-AX5500 Attack Surface Summary

Broadly speaking, the attack surface of the device can be broken down into the following categories:

— WebLink by Abalta Technologies
— Apple CarPlay 
— Android Auto
— SiriusXM Satellite Radio
— Bluetooth connectivity
— USB media
— Radio Data System (RDS)
— Open-Source Software

Sony XAV-AX5500 Documentation

The following links provide details from the manufacturer about the XAV-AX5500 head unit. They provide a high-level description of the technologies used in the device.

— Sony XAV-AX5500 Product Page
— Sony XAV-AX5500 Documentation Download
— Sony XAV-AX5500 Firmware Download
— Sony XAV-AX5500 Specifications
— Sony XAV-AX5500 Help Guide
— Sony XAV-AX5500 Help Guide - Description of USB port capabilities

WebLink by Abalta Technologies

The Sony XAV-AX5500 uses the WebLink application by Abalta Technologies. This application enables both Apple CarPlay and Android Auto support on the device. When connecting a mobile phone to the head unit over USB, the user must launch the WebLink application to activate Apple CarPlay or Android Auto. 

In addition to enabling the driver’s preferred driving assistance technologies, the WebLink application also provides its own set of features. These features potentially expand the attack surface of both the Sony XAV-AX5500 and the connected mobile phone.

The first application with the greatest potential for misuse is the “Cast” feature of WebLink. The Cast feature displays the touch interface of the connected handset. This allows the user to control their phone directly from the Sony XAV-AX5500 touchscreen. The Cast feature requires the user to grant permissions from their mobile device. Additionally, each time a Cast connection is initiated, the user must allow this linking from the connected handset. This potentially limits the security exposure. Once permission is given, any application on the phone may be launched from the head unit. The Sony XAV-AX5500 will then have near complete control over phone functionality, including the ability to change the configurations on the handset and access sensitive user data. If the head unit is compromised by an attacker, the attacker might leverage the Cast features to access or modify data on the handset.

The second WebLink feature with a potential for misuse is the “Music” feature of WebLink. This feature displays information about the songs currently playing on the handset. The potential for abuse by connecting a malicious handset is not fully known at this time but does present a potential attack surface.

Other applications come bundled with WebLink, such as an integration with the Waze Satellite navigation application on the connected handset. It also implements a native YouTube application.

Apple CarPlay

The Sony XAV-AX5500 supports the Apple CarPlay driver assistance technology. The connected handset must have the WebLink application installed for CarPlay to be accessible on the head unit. Once the handset is connected, WebLink will establish a CarPlay session with the device. The security implications of this manner of integration are currently unknown.

Once the CarPlay session is established, the head unit and connected handset communicate over USB in a manner that appears identical to the observed communications that happen between a connected handset and head units sold by other manufacturers.

Apple CarPlay communication between the head unit and connected handset operates over USB using an IPv6 connection. During connection initiation, the head unit and connected handset exchange a small amount of information in plain text. Some of this communication includes the transfer of binary Apple plist data. After this initial configuration is established, the connected handset initiates an encrypted TLS session with the head unit. Further research into this communication will be needed to assess the security of the CarPlay communication over USB and IPv6.

Android Auto

The Sony XAV-XV5500 also supports the Android Auto driver assistance technology. The connected handset must have the WebLink application installed for Android Auto to be accessible on the head unit. Once the handset is connected, WebLink will establish an Android Auto session with the head unit. The security implications of this manner of integration are currently unknown.

Trend Micro researchers are conducting further research to better understand the communication that occurs between the Sony XAV-AX5500 and connected Android handsets. Further work in this area will help determine what the attack surface exposes and how attacks against the implementation of Android Auto function on the head unit.

SiriusXM Satellite Radio

The Sony XAV-AX5500 ships bundled with a receiver for SiriusXM satellite radio. This receiver connects to a ten-pin connector on the rear of the device. The communication using this receiver represents a potential attack surface against the head unit. However, an attacker may have to defeat layers of security in the signal received from the SiriusXM network in order to attempt an attack against the Sony XAV-AX5500 over this communication channel. 

In addition to radio layer attacks against the receiver, there is the potential for attacks over the local communication between the SiriusXM receiver and the Sony XAV-AX5500. This part of the threat model may not be in scope for Pwn2Own Automotive, as attacks against this require uncontrolled physical access to the device. Moreover, unlike attacks over the USB bus, which require casual physical access, the connector for the SiriusXM receiver is not available to passengers of a vehicle without removing the entire unit from the dashboard to access the connector on the rear of the head unit.

Bluetooth Communications

The Sony XAV-AX5500 provides support for using Bluetooth communications with a compatible mobile handset. This allows the head unit to access the connected handset to make phone calls, play audio, and other potential uses. The supported profiles and other Bluetooth support are identified in the user manual for the head unit.

From the user guide provided by the vendor:

Frequency band:
2.4 GHz band (2.4000 GHz – 2.4835 GHz) Modulation method: FHSS
Compatible BLUETOOTH Profiles*2:
A2DP (Advanced Audio Distribution Profile) 1.3 AVRCP (Audio Video Remote Control Profile) 1.3 HFP (Handsfree Profile) 1.6
PBAP (Phone Book Access Profile) 1.1
Corresponding codec: SBC, AAC

USB Media Connections

The Sony XAV-AX5500 makes extensive use of the USB bus for connecting handsets. The head unit also supports other types of USB devices, such as media players and USB storage devices. The device supports multiple types of media file codecs for playback.

The Sony XAV-AX5500 also supports several versions of the FAT file system. Devices that support this file system type often implement support in a file system driver. These types of system drivers are subject to parsing specially crafted file systems. If a vulnerability in the head unit file system driver is present, an attacker with casual physical access might be able to perform attacks against the head unit file system driver if they connect a properly crafted file system. 

The Sony XAV-AX5500 supports several media codecs for playback on the head unit. These include many of the most widely used audio codecs, including MP3, WAV, AAC, and other media formats. The head unit also supports several widely used video codecs, such as MPEG-4 and WMV. Media formats such as these are complex data streams. The parsing of these codecs can be prone to containing parsing errors, and these errors can potentially have a security impact on the code that performs the parsing.

Radio Data System (RDS)

The Sony XAV-AX5500 implements support for the Radio Data System (RDS) standard. This standard defines a method for the transmission of digital information in conventional FM radio broadcasts. This represents an unauthenticated source of data that is processed by the head unit. There are a number of data formats supported by this standard. Many of the data fields are limited in size as defined in the standard. The Trend Micro research team has not investigated the RDS implementation in the Sony XAV-AX5500, and its security risk is currently unknown.

Open Source Software

This information is gathered from the Sony touchscreen. The years are provided here as a start to trying to identify the version in use. A better method would be to get the file system image of the device to get better information.

— OpenSSL (1998-2018)
— LwIP (2001-2004)
— libpng (1995-2018)
— zlib (1995-2017)
— md5 (RSA md5 1990)
— unrarlib (2000-2002)
— BidiReferenceCpp (1991-2012)
— LibYuv (2011)
— LZ4 (2011-2016)

Further research into the software used by the head unit is warranted.

Sony XAV-AX5500 Hardware Details

The Sony XAV-AX5500 comprises two circuit boards. The display board hosts the main display screen, as well as all the other user interface buttons on the unit. The primary board connects to the vehicle and hosts the primary ARM CPU and wireless modules. More research will be done to better identify these devices.

Detailed images of the Sony XAV-AX5500 PCBs are provided as follows:

Summary

While these may not be the only attack surfaces available on the Sony XAV-AX5500 head unit, they represent the most likely avenues a threat actor may use to exploit the device. Sony has long been a leader in innovative radio and consumer devices. From their simple transistor radios in the 1950s to the ubiquitous Walkman of the 1980s to the world's first car mini-disc player in the 1990s, Sony has consistently advanced entertainment technology. It will be interesting to see if the security of their devices has kept up with their other innovations. We’re excited to see what research is displayed in Tokyo during the event.

Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.