Jianyuan Lab丨Analysis of Automotive Network Security Attack Cases (2)

Author | Tian Zheng, Project Manager, Shanghai Kongan Trusted Software Innovation Research Institute

Source | Jianyuan Lab

Community | Add WeChat ID "TICPShanghai" to join the "Shanghai Kongan 51fusa Security Community"

Introduction: Frequent automotive information security incidents have made the security situation in the automotive industry increasingly tense. At best, these cyber attacks on automobiles disrupt product launches and damage product reputation; at worst, they lead to large-scale recalls or falls in stock price, causing immeasurable economic losses and security costs. This article selects typical examples of network security attacks on intelligent connected vehicles and introduces them in detail.

01 Automotive Information Security Threats

As automobiles continue to develop towards intelligence, networking, electrification and automation, the trend of software-defined vehicles is becoming increasingly prominent. The volume of critical code in intelligent connected vehicles has grown by a factor of 10 to 100, and code vulnerabilities have increased exponentially. At the same time, the number of electronic control units (ECUs) and in-vehicle connections keeps growing, which greatly increases the risk of automobiles coming under information security attack.

Frequent automotive information security incidents in recent years have heightened concerns across society about the prospects of smart cars. For example, at the Black Hat USA conference in 2015, researchers attacked a Jeep Cherokee through its in-car entertainment system, compromised it remotely and obtained the authority to operate key vehicle functions [1]. This incident led directly to Chrysler's global recall of 1.4 million vehicles and prompted the auto industry to take the information security risks of smart cars more seriously.

Since then, the automotive industry has actively responded to information security challenges, but new intelligent connected vehicles equipped with advanced information and communication technologies still cannot completely avoid the threat of cyber attacks. For example, Tencent Keen Lab attacked Tesla twice, in 2016 [2] and 2017 [3], achieving remote attacks on the vehicle without physical contact: exploiting multiple high-risk vulnerabilities in the kernel, browser, MCU firmware, UDS protocol and OTA update process, they compromised Tesla's CID, IC, gateway and autopilot modules, and then handed the vulnerabilities they discovered over to Tesla. In 2019 [4-5], Tencent Keen Lab demonstrated on a variety of BMW vehicles that vulnerabilities in the infotainment system and the telematics communication terminal could be exploited to intrude into the vehicle remotely over wireless, and that security flaws in the central gateway could then be exploited to inject malicious messages into the internal core CAN bus, gaining control of the underlying safety-critical in-vehicle network. In 2020 [6], the 360 Sky-Go team discovered 19 security vulnerabilities in Mercedes-Benz's in-vehicle entertainment console, in-vehicle communication module, IoV communication protocol and back-end services, and chained them into an attack path expected to affect more than 2 million Mercedes-Benz vehicles. "White hat" tactics like these are played out in the automotive security industry to find, report and even fix vulnerabilities in cars.

02 Attack Case Analysis

2.1 Attack Case Introduction

In 2016 [2], Keen Lab chained multiple high-risk security vulnerabilities to attack a Tesla remotely without physical contact. With the car parked, they remotely controlled the sunroof, turn signals, seats, display, doors and locking system; with the car driving, they remotely controlled the wipers, trunk and braking system. Keen Lab entered over wireless (Wi-Fi/cellular), compromised several vehicle systems, including the CID (Center Information Display), IC (Instrument Cluster), Parrot (Wi-Fi and Bluetooth module) and gateway, and then injected malicious CAN messages into the CAN bus. This was the first time anywhere that security researchers remotely compromised a Tesla without physical contact and achieved arbitrary body and driving control.

2.2 Case Analysis

2.2.1 Research object

Keen Lab completed the tests on a Tesla Model S P85 and a P75; the corresponding models and version information are shown in Figure 1 and Table 1 below.


Figure 1 Research Object—Tesla Model S


Table 1 Test vehicle version information

2.2.2 Analysis of attack steps

1) Attack the browser

Before an attack can begin, the attack surface has to be determined. Every Tesla car has a Wi-Fi hotspot provided by the vehicle, and many users save its SSID information on the car for automatic connection. If this Wi-Fi hotspot is forged and the traffic of QtCarBrowser is redirected to the attacker's domain name, a remote attack on the vehicle becomes possible. Additionally, in cellular mode, a crafted domain name combined with phishing or user typing errors can also trigger the browser vulnerabilities remotely, so the exploit can be delivered without physical access.

From the user agent string of the Tesla browser, the researchers inferred that the QtWebKit version was 2.2.x, a version with many known vulnerabilities. After obtaining the QtCarBrowser binary from the Tesla CID, they exploited two of these browser vulnerabilities to obtain a shell on the CID and achieve arbitrary code execution.

The first vulnerability is in the function JSArray::sort(), which is called when JavaScript code invokes the sort() method of an array. The vulnerable code fragment is shown in Figure 2. If the compare function calls JSArray::shiftCount(), the length of m_vector changes and the whole m_vector structure is moved elsewhere, but the local pointer variable storage still points to the old location, resulting in memory corruption. When calling sort() on a non-shifted array triggers this issue, the map field referenced through the local pointer storage always overlaps the m_length field of the new storage structure, causing a crash. By exploiting the vulnerability in JSArray::sort(), the JSCell address can be obtained.


Figure 2 Vulnerable function code fragment

The second vulnerability, CVE-2011-3928, discovered by Keen Lab, can be exploited to leak memory contents. As shown in Figure 3, when multiple Element structures are allocated, after the static_cast the m_data member of HTMLInputElement overlaps the m_next pointer of Element. The second and third Element structures are inserted into the same tag as child elements, so both m_next and m_data point to the third Element structure. Because m_data points to a StringImpl structure, the StringImpl structure overlaps the Element structure: the m_data member of the StringImpl is always the fixed value 1, and the m_length of the StringImpl is always a pointer value, large enough to read the entire memory.


Figure 3 Vulnerability in CVE-2011-3928

2) Local privilege escalation

After obtaining a remote shell through the browser attack, it is still not possible to obtain arbitrary privileges; another vulnerability is needed to escape AppArmor and gain higher privileges than the browser process context. The researchers found that the well-known ARM Linux kernel vulnerability CVE-2013-6282 (a missing access check in a kernel API) still existed on Tesla. Using it, the researchers first patched the setresuid() system call to obtain root privileges and then called reset_security_ops() to disable AppArmor, obtaining arbitrary read/write in the kernel context.

3) Unauthorized access to embedded systems

In addition to the CID, there are three other important independent embedded systems on the Tesla Model S, namely the IC, Parrot and Gateway, shown in Figure 4. Because of flaws in the network design and the lack of strong password protection, the researchers were able to gain root access to all three systems remotely.


Figure 4 Important equipment of the vehicle network

· IC

After obtaining root privileges on the CID, the researchers could log in to the IC as root over SSH with the command "ssh root@ic", without any password.

Access also works in the other direction, from IC to CID. The CID incorporates a key rotation scheme that receives a new random token from the mothership every 24 hours, and it writes that key in clear text to the IC's file system. This means that even someone with access only to the IC can SSH into the CID and obtain root privileges.

· Parrot

The Parrot module is a third-party module (model FC6050W) that integrates Wi-Fi and Bluetooth and connects to the CID over USB. By scanning Parrot's open ports, the researchers found port 23 (Telnet) open. The key weakness is that the Telnet service is anonymous, so the researchers could access and control the Parrot module with the simple command "nc parrot 23".

· Gateway

The Gateway looks much more secure than the IC and Parrot. The researchers first used the gw-diag binary to wake up a backdoor on the Gateway's port 23 and locate the Gateway's shell entry. They then obtained the token by reverse engineering the firmware and gained access to the Gateway.
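The three weaknesses above (root SSH without a password, an anonymous Telnet shell, and a token written in clear text where another module can read it) are configuration problems that can be caught before a vehicle ships. The following audit script is an added example, not code from this page or from Keen Lab's research. The sshd_config fragment, the listener table, the file table and the hypothetical path /etc/ssh/token are constructed; the directives it checks (PermitRootLogin, PermitEmptyPasswords, PasswordAuthentication, PubkeyAuthentication) are standard OpenSSH options.

```python
"""Remote-access audit for an in-vehicle embedded module (added example)."""
import re

# Constructed fragment of the module's /etc/ssh/sshd_config
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real vehicle configuration
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
PubkeyAuthentication no
"""

# Constructed listener table: (protocol, port, process name)
SAMPLE_LISTENERS = [("tcp", 22, "sshd"), ("tcp", 23, "telnetd")]

# Constructed file table: path -> (unix mode, content); the token path is hypothetical
SAMPLE_FILES = {
    "/etc/ssh/token": (0o644, "Ab3dEf9hIjKlMnOpQrStUvWxYz0123456789"),
    "/etc/hostname": (0o644, "ic"),
}

# Crude heuristic: a long opaque string alone on a line looks like a token
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def parse_sshd_config(text):
    """Return {directive_lowercase: value_lowercase}, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key.lower()] = value.strip().lower()
    return opts


def audit_sshd(opts):
    """Flag settings that let a neighbouring module log in as root with no secret."""
    findings = []
    if opts.get("permitemptypasswords") == "yes":
        findings.append("sshd: PermitEmptyPasswords yes (root login with an empty password)")
    if opts.get("permitrootlogin") == "yes":
        findings.append("sshd: PermitRootLogin yes (prefer prohibit-password or no)")
    if opts.get("passwordauthentication", "yes") == "yes" and opts.get("pubkeyauthentication") == "no":
        findings.append("sshd: password-only authentication, public keys disabled")
    return findings


def audit_listeners(listeners):
    """Flag a Telnet listener: clear-text and, in the case above, unauthenticated."""
    return [f"{proc}: Telnet listener on tcp/{port}"
            for proto, port, proc in listeners if proto == "tcp" and port == 23]


def audit_files(files):
    """Flag token-like content in files readable by group or other."""
    findings = []
    for path, (mode, content) in files.items():
        readable_by_others = bool(mode & 0o044)
        if readable_by_others and any(TOKEN_RE.match(l.strip()) for l in content.splitlines()):
            findings.append(f"{path}: token stored in clear text, readable by group/other")
    return findings


def run_audit(config=SAMPLE_SSHD_CONFIG, listeners=SAMPLE_LISTENERS, files=SAMPLE_FILES):
    """Run all three checks and return the combined list of findings."""
    return audit_sshd(parse_sshd_config(config)) + audit_listeners(listeners) + audit_files(files)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed inputs the audit reports five findings: three sshd settings, the Telnet listener and the readable token file. In a real build pipeline the same checks would run against the module's root filesystem image rather than against embedded strings.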

4) ECU programming

By disassembling the CID unit, the researchers found debug and upgrade-related log files on the SD card connected to the gateway ECU. These files describe the whole upgrade process in detail, including sending the hex file to the ECU and configuring the relay switch, and important internal information can be read from the disassembled files.

In the update software, the whole update is controlled by the function at memory address 0x40006AE4. It first performs a security check on the file and sets the working mode so that the car remains physically safe during the update. The researchers then bypassed the integrity check, flashed firmware to the gateway, and successfully programmed custom code into the ECU. The specific steps are as follows:

① Decompress the release.tgz file and check that its checksum value meets the requirements.

② Check whether the archive contains a manifest file, and obtain the version information of the firmware package from it.

③ Process each ".Hex" file in the package: convert the hex file to a binary stream and send the firmware using the UDS protocol. The bootloader on the target chip writes the hex file to flash and checks that the application is valid on every boot. Finally, check whether the firmware has been sent and programmed to the target ECU.

④ After processing all these files, write a log and restart.
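Steps ① to ④ describe an update flow whose integrity check is a checksum, which is why it could be bypassed; the summary of this article notes that Tesla later introduced code signing. The example below is added here and is not taken from the page or from Tesla's update software. It shows the two halves of step ③ and the difference between the two kinds of check: it parses Intel HEX records into a binary image while verifying each record's checksum, then verifies a manifest over the image with a keyed MAC. The HEX records, the manifest layout and MANIFEST_KEY are constructed; an HMAC is used only because the Python standard library has no public-key signature, and a real code-signing scheme would keep only a verification key on the ECU.

```python
"""Intel HEX parsing with record checksums, plus a keyed manifest check (added example)."""
import hashlib
import hmac

# Constructed firmware: a base-address record, two data records, end-of-file
SAMPLE_HEX = """\
:020000040800F2
:0400000001020304F2
:02001000AABB89
:00000001FF
"""
# Same file with one data byte changed and the record checksum left as it was
CORRUPTED_HEX = SAMPLE_HEX.replace(":0400000001020304F2", ":0400000001020305F2")

MANIFEST_KEY = b"constructed-demo-key"  # stand-in for the ECU's verification key


def parse_ihex(text):
    """Return {absolute_address: bytes} for the data records in an Intel HEX file.

    Every record's checksum is verified: the byte sum of the whole record,
    checksum included, must be 0 modulo 256. Raises ValueError otherwise."""
    segments = {}
    base = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        raw = bytes.fromhex(line[1:])          # LL AAAA TT DD.. CC
        if len(raw) < 5 or len(raw) != 5 + raw[0]:
            raise ValueError(f"line {lineno}: length field does not match record")
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: checksum mismatch")
        offset = (raw[1] << 8) | raw[2]
        rtype = raw[3]
        data = raw[4:-1]
        if rtype == 0x00:                       # data
            segments[base + offset] = bytes(data)
        elif rtype == 0x01:                     # end of file
            break
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return segments


def build_image(segments, fill=0xFF):
    """Flatten the segments into (start_address, image), padding gaps with `fill`."""
    if not segments:
        return 0, b""
    start = min(segments)
    end = max(addr + len(data) for addr, data in segments.items())
    image = bytearray([fill]) * (end - start)
    for addr, data in segments.items():
        image[addr - start:addr - start + len(data)] = data
    return start, bytes(image)


def sign_manifest(version, image, key=MANIFEST_KEY):
    """Produce 'version=..', 'sha256=..', 'mac=..' lines; the MAC covers the first two."""
    body = f"version={version}\nsha256={hashlib.sha256(image).hexdigest()}\n"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"mac={tag}\n"


def verify_manifest(manifest, image, key=MANIFEST_KEY):
    """True only if the MAC is valid for the manifest body and the body's hash matches the image."""
    body, _, mac_line = manifest.rstrip("\n").rpartition("\n")
    body += "\n"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not mac_line.startswith("mac=") or not hmac.compare_digest(mac_line[4:], expected):
        return False                            # manifest altered or not signed with the key
    fields = dict(line.split("=", 1) for line in body.splitlines())
    return fields.get("sha256") == hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    start, image = build_image(parse_ihex(SAMPLE_HEX))
    manifest = sign_manifest("2016.1", image)
    print(f"image at {start:#010x}, {len(image)} bytes, manifest ok: {verify_manifest(manifest, image)}")
    try:
        parse_ihex(CORRUPTED_HEX)
    except ValueError as exc:
        print("rejected corrupted file:", exc)
```

The record checksum catches transmission errors (the corrupted sample is rejected), but anyone who can edit the package can recompute it, so it is not an integrity check against an attacker. The manifest check fails when either the image or the manifest's version line is changed, because the attacker would need the key to produce a new MAC.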

5) Gateway reverse engineering and attack

Many important tasks running on the gateway contain vulnerabilities that allow almost any kind of communication with the ECUs on the CAN bus. The researchers could inject arbitrary CAN messages at any time and use patches to block certain necessary CAN signals in order to control the vehicle body. The specific attack process includes:

① The gateway forwards UDP broadcasts on ports 20100 and 20101 to the CAN bus, and the researchers could control the door lock system by forging UDP packets.

② The researchers could replace diagnostic function 0x01 with diagnostic function 0x04, inject CAN messages and send them to the PT-CAN bus with ID 0x45, turning on the lights whether the car was moving or stopped.

③ After locating the relevant structure stored in the firmware, the researchers changed the target ID in the firmware to block certain important messages (such as ID 0x218 on the BDY CAN), so as to open the trunk or disable the automatic locking function while the car is driving.

6) Attack UDS/CAN bus

The Unified Diagnostic Services (UDS) protocol is specified in ISO 14229 and allows diagnostic control of functions on the vehicle's electronic control units (ECUs). By putting the Electronic Stability Program (ESP) ECU into a diagnostic programming session at low speed, the researchers used a Bash shell script to inject UDS frames through the gateway and disable the ESP ECU at low speed. As a result, no vehicle-speed-related CAN messages appeared on the CAN-CH bus, and the real-time speed value on the IC could not be updated while the car was running at high speed. In addition, the vehicle displayed warning messages about the anti-lock braking system (ABS), raising safety concerns about steering and brake failure.


Figure 5 CAN controller made by Keen Lab
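From the defender's side, the gateway attack in 5) and the UDS attack in 6) leave two observable traces on the bus: a periodic message that stops arriving, and a diagnostic session request that appears while the vehicle is moving. The following monitor, an added example rather than Keen Lab's code, checks for both over constructed candump-style lines. ID 0x218 is the body-CAN message named in the text and 0x7E0 is the ISO 15765-4 physical request ID for the first ECU; the speed ID 0x155, its encoding, the 100 ms period and the log lines are constructed.

```python
"""CAN/UDS monitor for a silenced periodic message and an untimely programming session (added example)."""
import re
from dataclasses import dataclass

# candump-style line: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

SPEED_ID = 0x155              # constructed: bytes 0-1 = km/h * 100, big-endian
DIAG_REQ_ID = 0x7E0           # ISO 15765-4 physical request ID, first ECU
PERIODIC = {0x218: 0.100}     # ID from the text; the 100 ms period is constructed
UDS_DIAGNOSTIC_SESSION_CONTROL = 0x10
PROGRAMMING_SESSION = 0x02

# Constructed log: the car is moving, a programming-session request arrives,
# then ID 0x218 goes silent
SAMPLE_LOG = [
    "(0.000) can0 155#03E8",              # speed 10.00 km/h
    "(0.010) can0 218#0000",
    "(0.110) can0 218#0000",
    "(0.150) can0 7E0#0210020000000000",  # ISO-TP SF len 2: SID 0x10, sub-function 0x02
    "(0.210) can0 218#0000",
    "(0.300) can0 155#03E8",
    "(0.600) can0 155#03E8",              # 0x218 has been silent for 0.39 s
]


@dataclass
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_line(line):
    """Parse one candump-style line into a Frame, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Frame(float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"]))


def monitor(lines):
    """Return [(timestamp, message)] alerts for the two conditions."""
    alerts = []
    speed = 0.0
    last_seen = {}        # periodic ID -> timestamp of its last frame
    missing = set()       # periodic IDs already reported as silent
    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue
        # Watchdog: a periodic ID unseen for more than three periods is reported once
        for pid, period in PERIODIC.items():
            if pid in last_seen and pid not in missing and frame.ts - last_seen[pid] > 3 * period:
                alerts.append((frame.ts, f"periodic ID {pid:#05x} missing since {last_seen[pid]:.3f}s"))
                missing.add(pid)
        if frame.can_id in PERIODIC:
            last_seen[frame.can_id] = frame.ts
            missing.discard(frame.can_id)
        if frame.can_id == SPEED_ID and len(frame.data) >= 2:
            speed = int.from_bytes(frame.data[:2], "big") / 100
        # Single-frame ISO-TP: byte 0 = 0x0L length, byte 1 = SID, byte 2 = sub-function
        # (bit 7 of the sub-function is the suppress-positive-response flag)
        if frame.can_id == DIAG_REQ_ID and len(frame.data) >= 3 and frame.data[0] == 0x02:
            sid, sub = frame.data[1], frame.data[2] & 0x7F
            if sid == UDS_DIAGNOSTIC_SESSION_CONTROL and sub == PROGRAMMING_SESSION and speed > 0:
                alerts.append((frame.ts, f"UDS programming session requested at {speed:.1f} km/h"))
    return alerts


if __name__ == "__main__":
    for ts, msg in monitor(SAMPLE_LOG):
        print(f"[{ts:.3f}] ALERT: {msg}")
```

On the sample log the monitor raises two alerts: the programming-session request at 0.150 s while the car is moving, and the silence of ID 0x218 detected at 0.600 s. A gateway or intrusion-detection ECU would apply the same two rules to live traffic; the watchdog rule is what makes a message-blocking patch of the kind described in 5) visible, since the injected traffic itself may look legitimate.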

03 Summary

This article has introduced the vulnerabilities and related technical details involved in Keen Lab's research into remotely controlling the Tesla Model S. This incident is the first typical case of a remote attack that used the CAN bus to control a Tesla vehicle in both parking and driving modes. In the end, Keen Lab handed its research report and the vulnerabilities over to Tesla. Tesla responded within 10 days and used its OTA mechanism to fix the vulnerabilities and update security in the browser, kernel and ECU firmware, introducing code-signing protection to Tesla vehicles to protect the on-board systems.

References:

[1] Charlie Miller, Chris Valasek. Remote exploitation of an unaltered passenger vehicle [C]. Black Hat USA, 2015.

[2] Keen Security Lab of Tencent. Free-fall: hacking Tesla from wireless to CAN bus [C]. Black Hat USA, 2016.

[3] Keen Security Lab of Tencent. Over-the-air: how we remotely compromised the gateway, BCM, and autopilot ECUs of Tesla cars [C]. Black Hat USA, 2017.

[4] Cai Zhiqiang, Wang Aohui, Zhang Wenkai, Gruffke M, Schweppe H. 0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars [C]. Black Hat USA, 2019.

[5] Keen Security Lab of Tencent. Experimental Security Assessment of BMW Cars: A Summary Report [EB/OL]. https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdf, 2018.

[6] 360 Sky-Go group. Security Research Report on Mercedes-Benz Cars [EB/OL]. https://skygo.360.net/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf, 2020.

Origin blog.csdn.net/TICPSH/article/details/132164924