The first half of 2022 started with a vulnerability in Tesla vehicles that allowed attackers to control some vehicle functions. The flaw sat in a third-party application and highlighted once more that vehicles have become a platform on which more and more third-party software is installed.

Thereafter followed a number of vulnerabilities in keyless entry systems. New relay attacks showed that ultra-wideband (UWB) ranging is currently the only approach that provides sufficient protection against them. Other vulnerabilities also made car theft easier: two Tesla models allowed a new key to be enrolled while the car was unlocked with an NFC card, and the Hyundai and Kia hack went viral on social networks such as TikTok. Video instructions showed how to start the engine of vehicles without push-button start using nothing more than a USB cable. The hack spread to the extent that cities are even considering legal action against the car makers because of the increase in thefts and the violence that came with them.

We also reported and updated our readers on several supply chain attacks in which automotive suppliers were hit by ransomware, for example Kojima-Toyota, TB Kawashima, and Nichirin-Flex USA.

Next to car thefts and attacks on the supply chain, we also reported on BROKENWIRE, an attack that denies vehicle charging wirelessly from up to 47 metres away using off-the-shelf radio hardware.
The half-year report by Upstream gives a more detailed summary of the first half of 2022. The report emphasizes that the number of vulnerabilities in charging stations is growing and that charging infrastructure 'could be the Achilles heel'. Next, the report finds that APIs to mission-critical vehicle systems are increasingly under attack. Third and last, Upstream points to attacks at a global level, such as supply chain attacks and attacks against commercial vehicle fleets.
The path to hacking one's own vehicle to ultimately run one's own software
A user named greenluigi1 describes their journey of hacking their own vehicle. It all started in 2021 when they bought a Hyundai Ioniq SEL.
Greenluigi1, a passionate programmer, was quick to enter the engineering mode, as guides on how to enter it, including the password, were already out on the Internet. The author describes in detail how they continued, from hoping to find an open ADB port to looking into the log files. The latter gave them insights into the system and its components. To get further into the system, the author figured they needed to exploit one of the applications, and doing that requires reverse engineering them first.
The manufacturer's software update site allowed them to download an update for another vehicle. This update, however, is a password-protected zip archive, and a brute-force password cracker trying passwords of up to 12 characters didn't work. After trying different approaches, the author found a tool implementing a known-plaintext attack on the zip's legacy (ZipCrypto) encryption: all it needs is at least 12 bytes of plaintext from one file that is also inside the encrypted archive to potentially decrypt the entire archive. The attack only applies to that legacy scheme; archives using the AES-based WinZip encryption are not affected. After finding a similarly named file of fitting size (and after some usage errors by the author), they were finally able to extract the entire archive and start reverse engineering the applications.
Inspecting the extracted files also revealed that a driver for a USB-to-Ethernet adapter was installed. Again, it took some tinkering to change the MAC address of the programmer's USB network adapter, but they ultimately managed to reach the system over the network, only to find that this gave them no additional access rights. So back to the extracted files, which turned out to be encrypted.
Inspecting the open-source code from the Hyundai MOBIS Open Source Center turned up a file named "linux_envsetup.sh" which presumably creates the zip files for the updates. The script revealed the encryption call including the keys. At first, the author thought it was just an example: googling the key showed it was the example key from a public AES-128-CBC code sample, so it shouldn't have worked. But it did! The same applied to the RSA private key.
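The check a release engineer would want on a packaging script like linux_envsetup.sh is mechanical: find every hex key and IV literal in the script and flag any that match a published test vector. Below is an added example of such a scanner; it is not code from greenluigi1's write-up or from Hyundai MOBIS. The page does not say which example key Hyundai's script used, so the list of known keys is an assumption: the AES keys printed in FIPS-197 and NIST SP 800-38A, which tutorials copy verbatim. The build script it scans is constructed for the example and only mimics the pattern of calling `openssl enc` with a pasted key and IV.

```python
import re

# Published AES example/test-vector keys (hex, lowercase). They appear in
# FIPS-197 and NIST SP 800-38A and are copied into countless tutorials, so any
# build script that encrypts with one of them is encrypting with a public key.
# Which example key Hyundai's script actually used is not stated on this page;
# this list is an assumption used for illustration.
KNOWN_EXAMPLE_KEYS = {
    "000102030405060708090a0b0c0d0e0f",                                  # FIPS-197 Appendix C.1
    "2b7e151628aed2a6abf7158809cf4f3c",                                  # SP 800-38A, AES-128
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",                  # SP 800-38A, AES-192
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",  # SP 800-38A, AES-256
}

# A 16-, 24- or 32-byte hex literal that is not part of a longer hex run.
HEX_LITERAL_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})(?![0-9a-fA-F])"
)
# Context that marks a hex literal as key material rather than, say, a checksum:
# `openssl enc -K <key> -iv <iv>`, or a variable named key/iv/secret/password.
KEY_CONTEXT_RE = re.compile(r"-K\s|-iv\s|\bkey\b|\biv\b|secret|passw", re.IGNORECASE)


def classify(literal, line):
    """Return a finding reason for a hex literal, or None if it looks benign."""
    if literal in KNOWN_EXAMPLE_KEYS:
        return "published example/test-vector key"
    if len(set(literal)) <= 2:
        return "low-entropy literal"
    if KEY_CONTEXT_RE.search(line):
        return "hardcoded key material in build script"
    return None


def find_hardcoded_keys(script_text):
    """Scan a shell build script; return [(line_no, hex_literal, reason), ...]."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop shell comments
        for match in HEX_LITERAL_RE.finditer(code):
            literal = match.group(1).lower()
            reason = classify(literal, code)
            if reason:
                findings.append((line_no, literal, reason))
    return findings


# Constructed stand-in for an update-packaging script. It is NOT the real
# linux_envsetup.sh; it only mimics calling `openssl enc` with a key and IV
# pasted from a document. The EXPECTED line holds a SHA-256 digest, which the
# scanner must not mistake for a key.
SAMPLE_BUILD_SCRIPT = """\
#!/bin/sh
# package the infotainment update (constructed example)
IMG=update.img
openssl enc -aes-128-cbc -K 2b7e151628aed2a6abf7158809cf4f3c -iv 000102030405060708090a0b0c0d0e0f -in $IMG -out $IMG.enc
EXPECTED=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
sha256sum $IMG.enc
"""

if __name__ == "__main__":
    for line_no, literal, reason in find_hardcoded_keys(SAMPLE_BUILD_SCRIPT):
        print(f"line {line_no}: {literal[:8]}... -> {reason}")
```

Run against the sample, the scanner reports the key and the IV on line 4 as published test vectors and ignores the digest on line 5. The same pass belongs in CI for any script that packages or signs firmware; the fix it points to is generating keys with a CSPRNG and loading them from a secrets store at build time, never from the script itself.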
Since there was no firmware update available for the author's vehicle model, they needed to wait. Once a new update arrived, greenluigi1 could start working on a backdoor. Writing a simple backdoor was easy; however, the new update had changed the password for entering the engineering mode! Inspecting the files revealed how the four-digit PIN is generated, and voilà. The Python shell didn't work, but the author cleverly had a backup plan: a script that connects to the notebook's auto-assigned IP address as soon as the USB network adapter is attached. With that, the second stage, total control over the infotainment system, was achieved.
The third stage was writing software of their own. After some initial library issues, everything was set up and the first simple application was working. In the end the author was able to build a graphical UI with Qt Creator that demonstrated locking and unlocking the vehicle from their own application.
Reading this journey shows that it is not that easy to hack the infotainment system of a modern car; however, due to some really bad mistakes by the developers, such as shipping the example keys for the AES and RSA encryption, it took only one persistent programmer to do it. Any key that appears in a standard, a tutorial or a code sample is public, and an update mechanism built on it offers no more protection than an unencrypted, unsigned one.
Written by Thomas Rosenstatter