Popular Car Hacks
The first notable academic publications on security analyses of modern vehicles were published by Koscher et al. in 2010 [KoscherCzeskisRoesner+10], followed by a publication from Checkoway et al. in 2011 [CMK+11]. The whole research field reached a broad audience after the publications of Miller and Valasek in 2013, 2014, and 2015, in which they demonstrated the remote exploitation of an unaltered passenger vehicle [MV13, MV14, MV15]. The German car manufacturer BMW was targeted by Spaar, who demonstrated a remote attack on the locking mechanism in 2015 [Spa15a]. The story continues with publications from the Tencent Keen Security Lab about the remote exploitation of a Tesla Model S in 2016 and the remote exploitation of multiple BMW models in 2018 [Lab16, Lab18]. A smaller publication targeted the car brands Volkswagen and Audi in 2018 [BV18].
In 2016, Craig Smith published the book The Car Hacker’s Handbook [Smi16]. The book documents techniques and tools used by the Open Garages community, which in 2014 started a movement around all kinds of software modifications of vehicles.
Since 2019, the Pwn2Own competition, hosted by the Zero Day Initiative, has included a Tesla car among its hacking targets [Ini20]. Every year since, attendees have demonstrated their skills and successfully broken into the car's web browser, which rewarded them with ownership of the hacked car in addition to a cash prize.
These important publications raised public awareness of security in a safety-critical system, the passenger vehicle. OEMs could no longer ignore the necessity of security engineering and security testing for their vehicles. The effects of these publications are already visible in the electrical design of modern vehicles: insecure network topologies were abolished and security measures for ECU software were introduced. Nonetheless, the challenge of providing secure vehicles is immense. For years, security was not a major part of vehicle engineering, and the ecosystem that OEMs have built around connected cars is huge and complex. Software and firmware management in a modern car, even within a single ECU, is already a challenging task.
A new standard, ISO/SAE 21434 Road vehicles – Cybersecurity engineering, which requires security engineering and penetration testing during the development process of any vehicle for the European market, will become valid in November 2020. This can also be interpreted as a direct consequence of the publications above.
Dieter Spaar: Beemer, Open Thyself!
[Spa15b]
Attack against BMW’s remote control features
Smartphone application to lock and unlock vehicles
Shared cryptographic secrets
Implementation flaws in the NGTP communication protocol
Spaar could open arbitrary vehicles through a malicious BTS (a rogue GSM base station)
He managed to remotely change a victim’s car configuration to enable the required remote features

Fig. 8 Attack overview
Miller & Valasek: Remote Exploitation of an Unaltered Passenger Vehicle
[MV15]
Full control over a vehicle through a remote attack
The vehicle exposed highly sensitive services on various ports
Accessible through the vehicle’s IP address
Absence of a private APN
Connection to vulnerable cars over the Internet
Exposed software update services of arbitrary ECUs
No firmware signature mechanism in place
Remote CAN bus access through malicious firmware modifications
Cyber-physical functions could be triggered by silencing ECUs with safety functions (steering, braking)
Nie et al.: Free-Fall – Hacking Tesla from Wireless to CAN Bus
[SN17]
Remote exploitation of a Tesla Model S
Attack chain to compromise the entire vehicle, based on an already known browser exploit (CVE-2011-3928)
Local privilege escalation bug in Linux allowed full control over the MMU (the central component in Tesla’s architecture) (CVE-2013-6282)
The MMU can provide software updates to other ECUs
No firmware signature for the vehicle gateway ECU
Full control over all vehicle buses through malicious gateway firmware

Fig. 9 Important components. CID (Central Information Display), IC (Instrument Cluster), Parrot Wi-Fi and Bluetooth module as part of the CID
A CID teardown was performed and documented by PenTestPartners [Pen20].
Cai et al.: 0-days & Mitigations – Roadways to Exploit and Secure Connected BMW Cars
[CWZ19]
Remote exploitation of an unaltered BMW vehicle
Two very complex attack chains were used
Attack chain 1:
Web browser exploit on the MMU as the remote entry point
TOCTOU attack against internal diagnostic services allowed them to send arbitrary UDS messages
Implementation flaws in the UDS protocol of the CGW (central gateway) allowed the escalation to all internal communication systems
Attack chain 2:
Buffer overflow in the provisioning feature of the NGTP protocol gave RCE on the TCU (telematics control unit)
A vulnerable diagnostic service allowed them to send arbitrary messages onto the vehicle’s CAN bus
Implementation flaws in the UDS protocol of the CGW allowed the escalation to all internal communication systems

Fig. 10 Attack chain
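Both the Miller & Valasek chain (unsigned update services reachable from the head unit) and the two Cai et al. chains (UDS flaws in the central gateway) depend on an infotainment or telematics domain being able to route diagnostic requests into the vehicle's internal buses. The following added example, which is not code from any of the cited publications, models the gateway-side control that contains this: a deny-by-default UDS routing policy per source domain with ISO-TP multi-frame tracking. The domain names, the policy table and the `Gateway` class are assumptions for illustration.

```python
# Added example (not from any cited paper): deny-by-default UDS routing at a
# central gateway. Domain names and the policy table are assumptions.

# UDS service identifiers (ISO 14229-1).
READ_DATA_BY_ID, READ_DTC_INFO = 0x22, 0x19
DIAG_SESSION_CONTROL, SECURITY_ACCESS, ECU_RESET = 0x10, 0x27, 0x11
WRITE_DATA_BY_ID, REQUEST_DOWNLOAD, TRANSFER_DATA = 0x2E, 0x34, 0x36

# Assumed policy: only the OBD port may route programming services inward;
# the head unit and telematics unit get read-only diagnostics.
POLICY = {
    "OBD": {READ_DATA_BY_ID, READ_DTC_INFO, DIAG_SESSION_CONTROL, SECURITY_ACCESS,
            ECU_RESET, WRITE_DATA_BY_ID, REQUEST_DOWNLOAD, TRANSFER_DATA},
    "HEAD_UNIT": {READ_DATA_BY_ID, READ_DTC_INFO},
    "TELEMATICS": {READ_DATA_BY_ID, READ_DTC_INFO},
}

def is_uds_request(can_id: int) -> bool:
    # ISO 15765-4 request IDs: physical 0x7E0-0x7E7, functional 0x7DF.
    return can_id == 0x7DF or 0x7E0 <= can_id <= 0x7E7

def uds_service_id(data: bytes):
    """SID from an ISO-TP single or first frame; None for other frame types."""
    pci_type = data[0] >> 4 if data else None
    if pci_type == 0x0 and len(data) >= 2:  # single frame: [0x0L, SID, ...]
        return data[1]
    if pci_type == 0x1 and len(data) >= 3:  # first frame: [0x1L, LL, SID, ...]
        return data[2]
    return None

class Gateway:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.open_transfers = set()  # (domain, can_id) of allowed multi-frame requests

    def route(self, src_domain: str, can_id: int, data: bytes) -> str:
        if not is_uds_request(can_id):
            return "FORWARD"  # ordinary signal traffic is outside this policy
        key = (src_domain, can_id)
        if data and data[0] >> 4 == 0x2:  # consecutive frame of a multi-frame request
            return "FORWARD" if key in self.open_transfers else "DROP"
        sid = uds_service_id(data)
        if sid is None or sid not in self.policy.get(src_domain, set()):
            self.open_transfers.discard(key)
            return "DROP"
        if data[0] >> 4 == 0x1:
            self.open_transfers.add(key)  # the rest of this request may pass
        else:
            self.open_transfers.discard(key)
        return "FORWARD"
```

A RequestDownload (0x34) from the head unit is dropped while the same frame from the OBD port is forwarded; consecutive frames are only passed when an allowed first frame opened the transfer.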
TBONE – A zero-click exploit for Tesla MCUs
[WS20]
Research for Pwn2Own 2020
Tesla vehicles connect automatically to the Tesla Service SSID
ConnMan 1.37 was used inside Tesla vehicles
They fuzzed a DNS handling function of ConnMan offline
Finally they obtained RCE through a stack overflow
This research only targeted the MMU of Tesla vehicles
Bonus: this attack was launched from a drone, 100 m above the vehicle
Mercedes-Benz MBUX Security Research Report
[Lab20]
Very detailed research on the architecture of Mercedes-Benz vehicles
The head unit was attacked via a browser exploit
Some, but very limited, vehicle functions could be triggered from the head unit (ambient light, reading light, and sunshade cover)

Fig. 12 Possible attack chains. Airbag Control Module, Electronic Ignition System
Computest Services B.V. The Connected Car - Ways to get unauthorized access and potential implications. Apr 2018. https://www.computest.nl/documents/9/The_Connected_Car._Research_Rapport_Computest_april_2018.pdf.
Zhiqiang Cai, Aohui Wang, and Wenkai Zhang. 0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars. In BlackHat USA, 1–37. Aug 2019. https://i.blackhat.com/USA-19/Thursday/us-19-Cai-0-Days-And-Mitigations-Roadways-To-Exploit-And-Secure-Connected-BMW-Cars-wp.pdf.
Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Conference on Security, SEC’11, 1–6. USA, 2011. USENIX Association.
Zero Day Initiative. Pwn2Own Vancouver 2019: Wrapping Up and Rolling Out. 2020 (accessed February 29, 2020). https://www.zerodayinitiative.com/blog/2019/3/22/pwn2own-vancouver-2019-wrapping-up-and-rolling-out.
Tencent Keen Security Lab. Car Hacking Research: Remote Attack Tesla Motors. 2016. https://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/.
Tencent Keen Security Lab. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. 2018. https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/.
Tencent Keen Security Lab. Mercedes-Benz MBUX Security Research Report. 2020. https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf.
Charlie Miller and Chris Valasek. Adventures in Automotive Networks and Control Units. DEF CON 21 Hacking Conference. Las Vegas, NV: DEF CON, August 2013. http://illmatics.com/car_hacking.pdf.
Charlie Miller and Chris Valasek. A Survey of Remote Automotive Attack Surfaces. DEF CON 22 Hacking Conference. Las Vegas, NV: DEF CON, August 2014.
Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. DEF CON 23 Hacking Conference. Las Vegas, NV: DEF CON, August 2015.
PenTestPartners. Reverse Engineering Tesla Hardware. 2020. https://www.pentestpartners.com/security-blog/reverse-engineering-tesla-hardware/.
Sen Nie, Ling Liu, and Yuefeng Du. Free-Fall: Hacking Tesla from Wireless to CAN Bus. 2017. https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf.
Craig Smith. The Car Hacker’s Handbook: A Guide for the Penetration Tester. No Starch Press, USA, 1st edition, 2016. ISBN 1593277032.
Dieter Spaar. Beemer, Open Thyself! – Security vulnerabilities in BMW's ConnectedDrive. February 2015. https://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html.
Ralf-Philipp Weinmann and Benedikt Schmotzle. TBONE – A zero-click exploit for Tesla MCUs. October 2020. https://kunnamon.io/tbone/tbone-v1.0-redacted.pdf.
K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental Security Analysis of a Modern Automobile. In 2010 IEEE Symposium on Security and Privacy, 447–462. May 2010. doi:10.1109/SP.2010.34.