# Popular Car Hacks
The first notable academic publications on security analyses of modern vehicles came from Koscher et al. in 2010 [KoscherCzeskisRoesner+10], followed by Checkoway et al. in 2011 [CMK+11]. The research field reached a broad audience after the publications of Miller and Valasek in 2013, 2014, and 2015, in which they demonstrated the remote exploitation of an unaltered passenger vehicle [MV13, MV14, MV15]. The German car manufacturer BMW was targeted by Spaar, who demonstrated a remote attack on the locking mechanism in 2015 [Spa15a]. The story continues with publications from the Tencent Keen Security Lab on the remote exploitation of a Tesla Model S in 2016 and of multiple BMW models in 2018 [Lab16, Lab18]. A smaller publication targeted the car brands Volkswagen and Audi in 2018 [BV18].
In 2016, Craig Smith published the book The Car Hacker's Handbook [Smi16]. The book documents techniques and tools used by the Open Garages community, which in 2014 started a movement around all kinds of software modifications of vehicles.
Since 2019, the Pwn2Own competition, hosted by the Zero Day Initiative, has included a Tesla car among its hacking targets [Ini0)]. Every year since, attendees have demonstrated their abilities and successfully broken into the car's web browser, which rewards them with ownership of the hacked car in addition to a cash prize.
These publications raised public awareness of security in a safety-critical system, the passenger vehicle. OEMs could no longer ignore the necessity of security engineering and security testing for their vehicles. The effects of these publications are already visible in the electrical design of modern vehicles: insecure network topologies were abolished and security measures for ECU software were introduced. Nonetheless, the challenge of providing secure vehicles is immense. For years, security was not a major part of vehicle engineering, and the ecosystem that OEMs have built around connected cars is huge and complex. Software and firmware management in a modern car, even within a single ECU, is already a challenging task.
A new ISO/SAE standard, ISO/SAE 21434 Road vehicles – Cybersecurity engineering, which mandates security engineering and penetration testing during the development process of any vehicle for the European market, will become valid in November 2020. This can also be interpreted as a direct consequence of the publications described above.
## Dieter Spaar: Beemer, Open Thyself!

[Spa15b]

- Attack against BMW's remote control features
- Smartphone application to lock and unlock vehicles
- Shared cryptographic secrets
- Implementation flaws in the NGTP communication protocol
- Spaar could open arbitrary vehicles through a malicious BTS
- He managed to remotely change a victim's car's configuration to enable the required remote features
![../../_images/ad-789adb42f0c8aba1.jpeg](../../_images/ad-789adb42f0c8aba1.jpeg)

Fig. 10 Attack overview
## Miller & Valasek: Remote Exploitation of an Unaltered Passenger Vehicle

[MV15]

- Full control over a vehicle through a remote attack
- Vehicle exposed highly sensitive services on various ports
- Accessible through the vehicle's IP address
- Absence of an APN
- Connection to vulnerable cars over the Internet
- Exposed software update services of arbitrary ECUs
- No firmware signature mechanisms in place
- Remote CAN bus access through malicious firmware modifications
- Cyber-physical functions could be triggered by silencing ECUs with safety functions (steering, braking)
## Nie et al.: Free-Fall - Hacking Tesla from Wireless to CAN Bus

[SN17]

- Remote exploitation of a Tesla Model S
- Attack chain to compromise the entire vehicle, based on an already known browser exploit (CVE-2011-3928)
- Local privilege escalation bug in Linux allowed full control over the MMU (central component in Tesla's architecture) (CVE-2013-6282)
- MMU can provide software updates to other ECUs
- No firmware signature for the vehicle gateway ECU
- Full control over all vehicle buses through malicious gateway firmware
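Two of the attacks summarized above (Miller & Valasek [MV15] and Free-Fall [SN17]) hinged on the same gap: an ECU or gateway that accepted a firmware update without verifying a signature, so a modified image could be flashed and the CAN bus reached from it. The following is an added example, not code from any of the cited papers or from an OEM. It shows the shape of the check a flashing routine should perform before writing any payload: parse a signed image, verify an Ed25519 signature over header and payload, and refuse downgrades. The image layout (`FWIM` magic, version, length, payload, signature), the in-memory key pair and the sample payload are all constructed for this illustration and do not correspond to any real vehicle format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any OEM's format):
//
//	magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
//
// The Ed25519 signature covers everything before it, so header fields (including
// the version used for rollback protection) cannot be altered without detection.
const (
	imageMagic = "FWIM"
	headerLen  = 12
	sigLen     = ed25519.SignatureSize
)

// ErrBadImage is wrapped by every rejection reason so callers can match on it.
var ErrBadImage = errors.New("firmware image rejected")

// Image is the parsed result of a successfully verified firmware image.
type Image struct {
	Version uint32
	Payload []byte
}

// GenerateSigningKey creates the OEM-side signing key pair. Only the public key
// would be provisioned into the ECU; the private key stays in the signing service.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage assembles and signs an image (the signing-service side).
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(body[0:4], imageMagic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the ECU-side check that must pass before any byte of the
// payload is written to flash. minVersion is the version currently installed,
// so downgrades to an older (possibly vulnerable) release are refused.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) (*Image, error) {
	if len(img) < headerLen+sigLen {
		return nil, fmt.Errorf("%w: image too short (%d bytes)", ErrBadImage, len(img))
	}
	if string(img[0:4]) != imageMagic {
		return nil, fmt.Errorf("%w: bad magic", ErrBadImage)
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// The length field must match the bytes actually present; a mismatch means
	// truncation, padding, or a forged header.
	if uint64(payloadLen) != uint64(len(img)-headerLen-sigLen) {
		return nil, fmt.Errorf("%w: payload length mismatch", ErrBadImage)
	}
	body := img[:len(img)-sigLen]
	sig := img[len(img)-sigLen:]
	// Verify the signature before trusting any header field for policy decisions.
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("%w: signature verification failed", ErrBadImage)
	}
	if version < minVersion {
		return nil, fmt.Errorf("%w: version %d older than installed %d (rollback)", ErrBadImage, version, minVersion)
	}
	return &Image{Version: version, Payload: img[headerLen : headerLen+int(payloadLen)]}, nil
}

func main() {
	pub, priv := GenerateSigningKey()
	img := BuildImage(priv, 7, []byte("constructed ECU application payload"))

	if parsed, err := VerifyImage(pub, 5, img); err != nil {
		fmt.Println("unexpected rejection:", err)
	} else {
		fmt.Printf("accepted version %d, %d payload bytes\n", parsed.Version, len(parsed.Payload))
	}

	// One flipped payload byte, as a modification of the image in transit would cause.
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xff
	_, err := VerifyImage(pub, 5, tampered)
	fmt.Println("tampered image:", err)

	// A correctly signed but older release is refused as a rollback.
	old := BuildImage(priv, 3, []byte("older release"))
	_, err = VerifyImage(pub, 5, old)
	fmt.Println("old image:", err)
}
```

The order of the checks matters: length and magic are validated first so that the parser never indexes past the buffer, the signature is verified before the version field is used for any decision, and the rollback check runs last, on header data that is by then known to be authentic. In a real ECU the public key would live in immutable or OTP storage and the installed-version counter in a tamper-resistant location, otherwise the same update path could be used to replace both.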
![../../_images/Screenshotfree-fall-hacking-tesla-from-wireless-to-can-bus.png](../../_images/Screenshotfree-fall-hacking-tesla-from-wireless-to-can-bus.png)

Fig. 11 Important components: CID (Central Information Display), IC (Instrument Cluster), Parrot Wi-Fi and Bluetooth module as part of the CID
A CID teardown was performed and documented by PenTestPartners [Pen20].
## Cai et al.: 0-days & Mitigations - Roadways to Exploit and Secure Connected BMW Cars

[CWZ19]

- Remote exploit of an unaltered vehicle from BMW
- Two very complex attack chains were used
- Attack chain 1:
  - Web browser exploit on the MMU as a remote entry
  - TOCTOU attack against internal diagnostic services allowed them to send arbitrary UDS messages
  - Implementation flaws in the UDS protocol of the CGW allowed the escalation to all internal communication systems
- Attack chain 2:
  - Buffer overflow in the provisioning feature of the NGTP protocol for RCE on the TCU
  - A vulnerable diagnostic service allowed them to send arbitrary messages onto the vehicle's CAN bus
  - Implementation flaws in the UDS protocol of the CGW allowed the escalation to all internal communication systems
![../../_images/ScreenshotBMW.png](../../_images/ScreenshotBMW.png)

Fig. 12 Attack Chain
## TBONE – A zero-click exploit for Tesla MCUs

[WS20]

- Research for PWN2OWN 2020
- Tesla vehicles connect automatically to the Tesla Service SSID
- ConnMan 1.37 was used inside Tesla vehicles
- They fuzzed a DNS handling function offline
- Finally, they obtained RCE through a stack overflow
- This research only targeted the MMU of Tesla vehicles
- Bonus: This attack was launched from a drone hovering 100 m above
## Mercedes-Benz MBUX Security Research Report

[Lab20]

- Very detailed research on the architecture of Mercedes-Benz vehicles
- Head unit was attacked via a browser exploit
- Some, but very limited, vehicle functions could be triggered from the head unit (ambient light, reading light, and sunshade cover)
![../../_images/ScreenshotMercedes_Benz_Security_Research_Report_Final.png](../../_images/ScreenshotMercedes_Benz_Security_Research_Report_Final.png)

Fig. 14 Possible attack chains: Airbag Control Module, Electronic Ignition System