Death by a Thousand Cuts: Compromising Automotive Systems via Vulnerability Chains

In recent years, with the continuous development of electric vehicles (EVs), intelligent networking and traditional auto manufacturing have collided intensely, blurring the boundary between cyber security and physical security. In the past, many attacks against cars focused on car keys, but are today's cars equipped to deal with attacks from the internet? In this presentation, our goal is to hack an EV without physical contact, as these vehicles have surpassed 11 million in cumulative global production and sales. We will introduce our team's black-box security testing on several new energy vehicle models, starting from a situation where we had no debugging access and ending with multiple vulnerabilities chained together into exploit chains for stealing the vehicle. First, we will introduce how we discovered multiple RCE vulnerabilities and privilege escalation vulnerabilities in several vehicle models. Next, we will present how to use in-vehicle communication technologies for post-exploitation attacks, such as controlling vehicle components like doors and windows, and even bypassing the PEPS vehicle start authorization system using vulnerabilities. In addition, we will discuss how to expand the attack surface of vehicles and broaden the impact of RCE for contactless attacks. Finally, we will draw conclusions and provide perspectives on EV security, as well as offer security recommendations to automakers.

 

About the Presenter: Linfeng Xiao

Linfeng Xiao (@0xp0kerface) is a Security Researcher at Xiaomi ShadowBlade Security Lab. He focuses his research on binary and wireless security. He is a speaker at security conferences including HITBSecConf and KCon. He has contributed vulnerabilities to companies like Facebook, Huawei and others.

 

About the Presenter: Qican Ma

Qican Ma is a Security Researcher at Xiaomi ShadowBlade Security Lab and an IoT/Automotive/AI security researcher.

 

About the Presenter: RapidDNS

RapidDNS (@rapiddns) is a Security Researcher at Xiaomi ShadowBlade Security Lab, a bug bounty hunter, and the webmaster of RapidDNS.io.
