Understanding Connected Car Vulnerabilities


Summary

Understanding connected car vulnerabilities involves identifying and addressing the security flaws in vehicles equipped with internet connectivity and advanced technologies, which can make them susceptible to cyberattacks. With features like remote access, Bluetooth pairing, and over-the-air updates, these vehicles require robust safeguards to protect user data and prevent unauthorized access.

  • Secure input validation: Regularly audit and validate software inputs to eliminate common issues like buffer overflow and improper command handling that can create security gaps.
  • Add authentication layers: Implement multi-factor authentication for critical functions like adding new Phone Keys or accessing connected car apps to prevent unauthorized access.
  • Maintain regular updates: Ensure vehicle software, including infotainment systems and Bluetooth, is always updated with the latest security patches to address known vulnerabilities.
Summarized by AI based on LinkedIn member posts

  • Max Cheng

    Chief Executive Officer at VicOne | EV Technology, Cybersecurity Expert

    2,143 followers

    In a recent blog from our research team, Vít Šembera highlighted the impressive work demonstrated at the #Pwn2Own Automotive 2024 event. Synacktiv’s #cybersecurity researchers successfully executed a two-bug exploit chain to breach Tesla's in-vehicle infotainment (IVI) system. By leveraging vulnerabilities in Tesla's LTE connectivity card and a custom Ofono plug-in, they achieved remote code execution and root-level access, underscoring that even highly secured systems can still be susceptible to carefully crafted exploitation. Sharing a few key insights:

    💡 Input Validation and Buffer Allocation: Common flaws like improper input validation and buffer allocation enabled this breach. Despite Tesla's sandboxing and firewalls, overlooked input command validation and buffer management created exploitable gaps.

    💡 Layered Defense Needs Regular Maintenance: Tesla’s strong security setup (MiniJail, SecComp, AppArmor) was still vulnerable due to misconfigurations and minor flaws. This highlights the need for ongoing review and enhancement of layered defenses.

    💡 Advanced Exploitation Techniques in Action: Synacktiv used complex methods, including heap shaping and return-oriented programming (ROP), to bypass barriers. By simulating a cellular network base station, they permanently disabled the firewall, gaining remote access via SSH.

    ✍ Note to Cybersecurity Practitioners: Tesla’s Pwn2Own incident emphasizes that achieving high #security doesn’t mean complacency. For organizations, this breach serves as a reminder to maintain vigilance against even the smallest vulnerabilities, ensure all systems have rigorous validation, and conduct regular, comprehensive security reviews. As #automotive technology evolves, the importance of these practices grows, offering lessons applicable across all sectors reliant on connected devices and critical systems.

    Read the Blog: https://lnkd.in/gH6cFYF2

  • Philip Coniglio

    President & CEO @ AdvisorDefense | Cybersecurity Expert

    12,431 followers

    Tesla Cars Targeted in Sophisticated Phishing Attack

    In today's automotive landscape, many vehicles boast Internet connectivity powered by 4G and 5G technologies, enabling a plethora of functionalities and services. Notably, a particular electric vehicle (EV) manufacturer maximizes this connectivity to distribute software updates seamlessly.

    Researchers recently showcased their ability to execute a Man-in-the-Middle (MiTM) phishing attack, compromising Tesla accounts and granting unauthorized access to vehicles. This exploit is effective on the latest versions of the Tesla app (4.30.6) and Tesla software (11.1 2024.2.7). During this attack, security experts Talal Haj Bakry and Tommy Mysk successfully registered a new 'Phone Key,' providing them access to Tesla vehicles. Despite notifying Tesla of this vulnerability, emphasizing the lack of proper authentication security when linking a new phone to a car, the company dismissed the report as out of scope.

    While the researchers employed a Flipper Zero for this phishing attack, it can be replicated with other readily available devices such as computers, Raspberry Pi, or Android phones. At a Tesla supercharger station, attackers could set up a deceptive WiFi network named "Tesla Guest," a commonly recognized SSID at Tesla service centers. Mysk utilized a Flipper Zero to broadcast this network, noting its replicability with devices equipped with WiFi hotspot capabilities.

    Victims connecting to the spoofed network encounter a counterfeit Tesla login page, prompting them to enter their credentials. The attacker can intercept this information in real-time. Subsequently, victims are coerced into providing a one-time password (OTP) to bypass two-factor authentication, granting attackers access to their Tesla accounts. The attacker must act swiftly to exploit the stolen credentials before the OTP expires, gaining entry into the Tesla app and allowing real-time tracking of the vehicle's location.

    This vulnerability stems from the lack of proper authentication security when adding a new Phone Key. While Tesla Card Keys necessitate physical verification, Phone Keys can be added remotely without any notification to the owner. Security experts advocate for additional authentication layers, such as requiring a key card when adding a new Phone Key, to mitigate this security loophole. However, Tesla maintains that the current system aligns with their intended design, as outlined in the owner's manual, disregarding the need for further security measures.

    This vulnerability underscores the persistent challenges in safeguarding connected vehicles against evolving cyber threats.

    #tesla #cybersecurity #electricvehicles #phishing https://lnkd.in/eRk-jvvt

  • Many vehicles can be tracked, remotely unlocked and started with mobile apps. The security and privacy of those apps has always been a concern. Security researchers Sam Curry and Shubham Shah recently discovered and exploited a significant security flaw in Subaru's Starlink system. Their research highlighted vulnerabilities that could allow unauthorized access to Subaru vehicles and sensitive customer data.

    Key findings:

    🔑 Researchers accessed Subaru’s admin portal using a generic testing email and password reset loophole.

    📍 They could track vehicle location histories for up to a year, start vehicles, unlock doors, and access customer details like emergency contacts and billing info.

    ✅ Once notified of the vulnerability, Subaru responded swiftly, fixed the vulnerability, and confirmed no unauthorized access to customer information had occurred.

    This incident serves as a reminder of the growing privacy and cybersecurity risks in connected vehicles. With cars collecting vast amounts of personal data, stricter safeguards are critical for our security.

  • A new Bluetooth flaw means millions of cars can be hacked. Now that's a headline you wouldn't have read 20 years ago. Even 5 years ago. But here we are, this is very real.

    A newly disclosed set of vulnerabilities, dubbed PerfektBlue, affects millions of vehicles from Mercedes-Benz, VW, Skoda, and others. Researchers found 4 critical bugs in a common Bluetooth stack (BlueSDK) used in many infotainment systems. With just a one-click pairing, an attacker could remotely execute code, access your location, calls, contacts and in some scenarios, pivot deeper into the vehicle’s network.

    The bugs were responsibly reported in 2024. Patches exist. But how many cars are still unpatched? (I suspect quite a lot).

    This is yet another wake-up call for:

    Auto OEMs & suppliers ➡️ Patch faster. Security isn't a nice-to-have.

    Fleet managers ➡️ Check for updates. Turn Bluetooth off when not needed.

    Security teams ➡️ Treat embedded systems as top priorities in cybersecurity.

    Connected cars are cool. But connection without protection is a ticking time bomb.

    Source: https://lnkd.in/eQ6zZjkQ #PerfektBlue #IoTSecurity
