[{"data":1,"prerenderedAt":1354},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/existing-research/infotainment-telematics/":169},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,151,157,163],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, and how the SecurityAccess seed/key gate works, from weak proprietary LFSR ciphers to the Volkswagen SA2 script.","Reverse 
Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":6,"description":104,"part":105,"_file":106,"chapterNumber":107},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",17,{"_path":109,"title":110,"description":111,"part":105,"_file":112,"chapterNumber":113},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",18,{"_path":115,"title":116,"description":117,"part":105,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",19,{"_path":121,"title":122,"description":123,"part":105,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive 
microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",20,{"_path":127,"title":128,"description":129,"part":105,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",21,{"_path":133,"title":134,"description":135,"part":105,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",22,{"_path":139,"title":140,"description":141,"part":105,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",23,{"_path":145,"title":146,"description":147,"part":148,"_file":149,"chapterNumber":150},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for 
CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",24,{"_path":152,"title":153,"description":154,"part":148,"_file":155,"chapterNumber":156},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavyCAN, VehicleSpy, and Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",25,{"_path":158,"title":159,"description":160,"part":148,"_file":161,"chapterNumber":162},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",26,{"_path":164,"title":165,"description":166,"part":148,"_file":167,"chapterNumber":168},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",27,{"_path":127,"_dir":170,"_draft":171,"_partial":171,"_locale":172,"title":128,"description":129,"part":105,"references":173,"body":280,"_type":1350,"_id":1351,"_source":1352,"_file":130,"_extension":1353},"existing-research",false,"",[174,181,188,194,201,207,213,220,227,232,238,245,251,257,264,270,276],{"id":175,"authors":176,"title":177,"publisher":178,"year":179,"url":180},"tencent-free-fall-2017","Nie, Liu, Du","FREE-FALL: Hacking Tesla from Wireless to CAN Bus","Black Hat USA 2017",2017,"https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf",{"id":182,"authors":183,"title":184,"publisher":185,"year":186,"url":187},"tencent-tesla-wifi-2020","Keen Security Lab of Tencent","Exploiting Wi-Fi Stack on Tesla Model S","Keen Security Lab Blog",2020,"https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/",{"id":189,"authors":190,"title":191,"publisher":192,"year":186,"url":193},"tbone-2020","Weinmann, 
Schmotzle","TBONE — A Zero-Click Exploit for Tesla MCUs","Comsecuris, 2020","https://kunnamon.io/tbone/",{"id":195,"authors":196,"title":197,"publisher":198,"year":199,"url":200},"i-feel-a-draft-2022","Berard, Dehors","I Feel a Draft. Opening the Doors and Windows: 0-Click RCE on the Tesla Model 3","Hexacon 2022 / Pwn2Own Vancouver 2022",2022,"https://www.synacktiv.com/sites/default/files/2022-10/tesla_hexacon.pdf",{"id":202,"authors":196,"title":203,"publisher":204,"year":205,"url":206},"unlocking-drive-2023","Unlocking the Drive — Exploiting Tesla Model 3","CanSecWest 2023 / Pwn2Own Vancouver 2023",2023,"https://www.synacktiv.com/sites/default/files/2023-11/tesla_grehack.pdf",{"id":208,"authors":196,"title":209,"publisher":210,"year":211,"url":212},"cellular-2024","0-Click RCE on the Tesla Infotainment Through Cellular Network","OffensiveCon 2024 / Pwn2Own Automotive Tokyo 2024",2024,"https://www.synacktiv.com/sites/default/files/2024-05/tesla_0_click_rce_cellular_network_offensivecon2024.pdf",{"id":214,"authors":215,"title":216,"publisher":217,"year":218,"url":219},"spaar-bmw-2015","Spaar","Beemer, Open Thyself! 
— Security Vulnerabilities in BMW's ConnectedDrive","c't / heise online, 2015",2015,"https://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html",{"id":221,"authors":222,"title":223,"publisher":224,"year":225,"url":226},"tencent-bmw-2019","Cai, Wang, Zhang","0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars","Black Hat USA 2019",2019,"https://i.blackhat.com/USA-19/Thursday/us-19-Cai-0-Days-And-Mitigations-Roadways-To-Exploit-And-Secure-Connected-BMW-Cars-wp.pdf",{"id":228,"authors":183,"title":229,"publisher":230,"year":186,"url":231},"tencent-mbux-2020","Mercedes-Benz MBUX Security Research Report","Tencent Keen Security Lab, 2020","https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf",{"id":233,"authors":234,"title":235,"publisher":236,"year":186,"url":237},"skygo-mercedes-2020","Sky-Go Team, Qihoo 360","Security Research on Mercedes-Benz: From Hardware to Car Control","Black Hat USA 2020","https://i.blackhat.com/USA-20/Thursday/us-20-Yan-Security-Research-On-Mercedes-Benz-From-Hardware-To-Car-Control.pdf",{"id":239,"authors":240,"title":241,"publisher":242,"year":243,"url":244},"computest-vw-2018","Keuper, Alkemade","The Connected Car: Ways to Get Unauthorized Access and Potential Implications","Computest, 2018",2018,"https://defion.security/en/research-labs/volkswagen-auto-group-mib-infotainment-system-unauthenticated-remote-code-execution-as-root/",{"id":246,"authors":247,"title":248,"publisher":249,"year":199,"url":250},"navinfo-id3-2022","Serdyuk, Kondikov","Back-connect to the Connected Car: Search for Vulnerabilities in the VW Electric Car","Black Hat Europe 2022","https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Serdyuk-Back-connect-to-the-connected-car.pdf",{"id":252,"authors":253,"title":254,"publisher":255,"year":211,"url":256},"pcautomotive-vw-2024","Parnishchev, Ivachev","Over the Air: Compromise of Modern Volkswagen Group 
Vehicles","Black Hat Europe 2024","https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf",{"id":258,"authors":259,"title":260,"publisher":261,"year":262,"url":263},"pcautomotive-nissan-2025","Smirnova, Motspan, Evdokimov","Vulnerabilities in Nissan Infotainment System Manufactured by BOSCH","PCAutomotive Advisory, 2025",2025,"https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch",{"id":265,"authors":266,"title":267,"publisher":268,"year":205,"url":269},"curry-web-2023","Curry, Rivera, Buerhaus, Robert, Carroll, Rhinehart, Shah","Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More","samcurry.net, January 2023","https://samcurry.net/web-hackers-vs-the-auto-industry",{"id":271,"authors":272,"title":273,"publisher":274,"year":205,"url":275},"mehaboobe-tbox","Pareja Veredas, Mehaboobe","(Re)Playing With Your Keys: Attacking Vehicle Fleet Management Systems","DefCamp 2023","https://www.youtube.com/watch?v=OKaCuHCNlQQ",{"id":277,"authors":272,"title":278,"publisher":274,"year":205,"url":279},"mehaboobe-tbox-slides","(Re)Playing With Your Keys: Attacking Vehicle Fleet Management Systems (slides)","https://def.camp/wp-content/uploads/dc2023/Yashin%20Mehaboobe.pdf",{"type":281,"children":282,"toc":1317},"root",[283,291,313,320,327,342,347,396,405,413,418,430,443,451,457,469,474,521,529,535,547,552,591,599,605,617,630,638,643,655,660,711,719,725,731,743,748,756,762,774,779,800,808,814,819,831,836,841,849,854,866,871,877,882,894,907,915,921,933,938,1033,1038,1043,1055,1060,1089,1097,1103,1109,1121,1126,1209,1217,1223,1229,1241,1246,1251,1259,1264,1270,1276,1289,1294,1299,1307,1313],{"type":284,"tag":285,"props":286,"children":288},"element","h1",{"id":287},"infotainment-telematics",[289],{"type":290,"value":128},"text",{"type":284,"tag":292,"props":293,"children":294},"p",{},[295,297,303,305,311],{"type":290,"value":296},"The infotainment head 
unit often concentrates high-risk external interfaces such as Wi-Fi, Bluetooth, cellular, USB, media parsing, browser content, and backend connectivity. In vulnerable architectures, a single exploitable bug in that software stack can become the first link in a chain that crosses gateways or companion controllers and reaches CAN. This chapter follows an OEM-by-OEM structure covering Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan, followed by a multi-OEM web-API survey. The Miller and Valasek Jeep papers (2015 and 2016) that established this attack model are covered in the ",{"type":284,"tag":298,"props":299,"children":300},"a",{"href":103},[301],{"type":290,"value":302},"Introduction chapter",{"type":290,"value":304},". The Synacktiv TPMS 2024 chain, which enters through forged BLE TPMS advertisements, is covered in the ",{"type":284,"tag":298,"props":306,"children":308},{"href":307},"/knowledge-base/existing-research/sensors-and-radios#tire-pressure-monitoring-systems-tpms",[309],{"type":290,"value":310},"Other Wireless Attack Surfaces chapter",{"type":290,"value":312},".",{"type":284,"tag":314,"props":315,"children":317},"h2",{"id":316},"tesla",[318],{"type":290,"value":319},"Tesla",{"type":284,"tag":321,"props":322,"children":324},"h3",{"id":323},"free-fall-hacking-tesla-from-wireless-to-can-bus",[325],{"type":290,"value":326},"FREE-FALL: Hacking Tesla From Wireless to CAN Bus",{"type":284,"tag":292,"props":328,"children":329},{},[330,336,338],{"type":284,"tag":331,"props":332,"children":333},"em",{},[334],{"type":290,"value":335},"Nie, Liu, Du (Tencent Keen Security Lab), Black Hat USA 2017",{"type":290,"value":337}," ",{"type":284,"tag":339,"props":340,"children":341},"citation",{"id":175},[],{"type":284,"tag":292,"props":343,"children":344},{},[345],{"type":290,"value":346},"This was the first public end-to-end remote chain against a Tesla, targeting the Model S P85/P75 on firmware v7.1. 
Tesla had received the disclosure nine months before the talk and pushed an OTA patch within ten days of the report, introducing ECU firmware code signing that did not previously exist.",{"type":284,"tag":292,"props":348,"children":349},{},[350,352,359,361,369,371,378,380,386,388,394],{"type":290,"value":351},"Entry was through the QtWebKit browser on the CID. Two bugs chained: a type-confusion in ",{"type":284,"tag":353,"props":354,"children":356},"code",{"className":355},[],[357],{"type":290,"value":358},"JSArray::sort()",{"type":290,"value":360}," and a DOM memory disclosure (",{"type":284,"tag":298,"props":362,"children":366},{"href":363,"rel":364},"https://nvd.nist.gov/vuln/detail/CVE-2011-3928",[365],"nofollow",[367],{"type":290,"value":368},"CVE-2011-3928",{"type":290,"value":370},") gave browser sandbox RCE. Kernel privilege escalation via ",{"type":284,"tag":298,"props":372,"children":375},{"href":373,"rel":374},"https://nvd.nist.gov/vuln/detail/CVE-2013-6282",[365],[376],{"type":290,"value":377},"CVE-2013-6282",{"type":290,"value":379}," against the unpatched Linux 2.6.36 on the Nvidia Tegra SoC bypassed the AppArmor confinement of the browser process. Adjacent systems provided lateral movement: the IC accepted root SSH from the CID, the Parrot module had anonymous Telnet on port 23, and the Gateway ECU's UDP diagnostic service was gated by a static hardcoded token (",{"type":284,"tag":353,"props":381,"children":383},{"className":382},[],[384],{"type":290,"value":385},"1q3e5t7u",{"type":290,"value":387},"). The Gateway accepted ",{"type":284,"tag":353,"props":389,"children":391},{"className":390},[],[392],{"type":290,"value":393},"boot.img",{"type":290,"value":395}," updates with only a CRC32 check, an integrity check that guards against accidental corruption and provides no authenticity guarantee, allowing full firmware replacement; the team used this to enable CAN injection at any speed. Physical effects included forcing the ESP/ABS module into programming mode, disabling power-assisted braking and steering. 
Tesla's response included Linux 4.4.35, stricter AppArmor profiles, and ECU firmware code signing.",{"type":284,"tag":292,"props":397,"children":398},{},[399],{"type":284,"tag":400,"props":401,"children":404},"img",{"alt":402,"src":403},"Important in-vehicle network components in the Tesla Model S, showing the CID, IC, Parrot, and Gateway arrangement. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).","/images/knowledge-base/existing-research/infotainment-telematics/free-fall-2017-1.png",[],{"type":284,"tag":292,"props":406,"children":407},{},[408],{"type":284,"tag":400,"props":409,"children":412},{"alt":410,"src":411},"Gateway firmware structure (IDA view) showing the CAN message forwarding table used to inject arbitrary frames onto the powertrain bus. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).","/images/knowledge-base/existing-research/infotainment-telematics/free-fall-2017-2.png",[],{"type":284,"tag":321,"props":414,"children":416},{"id":415},"exploiting-wi-fi-stack-on-tesla-model-s",[417],{"type":290,"value":184},{"type":284,"tag":292,"props":419,"children":420},{},[421,426,427],{"type":284,"tag":331,"props":422,"children":423},{},[424],{"type":290,"value":425},"Keen Security Lab of Tencent, Keen Security Lab Blog 2020",{"type":290,"value":337},{"type":284,"tag":339,"props":428,"children":429},{"id":182},[],{"type":284,"tag":292,"props":431,"children":432},{},[433,435,441],{"type":290,"value":434},"A January 2020 blog post described two bugs in the Marvell 88W8688 Wi-Fi chip integrated into the Parrot module on the Tesla Model S. The chip runs ThreadX RTOS on an ARM9 Feroceon core, connected via SDIO. One bug was a heap overflow in the 802.11e WMM ADDTS action frame handler; the other was in the Linux ",{"type":284,"tag":353,"props":436,"children":438},{"className":437},[],[439],{"type":290,"value":440},"mwifiex",{"type":290,"value":442}," driver processing Wi-Fi events from the chip. 
An attacker within wireless range could chain both, first taking over the Wi-Fi chip firmware and then using the driver bug to cross from the compromised chip into the host, to gain code execution on the CID host Linux system. Both were disclosed to Tesla and Marvell before publication.",{"type":284,"tag":292,"props":444,"children":445},{},[446],{"type":284,"tag":400,"props":447,"children":450},{"alt":448,"src":449},"Architecture of the Parrot/Wi-Fi module on the Tesla Model S, showing the 88W8688 chip connecting via SDIO to the CID host Linux system. Figure from Tencent Keen Security Lab, 2020 (Exploiting Wi-Fi Stack on Tesla Model S).","/images/knowledge-base/existing-research/infotainment-telematics/tesla-wifi-stack-2020-1.png",[],{"type":284,"tag":321,"props":452,"children":454},{"id":453},"tbone-a-zero-click-exploit-for-tesla-mcus",[455],{"type":290,"value":456},"TBONE, A Zero-Click Exploit for Tesla MCUs",{"type":284,"tag":292,"props":458,"children":459},{},[460,465,466],{"type":284,"tag":331,"props":461,"children":462},{},[463],{"type":290,"value":464},"Weinmann, Schmotzle (Comsecuris), 2020",{"type":290,"value":337},{"type":284,"tag":339,"props":467,"children":468},{"id":189},[],{"type":284,"tag":292,"props":470,"children":471},{},[472],{"type":290,"value":473},"Originally developed for the cancelled Pwn2Own 2020 event, TBONE achieves unauthenticated RCE over Wi-Fi without user interaction by exploiting Tesla vehicles' automatic connection to access points broadcasting the SSID \"Tesla Service\" with WPA2 credentials hardcoded in the firmware.",{"type":284,"tag":292,"props":475,"children":476},{},[477,479,485,487,493,495,501,503,510,512,519],{"type":290,"value":478},"Two bugs in ConnMan 1.37 are chained. 
The first is a stack overflow in the DNS proxy ",{"type":284,"tag":353,"props":480,"children":482},{"className":481},[],[483],{"type":290,"value":484},"uncompress()",{"type":290,"value":486}," function: a ",{"type":284,"tag":353,"props":488,"children":490},{"className":489},[],[491],{"type":290,"value":492},"strncpy()",{"type":290,"value":494}," copies label data to a fixed 1025-byte buffer while advancing the destination pointer by the actual string length, allowing writes past the end. DNS compression pointers can steer the advance over the stack canary. The second is an information disclosure in the DHCP client: an unzeroed packet buffer leaks 4-byte chunks of uninitialized stack memory via crafted DHCP options, which, iterated across successive offers, yields a libc address and stack pointer sufficient to defeat ASLR and construct a ROP chain. The stage 2 payload disables ",{"type":284,"tag":353,"props":496,"children":498},{"className":497},[],[499],{"type":290,"value":500},"iptables",{"type":290,"value":502}," and, as demonstrated, opens the charge port. Tesla patched ",{"type":284,"tag":298,"props":504,"children":507},{"href":505,"rel":506},"https://nvd.nist.gov/vuln/detail/CVE-2021-26675",[365],[508],{"type":290,"value":509},"CVE-2021-26675",{"type":290,"value":511}," and ",{"type":284,"tag":298,"props":513,"children":516},{"href":514,"rel":515},"https://nvd.nist.gov/vuln/detail/CVE-2021-26676",[365],[517],{"type":290,"value":518},"CVE-2021-26676",{"type":290,"value":520}," in a subsequent OTA update.",{"type":284,"tag":292,"props":522,"children":523},{},[524],{"type":284,"tag":400,"props":525,"children":528},{"alt":526,"src":527},"The uncompress() function in ConnMan 1.37 showing the strncpy / pointer-advance pattern that causes the stack overflow when processing crafted DNS reply records. 
Figure from Weinmann and Schmotzle, 2020 (TBONE).","/images/knowledge-base/existing-research/infotainment-telematics/tbone-2020-1.png",[],{"type":284,"tag":321,"props":530,"children":532},{"id":531},"i-feel-a-draft-opening-the-doors-and-windows",[533],{"type":290,"value":534},"I Feel a Draft: Opening the Doors and Windows",{"type":284,"tag":292,"props":536,"children":537},{},[538,543,544],{"type":284,"tag":331,"props":539,"children":540},{},[541],{"type":290,"value":542},"Berard, Dehors (Synacktiv), Hexacon 2022",{"type":290,"value":337},{"type":284,"tag":339,"props":545,"children":546},{"id":195},[],{"type":284,"tag":292,"props":548,"children":549},{},[550],{"type":290,"value":551},"This Hexacon 2022 / Pwn2Own Vancouver 2022 entry targets the Tesla Model 3 via Wi-Fi. Like TBONE, entry relies on the \"Tesla Service\" auto-connect SSID. The Model 3 infotainment runs Linux 4.14 on an Intel Atom A3950 SoC; an internal Ethernet switch connects all major ECUs.",{"type":284,"tag":292,"props":553,"children":554},{},[555,557,564,566,573,575,582,583,590],{"type":290,"value":556},"Two previously unknown ConnMan bugs are at the core. ",{"type":284,"tag":298,"props":558,"children":561},{"href":559,"rel":560},"https://nvd.nist.gov/vuln/detail/CVE-2022-32292",[365],[562],{"type":290,"value":563},"CVE-2022-32292",{"type":290,"value":565}," is an out-of-bounds byte swap in the WISPR captive portal HTTP client: ConnMan issues an HTTP GET to an attacker-controlled URL after connecting, and one specific byte is converted to null at one byte past an allocation boundary, corrupting heap metadata. ",{"type":284,"tag":298,"props":567,"children":570},{"href":568,"rel":569},"https://nvd.nist.gov/vuln/detail/CVE-2022-32293",[365],[571],{"type":290,"value":572},"CVE-2022-32293",{"type":290,"value":574}," is a double free in the same path, used to clean the heap state. 
Exploitation combined heap shaping, a libc pointer infoleak through DHCP hostname manipulation, and tcache poisoning for arbitrary write. The sandbox escape used a raw socket already available to ConnMan, which gave direct Ethernet access to the Gateway so that CAN frames could be injected through its CAN proxy. The fixes covered both ConnMan CVEs and two kernel issues, ",{"type":284,"tag":298,"props":576,"children":579},{"href":577,"rel":578},"https://nvd.nist.gov/vuln/detail/CVE-2022-42431",[365],[580],{"type":290,"value":581},"CVE-2022-42431",{"type":290,"value":511},{"type":284,"tag":298,"props":584,"children":587},{"href":585,"rel":586},"https://nvd.nist.gov/vuln/detail/CVE-2022-42430",[365],[588],{"type":290,"value":589},"CVE-2022-42430",{"type":290,"value":312},{"type":284,"tag":292,"props":592,"children":593},{},[594],{"type":284,"tag":400,"props":595,"children":598},{"alt":596,"src":597},"Model 3 ICE architecture (Ethernet network), showing the Infotainment, Wi-Fi/BT chip (BCM4359), Gateway, Connectivity card, and Autopilot interconnections. Figure from Berard and Dehors, 2022 (I Feel a Draft).","/images/knowledge-base/existing-research/infotainment-telematics/i-feel-a-draft-2022-1.png",[],{"type":284,"tag":321,"props":600,"children":602},{"id":601},"unlocking-the-drive",[603],{"type":290,"value":604},"Unlocking the Drive",{"type":284,"tag":292,"props":606,"children":607},{},[608,613,614],{"type":284,"tag":331,"props":609,"children":610},{},[611],{"type":290,"value":612},"Berard, Dehors (Synacktiv), Pwn2Own Vancouver 2023",{"type":290,"value":337},{"type":284,"tag":339,"props":615,"children":616},{"id":202},[],{"type":284,"tag":292,"props":618,"children":619},{},[620,622,628],{"type":290,"value":621},"A three-stage chain against the Model 3 via Bluetooth Classic presented at Pwn2Own Vancouver 2023. 
Entry is the ",{"type":284,"tag":353,"props":623,"children":625},{"className":624},[],[626],{"type":290,"value":627},"bsa_server",{"type":290,"value":629}," process (BSA vendor Bluetooth stack), compiled without PIE and with debug symbols available from a related open-source project. The Bluetooth Imaging (BIP) profile, used to fetch phone cover art over OBEX, has a heap overflow triggered by a malformed image properties descriptor. Exploitation used heap spraying, a libc pointer infoleak via DHCP hostname manipulation, and ROP. A new Linux kernel LPE provided the sandbox escape; an RCE in the Security Gateway process gave CAN write access. Patches followed for all three components.",{"type":284,"tag":292,"props":631,"children":632},{},[633],{"type":284,"tag":400,"props":634,"children":637},{"alt":635,"src":636},"Exploit chain for the 2023 Pwn2Own entry: Bluetooth BIP heap overflow in bsa_server, kernel LPE, and Security Gateway RCE leading to CAN write. Figure from Berard and Dehors, 2023 (Unlocking the Drive).","/images/knowledge-base/existing-research/infotainment-telematics/unlocking-drive-2023-1.png",[],{"type":284,"tag":321,"props":639,"children":641},{"id":640},"_0-click-rce-on-the-tesla-infotainment-through-cellular-network",[642],{"type":290,"value":209},{"type":284,"tag":292,"props":644,"children":645},{},[646,651,652],{"type":284,"tag":331,"props":647,"children":648},{},[649],{"type":290,"value":650},"Berard, Dehors (Synacktiv), OffensiveCon 2024",{"type":290,"value":337},{"type":284,"tag":339,"props":653,"children":654},{"id":208},[],{"type":284,"tag":292,"props":656,"children":657},{},[658],{"type":290,"value":659},"Presented at OffensiveCon 2024 (Pwn2Own Automotive Tokyo 2024), this entry attacks the Tesla from the cellular network. 
The connectivity card is a Quectel modem bridging LTE to the internal Ethernet switch via VLAN.",{"type":284,"tag":292,"props":661,"children":662},{},[663,665,671,673,679,681,687,689,695,697,702,704,709],{"type":290,"value":664},"The entry bug is a command injection in the ",{"type":284,"tag":353,"props":666,"children":668},{"className":667},[],[669],{"type":290,"value":670},"ql_awd",{"type":290,"value":672}," process (",{"type":284,"tag":353,"props":674,"children":676},{"className":675},[],[677],{"type":290,"value":678},"AT+QABFOTA=\"package\",\"$(injected)\"",{"type":290,"value":680},") on the connectivity card, which should only be reachable internally. An iptables race condition at boot leaves the firewall absent roughly 25% of the time: the ",{"type":284,"tag":353,"props":682,"children":684},{"className":683},[],[685],{"type":290,"value":686},"firewall",{"type":290,"value":688}," service and ",{"type":284,"tag":353,"props":690,"children":692},{"className":691},[],[693],{"type":290,"value":694},"QCMAP_ConnectionManager",{"type":290,"value":696}," contend for the iptables lock, and if ",{"type":284,"tag":353,"props":698,"children":700},{"className":699},[],[701],{"type":290,"value":694},{"type":290,"value":703}," wins, ",{"type":284,"tag":353,"props":705,"children":707},{"className":706},[],[708],{"type":290,"value":686},{"type":290,"value":710}," exits without loading any rules, a fail-open behaviour: the card comes up with no packet filtering at all instead of refusing traffic until the rules are in place. Synacktiv found a reliable remote trigger: the infotainment reboots the connectivity card after three consecutive internet probe failures, which an attacker-controlled base station can force by dropping the probe requests; NTP spoofing bypasses the reboot rate limit. With the firewall absent, the command injection is reachable from the base station. 
From the modem, the team pivoted to the infotainment over Ethernet and reached the same CAN path as prior entries.",{"type":284,"tag":292,"props":712,"children":713},{},[714],{"type":284,"tag":400,"props":715,"children":718},{"alt":716,"src":717},"Network architecture of the Tesla Model 3 showing the Ethernet switch, Connectivity card (LTE), Infotainment, Security Gateway (with CAN connections), and Autopilot. Figure from Berard and Dehors, 2024 (0-Click RCE Through Cellular Network).","/images/knowledge-base/existing-research/infotainment-telematics/cellular-2024-1.png",[],{"type":284,"tag":314,"props":720,"children":722},{"id":721},"bmw",[723],{"type":290,"value":724},"BMW",{"type":284,"tag":321,"props":726,"children":728},{"id":727},"beemer-open-thyself-security-vulnerabilities-in-bmws-connecteddrive",[729],{"type":290,"value":730},"Beemer, Open Thyself! - Security Vulnerabilities in BMW's ConnectedDrive",{"type":284,"tag":292,"props":732,"children":733},{},[734,739,740],{"type":284,"tag":331,"props":735,"children":736},{},[737],{"type":290,"value":738},"Spaar, heise online 2015",{"type":290,"value":337},{"type":284,"tag":339,"props":741,"children":742},{"id":214},[],{"type":284,"tag":292,"props":744,"children":745},{},[746],{"type":290,"value":747},"In January 2015, Dieter Spaar disclosed six vulnerabilities in BMW's ConnectedDrive telematics service, affecting approximately 2.2 million BMW, Mini, and Rolls Royce vehicles. After extracting the Combox telematics module firmware by desoldering its flash, Spaar found that all affected vehicles shared the same static symmetric keys for encrypting ConnectedDrive messages. Decrypting any ConnectedDrive message or forging new ones was therefore straightforward. The HTTP connection between car and backend carried no TLS, allowing an emulated GSM base station to intercept and substitute provisioning XML, activating Remote Services even on vehicles where the owner had disabled them. 
Replay attacks against door unlock succeeded because the protocol had no replay protection. BMW responded with an OTA configuration push enabling TLS for all ConnectedDrive traffic.",{"type":284,"tag":292,"props":749,"children":750},{},[751],{"type":284,"tag":400,"props":752,"children":755},{"alt":753,"src":754},"Attack flow for the BMW ConnectedDrive door unlock exploit: an SMS triggers the car to fetch a command over an unencrypted HTTP connection intercepted using an emulated GSM base station. Figure from Spaar, 2015 (Beemer, Open Thyself).","/images/knowledge-base/existing-research/infotainment-telematics/spaar-bmw-2015-1.png",[],{"type":284,"tag":321,"props":757,"children":759},{"id":758},"_0-days-mitigations-roadways-to-exploit-connected-bmw-cars",[760],{"type":290,"value":761},"0-Days & Mitigations: Roadways to Exploit Connected BMW Cars",{"type":284,"tag":292,"props":763,"children":764},{},[765,770,771],{"type":284,"tag":331,"props":766,"children":767},{},[768],{"type":290,"value":769},"Cai, Wang, Zhang (Tencent Keen Security Lab), Black Hat USA 2019",{"type":290,"value":337},{"type":284,"tag":339,"props":772,"children":773},{"id":221},[],{"type":284,"tag":292,"props":775,"children":776},{},[777],{"type":290,"value":778},"An 18-month study of multiple BMW models documenting fourteen vulnerabilities across the NBT Head Unit, Telematic Communication Box, and Central Gateway.",{"type":284,"tag":292,"props":780,"children":781},{},[782,784,790,792,798],{"type":290,"value":783},"The NBT splits across HU-Intel (QNX on x86, ConnectedDrive and multimedia) and HU-Jacinto (QNX on TI DRA44x, CAN). 
Three local attack paths into HU-Intel were documented: a USB-to-Ethernet adapter that the QNX USB stack recognises and exposes as an unfiltered interface to internal services; a stack overflow in the navigation map update service (",{"type":284,"tag":353,"props":785,"children":787},{"className":786},[],[788],{"type":290,"value":789},"apnnavc",{"type":290,"value":791},") via an unbounded ",{"type":284,"tag":353,"props":793,"children":795},{"className":794},[],[796],{"type":290,"value":797},"sprintf()",{"type":290,"value":799}," on USB-supplied filenames; and a TOCTOU race in the diagnostic service allowing a file to be swapped between signature check and execution. Remotely, the unencrypted ConnectedDrive HTTP polling channel allowed a fake GSM base station to inject provisioning XML redirecting browser requests to attacker-controlled servers. Combined, these paths demonstrated code execution from the cellular network through to CAN injection via HU-Jacinto.",{"type":284,"tag":292,"props":801,"children":802},{},[803],{"type":284,"tag":400,"props":804,"children":807},{"alt":805,"src":806},"Architecture of the BMW NBT Head Unit, showing the Intel x86 HU-Intel and TI Jacinto HU-Jacinto processors, their QNET interconnect, and connections to the TCB and Central Gateway. 
Figure from Cai, Wang, Zhang, 2019 (0-Days and Mitigations).","/images/knowledge-base/existing-research/infotainment-telematics/bmw-0days-2019-1.png",[],{"type":284,"tag":314,"props":809,"children":811},{"id":810},"mercedes-benz",[812],{"type":290,"value":813},"Mercedes-Benz",{"type":284,"tag":321,"props":815,"children":817},{"id":816},"mercedes-benz-mbux-security-research-report",[818],{"type":290,"value":229},{"type":284,"tag":292,"props":820,"children":821},{},[822,827,828],{"type":284,"tag":331,"props":823,"children":824},{},[825],{"type":290,"value":826},"Keen Security Lab of Tencent, 2020",{"type":290,"value":337},{"type":284,"tag":339,"props":829,"children":830},{"id":228},[],{"type":284,"tag":292,"props":832,"children":833},{},[834],{"type":290,"value":835},"A 91-page report covering the MBUX NTG6 platform found in the W177 A-Class, E-Class, GLE, GLS, and EQC. The head unit runs an Nvidia Parker SoC with a QNX hypervisor; a Renesas RH850 handles CAN. The T-Box uses a cellular baseband and a Renesas SH-2A MCU for CAN-D access.",{"type":284,"tag":292,"props":837,"children":838},{},[839],{"type":290,"value":840},"The verified real-vehicle chain used the head-unit browser to reach code execution, then a kernel privilege escalation to gain root on the head unit. From there the researchers demonstrated persistence and body-function control such as ambient lighting, reading lights, and the sunshade. A separate bench/removal scenario reached the head unit over the internal CSB/MMB network and exploited HiQnet parser bugs. 
The report also analysed T-Box paths: the team did not find a cellular-network compromise, but on a debug-version T-Box they demonstrated SH-2A firmware downgrade and code-signing bypasses that enabled arbitrary CAN-D messages.",{"type":284,"tag":292,"props":842,"children":843},{},[844],{"type":284,"tag":400,"props":845,"children":848},{"alt":846,"src":847},"MBUX hardware architecture overview showing the Nvidia Parker SoC head unit, T-Box, and their CAN and Ethernet network topology. Figure from Tencent Keen Security Lab, 2020 (Mercedes-Benz MBUX Security Research Report).","/images/knowledge-base/existing-research/infotainment-telematics/mbux-2020-1.png",[],{"type":284,"tag":321,"props":850,"children":852},{"id":851},"security-research-on-mercedes-benz-from-hardware-to-car-control",[853],{"type":290,"value":235},{"type":284,"tag":292,"props":855,"children":856},{},[857,862,863],{"type":284,"tag":331,"props":858,"children":859},{},[860],{"type":290,"value":861},"Sky-Go Team, Qihoo 360, Black Hat USA 2020",{"type":290,"value":337},{"type":284,"tag":339,"props":864,"children":865},{"id":233},[],{"type":284,"tag":292,"props":867,"children":868},{},[869],{"type":290,"value":870},"This Black Hat USA 2020 paper covers a Mercedes-Benz E300L with the NTG 5.5 head unit and HERMES telematics control unit. After reading the HERMES NAND flash (desoldered BGA) and reconstructing the YaFFS filesystem, the team found client TLS certificates encrypted with a hardcoded AES key; decrypting the private key allowed authenticating to Mercedes-Benz backend servers as a vehicle. A server-side SSRF in a social plugins web application then exposed internal backend files. Together these allowed accessing backend services and demonstrating remote door unlock and engine start via the cloud. 
Mercedes-Benz deployed a full patch within weeks.",{"type":284,"tag":314,"props":872,"children":874},{"id":873},"volkswagen-group",[875],{"type":290,"value":876},"Volkswagen Group",{"type":284,"tag":321,"props":878,"children":880},{"id":879},"the-connected-car-ways-to-get-unauthorized-access-and-potential-implications",[881],{"type":290,"value":241},{"type":284,"tag":292,"props":883,"children":884},{},[885,890,891],{"type":284,"tag":331,"props":886,"children":887},{},[888],{"type":290,"value":889},"Keuper, Alkemade (Computest), 2018",{"type":290,"value":337},{"type":284,"tag":339,"props":892,"children":893},{"id":239},[],{"type":284,"tag":292,"props":895,"children":896},{},[897,899,905],{"type":290,"value":898},"This 2018 report covers the Harman MIB2 platform in the Volkswagen Golf GTE and Audi A3 e-tron. The MIB2 runs QNX 6.5.0 on an Nvidia Tegra T30. With its Wi-Fi hotspot active a port scan revealed Telnet, undocumented TCP services, and UPnP; the Telnet root password was a ",{"type":284,"tag":353,"props":900,"children":902},{"className":901},[],[903],{"type":290,"value":904},"descrypt()",{"type":290,"value":906}," hash with the 8-character maximum imposed by that algorithm, breakable by FPGA dictionary attack for under $100. A remotely exploitable bug in an undocumented service escalated from arbitrary file read to a root shell on the MMX unit. An internal 10.0.0.0/24 network with a default Telnet password led to the RCC unit (a second QNX processor for CAN), which communicated with a Renesas V850 CAN controller over SPI. V850 firmware updates from the RCC required no signature re-validation; the team outlined the path to arbitrary CAN injection via backdoored V850 firmware but stopped short of implementing it for IP reasons. The CAN gateway blocked access to safety-critical buses. 
Two additional entry vectors were documented: on the Audi the cellular (Audi connect) interface exposed a public IPv4 address reachable from the internet where the ISP permitted client-to-client traffic, and a USB-to-Ethernet dongle plugged into the head unit was recognised as an unfirewalled debug interface exposing the same internal services as Wi-Fi.",{"type":284,"tag":292,"props":908,"children":909},{},[910],{"type":284,"tag":400,"props":911,"children":914},{"alt":912,"src":913},"Attack chain from Computest 2018: Wi-Fi RCE on the MMX unit, through the RCC over Ethernet, to the Renesas V850 CAN controller and the gateway ECU. Figure from Keuper and Alkemade, 2018 (The Connected Car).","/images/knowledge-base/existing-research/infotainment-telematics/computest-vw-2018-1.png",[],{"type":284,"tag":321,"props":916,"children":918},{"id":917},"back-connect-to-the-connected-car",[919],{"type":290,"value":920},"Back-connect to the Connected Car",{"type":284,"tag":292,"props":922,"children":923},{},[924,929,930],{"type":284,"tag":331,"props":925,"children":926},{},[927],{"type":290,"value":928},"Serdyuk, Kondikov (NavInfo Europe), Black Hat Europe 2022",{"type":290,"value":337},{"type":284,"tag":339,"props":931,"children":932},{"id":246},[],{"type":284,"tag":292,"props":934,"children":935},{},[936],{"type":290,"value":937},"This Black Hat Europe 2022 work covers the Volkswagen ID.3 (with the same architecture also present on ID.4 and ID.5, around 120,000 vehicles at disclosure). Two compute modules are in scope: ICAS3, the LG MEB ICAS3 infotainment built on a Qualcomm APQ8096AU running QNX 7 as host with Automotive Grade Linux as a QVM guest; and ICAS1, the gateway \"brain\" on a Renesas R-Car M3 R8A77960 running the L4RE Fiasco.OC microkernel with three EB Corbos Linux guest VMs (vm_java, vm_adaptive, vm_housekeeping), squashfs+dm-verity rootfs, and an OP-TEE TrustZone. 
ICAS1 also contains a PPC SPC58 RTOS that handles the actual CAN gateway.",{"type":284,"tag":292,"props":939,"children":940},{},[941,943,950,952,958,960,966,967,973,975,982,984,990,992,998,1000,1006,1008,1015,1017,1023,1025,1031],{"type":290,"value":942},"Three CVEs were disclosed. ",{"type":284,"tag":298,"props":944,"children":947},{"href":945,"rel":946},"https://nvd.nist.gov/vuln/detail/CVE-2022-41557",[365],[948],{"type":290,"value":949},"CVE-2022-41557",{"type":290,"value":951}," is in the IVI guest's ",{"type":284,"tag":353,"props":953,"children":955},{"className":954},[],[956],{"type":290,"value":957},"/usr/bin/swdlusb.sh",{"type":290,"value":959}," USB software update script: a FAT32 USB drive containing ",{"type":284,"tag":353,"props":961,"children":963},{"className":962},[],[964],{"type":290,"value":965},"swdl-entry.conf",{"type":290,"value":511},{"type":284,"tag":353,"props":968,"children":970},{"className":969},[],[971],{"type":290,"value":972},"swdl-pre-extra-exec.sh",{"type":290,"value":974}," is executed as root with no signature check, giving guest AGL root from an inserted USB stick. 
",{"type":284,"tag":298,"props":976,"children":979},{"href":977,"rel":978},"https://nvd.nist.gov/vuln/detail/CVE-2022-23778",[365],[980],{"type":290,"value":981},"CVE-2022-23778",{"type":290,"value":983}," is in the IVI host QNX MgrLog/MgrTsk service listening on 0.0.0.0:54323 and reachable from the AGL guest: the ",{"type":284,"tag":353,"props":985,"children":987},{"className":986},[],[988],{"type":290,"value":989},"tcpSnifferWriteConfigFile",{"type":290,"value":991}," command writes attacker-controlled arguments to a config file that ",{"type":284,"tag":353,"props":993,"children":995},{"className":994},[],[996],{"type":290,"value":997},"tcpSnifferStart",{"type":290,"value":999}," then passes to ",{"type":284,"tag":353,"props":1001,"children":1003},{"className":1002},[],[1004],{"type":290,"value":1005},"tcpdump",{"type":290,"value":1007},", yielding root command execution on the QNX host, a VM escape from guest AGL. ",{"type":284,"tag":298,"props":1009,"children":1012},{"href":1010,"rel":1011},"https://nvd.nist.gov/vuln/detail/CVE-2022-23777",[365],[1013],{"type":290,"value":1014},"CVE-2022-23777",{"type":290,"value":1016}," is in ICAS1's coredump-filter handling: with physical eMMC access an attacker plants files that cause ",{"type":284,"tag":353,"props":1018,"children":1020},{"className":1019},[],[1021],{"type":290,"value":1022},"/sbin/init.pre",{"type":290,"value":1024}," to copy ",{"type":284,"tag":353,"props":1026,"children":1028},{"className":1027},[],[1029],{"type":290,"value":1030},"coredump-filter",{"type":290,"value":1032}," into a writable dm-integrity partition where it can be replaced, used to extract per-VM dm-integrity keys from TrustZone, and then to execute arbitrary code in any of the three Corbos Linux VMs.",{"type":284,"tag":292,"props":1034,"children":1035},{},[1036],{"type":290,"value":1037},"The chain achieved root on both AGL guest and QNX host of the IVI and inside the ICAS1 application VMs, with backdoor persistence. 
Demonstrated capabilities included microphone and camera access, GPS position and history, charging control, IVI and instrument-cluster display manipulation, and Bluetooth phonebook extraction. The team did not escape from the Corbos Linux VMs into the SPC58 gateway RTOS, so direct CAN injection was not achieved, and the entry vectors all require local access (USB port or removed-module eMMC).",{"type":284,"tag":321,"props":1039,"children":1041},{"id":1040},"over-the-air-compromise-of-modern-volkswagen-group-vehicles",[1042],{"type":290,"value":254},{"type":284,"tag":292,"props":1044,"children":1045},{},[1046,1051,1052],{"type":284,"tag":331,"props":1047,"children":1048},{},[1049],{"type":290,"value":1050},"Parnishchev, Ivachev (PCAutomotive), Black Hat Europe 2024",{"type":290,"value":337},{"type":284,"tag":339,"props":1053,"children":1054},{"id":252},[],{"type":284,"tag":292,"props":1056,"children":1057},{},[1058],{"type":290,"value":1059},"This Black Hat Europe 2024 work covers the MIB3 infotainment platform in Skoda and VW Group vehicles produced from 2021. MIB3 uses a Renesas R-Car M3 SoC running Yocto Linux 4.14.75 and a CARCOM FreeRTOS co-processor on a Cortex-R7.",{"type":284,"tag":292,"props":1061,"children":1062},{},[1063,1065,1071,1073,1079,1081,1087],{"type":290,"value":1064},"Entry is a Bluetooth-triggered heap overflow in the ",{"type":284,"tag":353,"props":1066,"children":1068},{"className":1067},[],[1069],{"type":290,"value":1070},"picserver",{"type":290,"value":1072}," JPEG decoder in the phone contacts service: a crafted PBAP profile photo with a scanline that exceeds the 0x4000-byte allocation (libjpeg's 1/8 scaling can produce up to a 0x7fff-byte scanline) overflows the buffer. From the phone service the team exploited a missing access control check in MIB3's custom IPC mechanism to reach a shell injection primitive in the Networking service, then loaded an unsigned kernel module to obtain root. 
CARCOM code execution came from patching shared RAM, giving raw CAN3 frame access. Persistence was achieved via a secure-boot bypass in Preh's proprietary image-compression extension to the R-Car BL2 stage of ARM Trusted Firmware: each compressed boot image carries a PCCP header with its own size field, and BL2 uses that header size for LZ4 decompression while verifying the signature over a size taken from the certificate. Appending arbitrary content past the authenticated region therefore still passes secure boot. Concatenating extra CPIO records after the initrd's ",{"type":284,"tag":353,"props":1074,"children":1076},{"className":1075},[],[1077],{"type":290,"value":1078},"TRAILER!!!",{"type":290,"value":1080}," marker let them overwrite the ",{"type":284,"tag":353,"props":1082,"children":1084},{"className":1083},[],[1085],{"type":290,"value":1086},"init",{"type":290,"value":1088}," script that brings up dm-verity, persisting code execution across reboots. Demonstrated capabilities included real-time GPS and speed tracking, in-car microphone access, screen control, and DNS-tunnelled C2 over the embedded eSIM.",{"type":284,"tag":292,"props":1090,"children":1091},{},[1092],{"type":284,"tag":400,"props":1093,"children":1096},{"alt":1094,"src":1095},"Vulnerability chaining diagram for the MIB3 exploit: Bluetooth heap overflow, IPC shell injection, kernel module LPE, CARCOM code execution, and secure boot bypass for persistence. 
Figure from Parnishchev and Ivachev, 2024 (Over the Air).","/images/knowledge-base/existing-research/infotainment-telematics/pcautomotive-vw-2024-1.png",[],{"type":284,"tag":314,"props":1098,"children":1100},{"id":1099},"nissan",[1101],{"type":290,"value":1102},"Nissan",{"type":284,"tag":321,"props":1104,"children":1106},{"id":1105},"vulnerabilities-in-nissan-infotainment-manufactured-by-bosch",[1107],{"type":290,"value":1108},"Vulnerabilities in Nissan Infotainment Manufactured by Bosch",{"type":284,"tag":292,"props":1110,"children":1111},{},[1112,1117,1118],{"type":284,"tag":331,"props":1113,"children":1114},{},[1115],{"type":290,"value":1116},"Smirnova, Motspan, Evdokimov (PCAutomotive), advisory 2025",{"type":290,"value":337},{"type":284,"tag":339,"props":1119,"children":1120},{"id":258},[],{"type":284,"tag":292,"props":1122,"children":1123},{},[1124],{"type":290,"value":1125},"PCAutomotive published this advisory in March 2025, disclosing ten CVEs affecting the infotainment ECU in the Nissan Leaf ZE1 (2020), manufactured by Bosch. 
The IVI runs Linux on an NXP i.MX 6 SoC; an RH850 co-processor handles CAN.",{"type":284,"tag":292,"props":1127,"children":1128},{},[1129,1131,1137,1139,1146,1148,1155,1156,1163,1165,1171,1173,1180,1182,1189,1191,1198,1200,1207],{"type":290,"value":1130},"Three stack overflows in the HFP handler within ",{"type":284,"tag":353,"props":1132,"children":1134},{"className":1133},[],[1135],{"type":290,"value":1136},"libevo_stack.so",{"type":290,"value":1138}," (",{"type":284,"tag":298,"props":1140,"children":1143},{"href":1141,"rel":1142},"https://nvd.nist.gov/vuln/detail/CVE-2025-32059",[365],[1144],{"type":290,"value":1145},"CVE-2025-32059",{"type":290,"value":1147},", ",{"type":284,"tag":298,"props":1149,"children":1152},{"href":1150,"rel":1151},"https://nvd.nist.gov/vuln/detail/CVE-2025-32061",[365],[1153],{"type":290,"value":1154},"CVE-2025-32061",{"type":290,"value":1147},{"type":284,"tag":298,"props":1157,"children":1160},{"href":1158,"rel":1159},"https://nvd.nist.gov/vuln/detail/CVE-2025-32062",[365],[1161],{"type":290,"value":1162},"CVE-2025-32062",{"type":290,"value":1164},") allow code execution from a paired Bluetooth device: the library copies custom ",{"type":284,"tag":353,"props":1166,"children":1168},{"className":1167},[],[1169],{"type":290,"value":1170},"+ANDROID",{"type":290,"value":1172}," AT command parameters into fixed stack buffers without bounds checking and has no stack canaries. From the i.MX 6, a stack overflow in the RH850 firmware's INC interface (",{"type":284,"tag":298,"props":1174,"children":1177},{"href":1175,"rel":1176},"https://nvd.nist.gov/vuln/detail/CVE-2025-32058",[365],[1178],{"type":290,"value":1179},"CVE-2025-32058",{"type":290,"value":1181},") gives code execution on the CAN co-processor and unrestricted CAN frame injection on all connected buses. 
An anti-theft bypass (",{"type":284,"tag":298,"props":1183,"children":1186},{"href":1184,"rel":1185},"https://nvd.nist.gov/vuln/detail/CVE-2025-32056",[365],[1187],{"type":290,"value":1188},"CVE-2025-32056",{"type":290,"value":1190},") exploits a fixed 32-entry seed-to-response lookup table in the startup challenge-response, allowing an IVI removed from its vehicle to pass the startup check. A TLS misconfiguration in the Redbend OTA service (",{"type":284,"tag":298,"props":1192,"children":1195},{"href":1193,"rel":1194},"https://nvd.nist.gov/vuln/detail/CVE-2025-32057",[365],[1196],{"type":290,"value":1197},"CVE-2025-32057",{"type":290,"value":1199},") combined with the NXP i.MX 6 boot ROM vulnerability (",{"type":284,"tag":298,"props":1201,"children":1204},{"href":1202,"rel":1203},"https://nvd.nist.gov/vuln/detail/CVE-2017-7932",[365],[1205],{"type":290,"value":1206},"CVE-2017-7932",{"type":290,"value":1208},") enables persistent root and arbitrary firmware delivery. The full chain starts with one-time Bluetooth pairing.",{"type":284,"tag":292,"props":1210,"children":1211},{},[1212],{"type":284,"tag":400,"props":1213,"children":1216},{"alt":1214,"src":1215},"Vulnerability chaining diagram from the PCAutomotive Nissan advisory: Bluetooth RCE, RH850 stack overflow for CAN access, and persistent root via HAB secure boot bypass. Figure from PCAutomotive, 2025 (Nissan Bosch Advisory).","/images/knowledge-base/existing-research/infotainment-telematics/nissan-bosch-2025-1.png",[],{"type":284,"tag":314,"props":1218,"children":1220},{"id":1219},"multi-oem-web-apis",[1221],{"type":290,"value":1222},"Multi-OEM Web APIs",{"type":284,"tag":321,"props":1224,"children":1226},{"id":1225},"web-hackers-vs-the-auto-industry",[1227],{"type":290,"value":1228},"Web Hackers vs. 
The Auto Industry",{"type":284,"tag":292,"props":1230,"children":1231},{},[1232,1237,1238],{"type":284,"tag":331,"props":1233,"children":1234},{},[1235],{"type":290,"value":1236},"Sam Curry et al., samcurry.net 2023",{"type":290,"value":337},{"type":284,"tag":339,"props":1239,"children":1240},{"id":265},[],{"type":284,"tag":292,"props":1242,"children":1243},{},[1244],{"type":290,"value":1245},"A project targeting the telematics web APIs of more than a dozen automotive brands, applying conventional web application techniques (IDOR, broken access control, SSO misconfiguration, SQL injection) to the backend services owners use to lock, unlock, locate, and start vehicles remotely.",{"type":284,"tag":292,"props":1247,"children":1248},{},[1249],{"type":290,"value":1250},"Findings spanned many brands. Kia, Honda, Infiniti, Nissan, and Acura APIs accepted only a VIN as authorisation for remote start and GPS commands. BMW and Rolls Royce had an SSO portal where a wildcard user query combined with an unauthenticated TOTP-generation endpoint gave full account takeover for any employee. Mercedes-Benz had a repair-shop registration portal writing to the same LDAP as employee SSO, giving access to internal GitHub, Jenkins, and Mattermost with RCE on several services. Ferrari's dealer CMS exposed an API key in client-side JavaScript granting access to all customer records. Spireon's global administration panel, accessible via SQL injection, allowed sending arbitrary telematics commands including starter disable to 15.5 million tracked vehicles.",{"type":284,"tag":292,"props":1252,"children":1253},{},[1254],{"type":284,"tag":400,"props":1255,"children":1258},{"alt":1256,"src":1257},"Spireon global administration portal, accessible via an SQL injection bypass, allowing arbitrary telematics commands to 15.5 million vehicles. Figure from Curry et al., 2023 (Web Hackers vs. 
The Auto Industry).","/images/knowledge-base/existing-research/infotainment-telematics/curry-web-hackers-2023-1.png",[],{"type":284,"tag":292,"props":1260,"children":1261},{},[1262],{"type":290,"value":1263},"The paper illustrates that the cloud API tier is often the weakest link in vehicle telematics; a backend compromise can be equivalent to a physical connection to every vehicle in a fleet.",{"type":284,"tag":314,"props":1265,"children":1267},{"id":1266},"third-party-telematics",[1268],{"type":290,"value":1269},"Third-Party Telematics",{"type":284,"tag":321,"props":1271,"children":1273},{"id":1272},"attacking-vehicle-fleet-management-systems",[1274],{"type":290,"value":1275},"Attacking Vehicle Fleet Management Systems",{"type":284,"tag":292,"props":1277,"children":1278},{},[1279,1284,1285],{"type":284,"tag":331,"props":1280,"children":1281},{},[1282],{"type":290,"value":1283},"Pareja Veredas, Mehaboobe, DefCamp 2023",{"type":290,"value":337},{"type":284,"tag":339,"props":1286,"children":1288},{"id":1287},"mehaboobe-tbox,mehaboobe-tbox-slides",[],{"type":284,"tag":292,"props":1290,"children":1291},{},[1292],{"type":290,"value":1293},"This DefCamp 2023 work covers aftermarket telematics control units (T-boxes, or TCUs) used in commercial fleet management, targeting two vendors: the SANY Hopechart HQT401 and a second undisclosed vendor. The HQT401 is an Android-based 4G/Wi-Fi/Bluetooth device factory-installed in SANY heavy equipment and sold as an aftermarket unit; the undisclosed vendor supplies a Linux-based TCU to fleet operators across the automotive and logistics sectors. The research began in 2020 as a side project and was conducted entirely black-box.",{"type":284,"tag":292,"props":1295,"children":1296},{},[1297],{"type":290,"value":1298},"Both devices shared a common weakness: unauthenticated MQTT brokers with no access control, discoverable via Shodan and Censys. 
The HQT401 firmware, obtained by attaching a USB cable to an exposed debug port and pulling a root ADB shell, contained no binary stripping or signature enforcement. The MQTT channel used no authentication or encryption, exposing GPS telemetry, speed, RPM, fuel level, and CAN traffic from the entire connected fleet. The backend accepted CAN injection commands framed as standard MQTT messages, allowing any unauthenticated client to inject arbitrary frames. For the undisclosed vendor, the firmware was retrieved from a URL embedded in an MQTT OTA command, and reverse engineering revealed a privilege escalation path via a web interface buffer overflow and broken token validation, yielding root code execution without physical access to the device. That vendor's platform additionally exposed live video streams, engine immobilisation commands, and CAN read/write. Combined, the two deployments covered approximately 185,000 vehicles; as of the conference date neither vendor had shipped a complete patch.",{"type":284,"tag":292,"props":1300,"children":1301},{},[1302],{"type":284,"tag":400,"props":1303,"children":1306},{"alt":1304,"src":1305},"HopeChart HQT401 T-box device, an Android-based fleet TCU. 
Figure from Pareja Veredas and Mehaboobe, 2023 ((Re)Playing With Your Keys).","/images/knowledge-base/existing-research/infotainment-telematics/mehaboobe-tbox-1.png",[],{"type":284,"tag":314,"props":1308,"children":1310},{"id":1309},"references",[1311],{"type":290,"value":1312},"References",{"type":284,"tag":1314,"props":1315,"children":1316},"chapter-references",{},[],{"title":172,"searchDepth":16,"depth":16,"links":1318},[1319,1327,1331,1335,1340,1343,1346,1349],{"id":316,"depth":16,"text":319,"children":1320},[1321,1322,1323,1324,1325,1326],{"id":323,"depth":22,"text":326},{"id":415,"depth":22,"text":184},{"id":453,"depth":22,"text":456},{"id":531,"depth":22,"text":534},{"id":601,"depth":22,"text":604},{"id":640,"depth":22,"text":209},{"id":721,"depth":16,"text":724,"children":1328},[1329,1330],{"id":727,"depth":22,"text":730},{"id":758,"depth":22,"text":761},{"id":810,"depth":16,"text":813,"children":1332},[1333,1334],{"id":816,"depth":22,"text":229},{"id":851,"depth":22,"text":235},{"id":873,"depth":16,"text":876,"children":1336},[1337,1338,1339],{"id":879,"depth":22,"text":241},{"id":917,"depth":22,"text":920},{"id":1040,"depth":22,"text":254},{"id":1099,"depth":16,"text":1102,"children":1341},[1342],{"id":1105,"depth":22,"text":1108},{"id":1219,"depth":16,"text":1222,"children":1344},[1345],{"id":1225,"depth":22,"text":1228},{"id":1266,"depth":16,"text":1269,"children":1347},[1348],{"id":1272,"depth":22,"text":1275},{"id":1309,"depth":16,"text":1312},"markdown","content:7.knowledge-base:4.existing-research:5.infotainment-telematics.md","content","md",1779543672142]