Tencent Keen Security Lab: Experimental Security Assessment on Lexus Cars


by Tencent Keen Security Lab

Since 2017, Lexus has equipped several models (including the NX, LS and ES series) with a new-generation infotainment system, also known as the AVN (Audio, Visual and Navigation) unit. Compared with some intelligent connected infotainment units, such as Tesla's IVI and BMW's ConnectedDrive system, the new Lexus AVN unit is more traditional. From a security perspective, that may considerably reduce its exposure to potential cybersecurity issues, but a new system always introduces new security risks. After conducting ethical hacking research on a 2017 Lexus NX300, Keen Security Lab [1] discovered several security findings in the Bluetooth and vehicular diagnosis functions of the car, which could compromise the AVN unit, the internal CAN network and related ECUs. By chaining the findings, Keen Security Lab was able to wirelessly take control of the AVN unit without any user interaction, then inject malicious CAN messages from the AVN unit into the CAN network to make a vulnerable car perform unexpected physical actions.
Toyota is currently working on mitigation plans. Therefore, we decided to make only a brief disclosure in this paper rather than a full disclosure, which would be irresponsible toward vehicle users. If all goes well, the full technical report will be released at a suitable time in 2021.


Exploiting Wi-Fi Stack on Tesla Model S


by Tencent Keen Security Lab

In the past two years, Keen Security Lab did in-depth research on the security of Tesla cars and presented the results at Black Hat 2017 and Black Hat 2018. The research involved many in-vehicle components; we demonstrated how to hack into the CID, IC, GATEWAY and APE. The vulnerabilities we utilized exist in the kernel, browser, MCU firmware, UDS protocol and OTA update services. It is worth noting that we recently did some interesting work on the Autopilot module: we analyzed the implementation details of the auto-wiper and lane-recognition functions and demonstrated an example of attacking them in the physical world.

To understand the security of Tesla's on-board system more comprehensively, we researched the Wi-Fi module (known as Parrot on the Model S) and found two vulnerabilities in the Wi-Fi firmware and the Wi-Fi driver. By combining these two vulnerabilities, the host Linux system can be compromised.


TenSec 2019


by KeenLab


Tencent Security Conference (TenSec) is an international cybersecurity summit launched by Tencent Security, hosted by Tencent Keen Security Lab and Tencent Security Platform Department, and co-organized by Tencent Security Academy.


Exploiting iOS 11.0-11.3.1 Multipath TCP: A Walkthrough


by Ian Fang @fongtinyik, Qoobee @Qooobeee

Introduction

The iOS 11 MPTCP bug (CVE-2018-4241), discovered by Ian Beer, is a serious kernel vulnerability: a buffer overflow in mptcp_usr_connectx that allows attackers to execute arbitrary code in a privileged context.
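The bug this walkthrough covers is a buffer overflow reached through a caller-controlled socket address. The C program below is an added illustration written for this page; it is not Ian Beer's PoC and not XNU code. It simulates the general pattern of copying a BSD-style sockaddr, whose sa_len the caller chooses, into a fixed-size frame buffer, shows the oversized copy reaching the slot that follows the buffer, and places the length check a hardened handler needs before the copy. The 28-byte buffer size, the simulated frame layout, the clamp that keeps the simulation memory-safe and all function names are assumptions made for the demonstration, not details of the real vulnerability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination, the size of a sockaddr_in6 on XNU. */
#define SOCKADDR_MAX 28
/* Simulated "saved return address" slot placed right after the buffer. */
#define RET_SLOT     SOCKADDR_MAX
#define FRAME_BYTES  (SOCKADDR_MAX + sizeof(uint64_t))
#define RET_MAGIC    0x1122334455667788ULL

/* BSD-style socket address as handed in by the caller; sa_len is caller-controlled.
   sa_data is oversized so that every sa_len value (0..255) is readable in the simulation. */
struct user_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[254];
};

/* Simulated kernel stack frame: address buffer followed by the return slot. */
typedef struct { uint8_t bytes[FRAME_BYTES]; } sim_frame_t;

static void frame_init(sim_frame_t *f)
{
    uint64_t magic = RET_MAGIC;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + RET_SLOT, &magic, sizeof magic);
}

uint64_t frame_saved_ret(const sim_frame_t *f)
{
    uint64_t v;
    memcpy(&v, f->bytes + RET_SLOT, sizeof v);
    return v;
}

/* Constructed caller input: sa_len chosen by the caller, payload bytes all `fill`. */
void make_sockaddr(struct user_sockaddr *sa, uint8_t sa_len, uint8_t fill)
{
    memset(sa, fill, sizeof *sa);
    sa->sa_len = sa_len;
    sa->sa_family = 30;   /* AF_INET6 on XNU; irrelevant to the copy length */
}

/* Vulnerable pattern: the copy length is taken directly from the caller's sa_len. */
int copy_sockaddr_vulnerable(sim_frame_t *f, const struct user_sockaddr *sa)
{
    size_t n = sa->sa_len;
    /* Clamp only to keep the simulation inside `f`; a real frame has no such guard. */
    if (n > sizeof f->bytes) n = sizeof f->bytes;
    memcpy(f->bytes, sa, n);   /* n > SOCKADDR_MAX spills into the return slot */
    return 0;
}

/* Hardened pattern: reject any length the fixed destination cannot hold before copying. */
int copy_sockaddr_hardened(sim_frame_t *f, const struct user_sockaddr *sa)
{
    if (sa->sa_len < offsetof(struct user_sockaddr, sa_data) || sa->sa_len > SOCKADDR_MAX)
        return -1;   /* EINVAL: caller-supplied length does not fit the buffer */
    memcpy(f->bytes, sa, sa->sa_len);
    return 0;
}

/* 1 if the vulnerable copy overwrote the saved-return slot for this sa_len, else 0. */
int vulnerable_overwrites_return(uint8_t sa_len)
{
    sim_frame_t f; struct user_sockaddr sa;
    frame_init(&f);
    make_sockaddr(&sa, sa_len, 0x41);
    copy_sockaddr_vulnerable(&f, &sa);
    return frame_saved_ret(&f) != RET_MAGIC;
}

/* Hardened verdict for this sa_len: 0 accepted, -1 rejected, -2 if the slot was ever damaged. */
int hardened_outcome(uint8_t sa_len)
{
    sim_frame_t f; struct user_sockaddr sa;
    frame_init(&f);
    make_sockaddr(&sa, sa_len, 0x41);
    int rc = copy_sockaddr_hardened(&f, &sa);
    return frame_saved_ret(&f) == RET_MAGIC ? rc : -2;
}

int main(void)
{
    printf("vulnerable, sa_len=28: return slot clobbered? %d\n", vulnerable_overwrites_return(28));
    printf("vulnerable, sa_len=36: return slot clobbered? %d\n", vulnerable_overwrites_return(36));
    printf("hardened,   sa_len=36: outcome %d (expect -1, rejected)\n", hardened_outcome(36));
    printf("hardened,   sa_len=28: outcome %d (expect 0, accepted)\n", hardened_outcome(28));
    return 0;
}
```

With an in-range sa_len the two handlers behave identically; the difference only appears once the caller passes a length larger than the destination, which is exactly the input a fuzzer or an attacker will try first against any copy whose length field lives in user-controlled memory.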

Ian Beer attached an interesting piece of PoC code that demonstrates a rather elegant technique for obtaining the kernel task port with this vulnerability. Extending the brief writeup that accompanies the PoC, this blog post walks through the PoC in detail and covers its background. If you are an iOS security researcher who hasn't looked into the PoC source code yet, hopefully you will find this material handy when you do.

Please have a copy of mptcp PoC code before we dive in! You can download it from here: Download

Note: All credits for exploitation techniques, vulnerability PoC code and original writeup belong to Ian Beer at Google Project Zero.


New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars


by Tencent Keen Security Lab

Introduction

The BMW research is an ethical hacking project. Keen Security Lab performed an in-depth and comprehensive analysis of both the hardware and software of the in-vehicle infotainment head unit, the Telematics Control Unit and the Central Gateway Module of multiple BMW vehicles. Focusing mainly on external attack surfaces (including the GSM network, BMW Remote Service, the BMW ConnectedDrive system, Remote Diagnosis, the NGTP protocol, the Bluetooth protocol, and the USB and OBD-II interfaces), Keen Security Lab gained local and remote access to infotainment components, T-Box components and UDS communication above a certain speed on selected modules of multiple BMW vehicles, and was able to gain control of the CAN buses by remotely executing arbitrary, unauthorized diagnostic requests against BMW in-car systems.


TenSec 2018


by KeenLab


TenSec 2018 will be held on October 10 and 11, bringing together the most heated debates in cybersecurity, the most famous technology corporations, car manufacturers and security communities, and leading experts from all over the world. The summit focuses on big data, artificial intelligence, mobile Internet, cloud computing, Internet of Things, blockchain, virtualization, intelligent connected vehicles and research tools in the security field, and encourages the sharing of first-class international security technologies and research achievements. We look forward to creating a platform for experts in the security community to discuss security technology innovation and future development trends.

Since its launch in 2016, TenSec has been committed to exploring frontier international security technologies and research, building a long-term, sustainable platform for communication and cooperation between international manufacturers and security communities to safeguard emerging forms of the Internet and user security.


A bunch of Red Pills: VMware Escapes


by Marco Grassi, Azureyang, Jackyxty

Background

VMware is one of the leaders in virtualization today. It offers VMware ESXi for the cloud, and VMware Workstation and Fusion for desktops (Windows, Linux, macOS).
The technology is well known to the public: it allows users to run unmodified guest "virtual machines".
Often those virtual machines are not trusted, and they must be isolated.
VMware goes to great lengths to provide this isolation, especially in the ESXi product, where virtual machines of different actors can potentially run on the same hardware, so strong isolation is of paramount importance.

Pwn2Own recently introduced a "Virtualization" category, and VMware has been among the targets since Pwn2Own 2016.

In 2017 we successfully demonstrated a VMware escape from a guest to the host from an unprivileged account, resulting in code execution on the host and a break out of the virtual machine.

If you escape the virtual machine environment, all isolation assurances are lost, since you are running code on the host, which controls the guests.


New Car Hacking Research: 2017, Remote Attack Tesla Motors Again


by Keen Security Lab of Tencent

Keen Lab discovered new security vulnerabilities in Tesla vehicles and realized a full attack chain that achieves arbitrary remote control of the CAN bus and ECUs on Tesla vehicles running the latest firmware.

Several highlights for 2017 Tesla Research:

  • Realized a full attack chain, as we did in 2016, achieving arbitrary remote control of the CAN bus and ECUs.
  • Discovered multiple 0-days in different modules. Keen Lab is currently working with Tesla and related manufacturers on assigning CVE numbers to the vulnerabilities.
  • In September 2016 Tesla introduced a new security mechanism, code signing, to verify the signature integrity of system firmware delivered to Tesla vehicles via FOTA. Keen Lab bypassed this code signing.
  • The "group lighting show of Model X" in our demonstration is technically arbitrary remote control of multiple ECUs at the same time. It shows Keen Lab's research capability on the CAN bus and ECUs.

Keen Lab followed the responsible disclosure process and reported all security vulnerabilities and related exploits to Tesla. The Tesla Product Security Team verified and confirmed all the bugs in our report. Security patches were made and pushed to vehicles via FOTA efficiently in July. The reported issues affect multiple Tesla models. According to Tesla, most active Tesla vehicles have already been updated to the patched firmware via FOTA. We thank the Tesla Product Security Team for their quick response, quick fix and efficient patching via FOTA.

Reminder to Tesla owners: please check whether your car is running firmware version 8.1 (17.26.0) or later. If not, please upgrade to the latest firmware to ensure all the issues are fixed.

The video below demonstrates the impact of our remote attack vector. REMINDER: WHAT YOU ARE ABOUT TO SEE IN THIS VIDEO WAS PERFORMED BY PROFESSIONAL RESEARCHERS; DO NOT TRY THIS AT HOME. We thank Tencent Auto for their contributions to publishing this demonstration.