The team chained zero-day vulnerabilities, bypassed stack protection, and achieved remote code execution to exploit a Tesla X.
Kunnamon published a Tesla hack at CanSecWest last month.
The team used a fuzzing tool to find two new zero-days in the open source ConnMan package that Tesla uses in its Infotainment unit. By chaining the zero-day vulnerabilities, they were able to bypass the stack protection mechanisms, including ASLR and Stack Canary. With the chain in place, they achieved remote code execution over WiFi, using a drone to provide a WiFi access point for a hardwired SSID, and so exploited a Tesla X and opened its doors.
Tesla has fixed this in a timely manner, so if you use ConnMan you might want to upgrade to version 1.39 or higher.
Judging from the slew of IP stack vulnerabilities that were published lately (see below), including Microsoft’s last week, there will be more coming. The entry point for protecting the OS against memory attacks involving stack overflow used to be activation of ASLR and Stack Canary. Those are still a good start, but they are no longer enough.
The fact that attackers can take their time with advanced tools, unearthing zero days in the process, means that self-protection for software is more important than ever. If all that is needed by two (very smart) guys in a garage to find zero days that allow a Tesla takeover is a lot of knowledge, a little time, and access to some open source tools and packages, any safety-impacted IoT developer out there had better add another layer of cybersecurity.
We at Karamba would be happy to show you how our CFI solution helps avoid bugs of this type, to save you bounty prizes, eliminate response cycles, and of course outright lower your risk and make life harder for the next hackers trying to hack you or Tesla. It integrates seamlessly with no need to modify source files.
The hackers’ report: https://kunnamon.io/tbone/tbone-v1.0-redacted.pdf
BadAlloc/25 – Vulnerability in 25 RTOS and Linux OS flavors, published by Microsoft, April 2021. CISA published an advisory.
Urgent/11 – Vulnerabilities in VxWorks, found by Armis researchers, June 2019. Since the IPNet stack is used, multiple updates were published to this advisory.
Ripple/20 – DNS vulnerabilities discovered by JSOF researchers, June 2020.
Amnesia:33 – 33 vulnerabilities in 4 different stacks, published by Forescout researchers, December 2020
Treck Stack – Discovered by Intel researchers, advisory by CISA, January 2021