The Key to Remote Vehicle Control: Autonomous Driving Domain Controller
Shupeng Gao, Yingtao Zeng, Yimi Hu, Jie Gao, Baidu Security Lab
#BHASIA BlackHatEvents

Opening slides: Traditional Cars; Current Cars; Future Cars; The Evolution of BMW 3 Series Electronic Systems; About Autonomous Driving Domain Controllers; Our Previous Research on the IVI; Our Previous Research on the T-Box; Our Previous Research on the 4G Module.

Regarding Autonomous Driving Domain Controllers: Why

Why Research ADAS?
- Smart vehicles may be the most complex and advanced IoT devices accessible to the general public.
- Compared to the past, smart cars incorporate a myriad of new technologies, including new architectures, communication interfaces, processors, and operating systems.
- Currently there is a lack of attention to the security of ADAS, which is relatively poor. Improper design may pose risks of remote vehicle control.
- Compared to IVI and T-Box devices, this is a new research area.
- It involves AI, which is very interesting and cutting-edge.
- A new research direction for security researchers and automotive manufacturer security teams.
- Final goal: enhancing the security of ADAS devices.

NIO Center Computing Cluster
- System: 4x Linux, 1x Android (QNX VM)
- SoC: 4x Nvidia Orin-X, 1x Qualcomm SA8155
- MCU: 2x TC399, 1x TC397
- Storage: 4x EMMC, 5x UFS
- More than 1000 TOPS int8 (for comparison, an RTX 4090 delivers 660 TOPS int8)

Why Research ADAS - High Complexity (image source: https:/cars-)
Why Research ADAS - New Architecture: Ethernet Connectivity (image source: https:/cars-)
Why Research ADAS - Controllable Vehicles: the ADAS is connected to the Powertrain CAN and the Chassis CAN, so it naturally controls the vehicle. (image source: https:/cars-)

Regarding Autonomous Driving Domain Controllers: What

More than 30 ADAS devices were examined.

The Development Process of ADAS Controllers
- FPGA, 0.5 TOPS: ACC/LKA
- Mobileye Q4M/H; Horizon Journey 2, 1.12 TOPS; 4 TOPS Arm CPU with AI inference capabilities (front camera)
- TI TDA4VM, 8 TOPS: low-speed autonomous driving domain controller; Mobileye 4H, 2 TOPS
- Horizon J3: 1x J3 (5 TOPS), 3x J3
- 1x J3 and 1x TDA4VM; 2x TDA4VM
- TI TDA4VH, 32 TOPS
- Horizon J5
- Nvidia Xavier
- Nvidia Orin-X, 254 TOPS; 2x Orin-X, 508 TOPS; 4x Orin-X, 1016 TOPS
- Nvidia Orin-N, 84 TOPS (Orin-X vs Orin-N: same interface)
- 2x Mobileye 5H
- 2x Qualcomm SA8650, 100 TOPS

ADAS Internal Structure
- SoC: includes an ARM CPU and an AI NPU, runs an operating system, performs AI inference.
- Memory: DDR.
- Storage: UFS, EMMC, NorFlash.
- Network: onboard Ethernet chip.
- MCU: autonomous driving decisions, CAN transmission and reception, fault monitoring and degradation, power management, ultrasonic radar algorithms, AEB decisions, etc.
- Serializer/Deserializer: camera data input; outputs a video signal (e.g., the parking 360 view) to the IVI.
- Power management chip, CAN transceiver chip.
- Various interfaces: power, Ethernet, CAN, etc.
- Other: GNSS GPS chip, IMU chip.

[Figure: ADAS block diagram. SoC Orin-X running Nvidia Drive OS (time sync, HW driver, monitor, log, HMI) with perception tasks (obstacle, AEB, lane, traffic light), FSD, localization, HD map, planning, prediction, parking and control exchanged over ZMQ/DDS/SOME/IP; inputs from MIPI cameras (front narrow, front main, front fisheye, left, right, rear) through the deserializer, lidar via a Marvell switch, GNSS and IMU; MCU TC397 over an SPI interface handling steer-by-wire, ultrasonic radar, fault diagnosis, power management and CAN/FlexRay arbitration through the CAN transceiver to the chassis/powertrain CAN and the ADAS gateway; LVDS output to the IVI display (parking view, FSD view).]

[Figure: in-vehicle network. Cameras -> ADAS (SoC Orin-X on Linux/QNX for perception and control, MCU TC397 on CAN) -> GW (gateway) with Ethernet switch; T-Box with 4/5G module (Internet, Telematics CAN); VCU on the Chassis/Powertrain CAN; IVI (Android on QNX, display) on the Info CAN; DoIP and OBD on the Diag CAN; Body CAN with auto AC, body electronics and door ECUs.]

[Figure: software stack. HW layer: Orin / Horizon / TI SoC, GNSS, IMU, MCU, Ser/Des, PMIC, EMMC/UFS. SYS layer: Linux, QNX, ROS2, Nvidia DriveOS, other auto frameworks; proxy, ZMQ, SOA, OTA, security. APP/Task layer: perception, localization, control, planning, prediction, fusion, map/HMI, BEV, OCC, AEB, lane, traffic light, obstacle, CAN.]

Regarding Autonomous Driving Domain Controllers: How

How to Research ADAS - Analyze It as an IoT Device
- Familiarize yourself with the structure, find entry points, complete the attack. Remote code execution (RCE) may not be achievable, but risks such as information leakage are also significant.
- Operating system: access the file system, for example through firmware extraction or firmware download; obtain shell access, for example through a debugging port.
- Interface analysis: assess interfaces such as UART, Ethernet ports, JTAG, DAP, etc.
- Signal analysis: analyze CAN signals, CAN FD, vehicle Ethernet.

How to Research - Acquiring the Device
How to Research - Powering On and Ignition (image source: https:/cars-)

Read EMMC/UFS Storage
- EMMC internally integrates a flash controller, so it allows direct editing and deletion, for example modifying the /etc/shadow file.
- UFS currently lacks effective file management methods; access is similar to dd.
- Current use of UFS programmers: complete dump and write (up to 300 MB/s); supports a specified offset.
- Use UFS Programmer to dump/write: slow speed; new tools.

Partition Table Details
- Devices with a GPT partition table allow direct reading of partitions and files: EXT4 (Horizon, TI), QNX (Mobileye, TI, Qualcomm).
- No GPT/MBR: Nvidia devices lack a standard partition table: EXT4 (Orin), QNX (Xavier).
- QNX6: can be mounted read-only, cannot be written.
- Examples: a TDA4 EMMC dump is QNX with GPT; a J3 EMMC dump is EXT4 with GPT.
- If there is no partition table, it needs to be rebuilt.

Nvidia QNX / Android IVI QNX
- The tool only supports searching for EXT3, EXT4, FAT, and other file systems; QNX requires manual partitioning. The commands from the slide (the dd command that carves part3.dd out of the full dump using count is not shown on the slide):

```sh
# Search the raw dump for the file-system signature (the byte pattern given on the slide)
binwalk -R "\xeb\x10\x90\x00\x00\x00\x00" dump.img

# Partition boundaries found in the dump, in bytes
start_offset=0x3EF500000
end_offset=0x543280000
# Partition length in 1 MiB (0x100000) blocks, i.e. the count for a dd with bs=1M
count=$(( (end_offset - start_offset) / 0x100000 ))

# Drop the first 0x80000 bytes of the carved partition so the file system starts at offset 0
dd if=part3.dd of=new_part3.bin bs=1024 skip=$(( 0x80000 / 1024 ))
```

- Then use tools such as qnxmount to mount the file system.

What Can We Obtain From a Storage Dump?
- Sensitive files: /etc/shadow for cracking passwords.
- Encryption keys (disk encryption, file encryption, OTA).
- MQTT private keys and passwords.
- OTA upgrade packages.
- Model files.
- MCU firmware.
- The frameworks and technologies used.
- Startup processes, where vulnerabilities can be discovered in listening-port processes through reverse engineering.

How To Get a Shell
- Half of the devices have SSH enabled. Default credentials: nvidia/nvidia. Brute force with Hashcat. Write a new /etc/shadow.
- Password verification mechanism: password cracking algorithm.
- Dump flash, modify the startup process.
- Serial port login.
- Analysis and exploitation of vulnerabilities in listening processes.

How To Get a Shell - Modify UFS
Modifying EMMC storage is quite common. Now we:
1. Dump all of UFS as a .img.
2. Modify the .img: 0xd65f03c0 is the ret instruction; bypass the ChangePasswd() function; modify the shadow file.
3. Write the .img file back to UFS.

How To Get a Shell - UART Interface

Obtaining Network Access
- All onboard devices use vehicle Ethernet.
- It uses two-core cables.
- Supports 100M/1000M.

Obtaining Network Access - How to Use Vehicle Ethernet Adapters
- Vehicle Ethernet is divided into four combinations: 100M/1000M and master/slave.
- Additionally, 100M is differentiated by cable sequence.
- Recommended: use adapters with auto-negotiation capabilities.

How to Obtain the IP
Capture packets in promiscuous mode to determine the SoC IP address:
- VLANs are commonly present.
- Most devices do not use ARP and require MAC address binding.
- Sometimes, setting the local IP and MAC address is necessary, based on the destination IP and MAC of the observed UDP traffic.
- Some devices use IPv6 addresses.
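The capture step above reduces to one question per frame: which VLAN, destination MAC, IP and UDP port is each node addressed on, because with no ARP those are exactly the values a host must match to be reachable. The following is an added example, not code from the slides: a pure-stdlib parser for Ethernet II / 802.1Q / IPv4 / IPv6 / UDP frames plus an inventory function; the sample frames, MAC addresses, the SOME/IP-SD port 30490 and the fd00:: prefix are constructed here, and checksums are not verified.

```python
import ipaddress
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
IPPROTO_UDP = 17


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Addressing fields of one frame; IP/UDP fields stay None when absent."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"dst_mac": _mac(dst), "src_mac": _mac(src), "vlan": None,
            "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None}
    off = 14
    if ethertype == ETH_P_8021Q:              # VLAN tag: TCI then the inner ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        info["vlan"] = tci & 0x0FFF           # low 12 bits are the VLAN ID
        off += 4
    if ethertype == ETH_P_IP:
        ihl = (frame[off] & 0x0F) * 4         # IPv4 header length in bytes
        proto = frame[off + 9]
        s, d = struct.unpack_from("!4s4s", frame, off + 12)
        info["src_ip"], info["dst_ip"] = str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d))
        off += ihl
    elif ethertype == ETH_P_IPV6:
        proto = frame[off + 6]                # next header
        s, d = struct.unpack_from("!16s16s", frame, off + 8)
        info["src_ip"], info["dst_ip"] = str(ipaddress.IPv6Address(s)), str(ipaddress.IPv6Address(d))
        off += 40                             # fixed header only; extension headers not handled
    else:
        return info                           # ARP, PTP, raw layer-2 traffic, etc.
    if proto == IPPROTO_UDP:
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", frame, off)
    return info


def inventory(frames) -> Counter:
    """UDP frames per (vlan, dst_mac, dst_ip, dst_port): the tuple a host on the
    same link must match (VLAN, bound MAC, IP) when the peer never uses ARP."""
    seen = Counter()
    for f in frames:
        i = parse_frame(f)
        if i["dst_port"] is not None:
            seen[(i["vlan"], i["dst_mac"], i["dst_ip"], i["dst_port"])] += 1
    return seen


def build_udp_frame(dst_mac, src_mac, dst_ip, src_ip, dport, sport, payload=b"", vlan=None):
    """Constructed test frame; checksums are left zero (parse_frame does not verify them)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    d, s = ipaddress.ip_address(dst_ip), ipaddress.ip_address(src_ip)
    if d.version == 4:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                         IPPROTO_UDP, 0, s.packed, d.packed)
        return eth + struct.pack("!H", ETH_P_IP) + ip + udp
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(udp), IPPROTO_UDP, 64, s.packed, d.packed)
    return eth + struct.pack("!H", ETH_P_IPV6) + ip + udp


# Constructed sample capture: two datagrams to the SoC on VLAN 100, one untagged IPv6 datagram.
SAMPLE_FRAMES = [
    build_udp_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.1.2.3", "10.1.2.1",
                    30490, 30490, b"\x00" * 8, vlan=100),
    build_udp_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.1.2.3", "10.1.2.1",
                    30490, 30490, b"\x00" * 8, vlan=100),
    build_udp_frame("02:00:00:00:00:03", "02:00:00:00:00:01", "fd00::3", "fd00::1", 5000, 5000),
]

if __name__ == "__main__":
    for (vlan, mac, ip, port), n in inventory(SAMPLE_FRAMES).items():
        print(f"vlan={vlan} mac={mac} ip={ip} udp/{port}: {n} frames")
```

On a bench the frames would come from a pcap or raw socket; the same inventory also serves the defender, since any endpoint outside the documented VLAN/MAC/IP set is an unexpected talker on the ADAS segment.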
Interface Risk
- Boards often have many interfaces, especially UART and JTAG.
- Some car manufacturers not only have numerous debugging interfaces but also clearly label them.
- These interfaces are often needed for debugging and firmware flashing. Hence, protection is necessary.
- Special interfaces: Flash, HDMI, DP, DAP, Ethernet, Recovery.

Research on Other Related Peripherals - CAN
- Each controller has multiple CAN channels. One supports wake-up functionality, for example with the TJA1043 transceiver.
- CAN interface pins can be determined from the CAN transceiver pinout.
- Some ADAS systems require CAN signals for wake-up, either any CAN signal or a specific ID and data bits.
[Figure: MCU - CAN transceiver - CAN bus; capture the wake-up CAN signal.]

Research on Other Related Peripherals - Lidar
- Automotive-grade LiDAR uses Ethernet.
- The automaker added 20 bytes of SOME/IP commands.
- We reverse engineered the automaker's driver to enable LiDAR hacking and use.

Research on Other Related Peripherals - Serializer/Deserializer
- In the automotive field, image transmission does not use HDMI or DisplayPort; LVDS is used for data transmission and power supply.
- Data is transmitted by measuring small voltage changes on the line.
- Technology: FPD-Link and GMSL.
- In the field of security: we can perform camera simulation injections and save on display screens (which are generally expensive).
[Figure: instrument display screen (currently has some color issues); camera inject device.]

Risks

Firmware / Deploy Image / Development Documents
Frameworks
TI / Nvidia / Horizon / Mobileye Model Files
Model Configuration, Raw Model: convenient model invocation, training, and fine-tuning.

Deployment of AI Models on Vehicles
Technical roadmap: labeled data -> AI compute center -> training -> inference model -> quantization and optimization -> model for board -> deployed (via OTA) -> continuous road testing -> case optimization.
Producing the model consumes significant computational and data resources, with extensive post-optimization iterations. It needs to be protected.
As a security researcher, you can now move beyond using YOLO for model adversarial research (GAN) and paper writing, as you have access to real models.

Security Analysis of Model Files
- The model file contains the model structure and parameter information. The model structure is very important as it forms the basis of good results.
- .onnx and .pt are original models, FP32, convenient for training and tuning.
- .hbm, .trt, .engine and .bin are quantized models, INT8, suitable for inference on devices with low computing power.
- Conclusion: do not deploy or store .onnx models in vehicles; it is dangerous. Quantized models like .trt can be directly used for inference, and model structure analysis is also possible.
[Figure: .onnx vs .trt/.plan]

Analysis and Reconstruction of Model Files (TensorRT)
- +0: the first 4 bytes are the file magic, "ptrt" or "ftrt".
- +8: serialized version number, 0xd5, 0xcd or 0xe8.
- +0x10: model data size.
- +0x18: serialized data. TRT defines multiple tags, decoded with hardcoding.
- Reverse engineering on libnvinfer.so.8 using Frida hooks.
[Figure: Bevnet.onnx]
- Compile the LeNet model using TensorRT and parse it with our script. Compared to the original model, the structure is similar, with some layers merged and optimized.
- Parse the acquired model: multiple tasks and output shapes.

Analysis and Reconstruction of Model Files (Horizon model.hbm)
- Reverse engineer the hxxx-disas and hxxx-sim processes.
- The first line is the magic number; X2A indicates that the following model instructions are for X2A. Other instruction sets: X2, B25, etc. (X2A: BERNOULLI2; X2: BERNOULLI; B25: BAYES.)
- The offset table starts at 0xB8, with one entry for each model, each entry occupying 8 bytes.
- Use Frida for reverse engineering. detection_segment_0 contains the instruction information. Starting at 0x472E0, each instruction is 8 bytes, such as some convolution operations, which are accelerated in the BPU.

Demo: A Toy Car Utilizing An Automotive-grade AI Recognition Model
A $50 miniature car with an NPU. We extracted a set of models from the ADAS controller and deployed them on the miniature car. Now it is worth $500.
About the TC3xx MCU
- TriCore TC3xx or RH850. Almost all controllers contain the TC397 and TC399: in the ADAS, gateway, T-Box, IVI, VCU and other controllers.
- Why? It supports ASIL-D safety requirements, so it can send CAN signals. Lockstep cores, ECC protection for instructions and data. Ethernet, FlexRay, CAN, CAN-FD, LIN, SPI.
- In the ADAS, the MCU TC397 handles steer-by-wire, ultrasonic radar, fault diagnosis, power management, CAN/FlexRay arbitration and the CAN transceiver.

TC397 Firmware Analysis
- Many systems contain MCU firmware files, even with .elf symbol files.
- Ghidra can perform reverse analysis!
- MCU firmware is readable! Only a few automakers set read protection, typically protecting only a few blocks.
- Every ADAS circuit board has DAP read pins.
- We specifically designed a core board reader: remove the MCU, solder it onto the reader, and perform firmware reading, debugging, and signal analysis.

Reverse Engineering of TC397 Firmware
- Ghidra can analyze TriCore hex firmware.
- We analyze MCU firmware primarily to understand the CAN control logic better, because the SoC cannot directly send CAN.
- Identify key functions in the MCU to confirm the corresponding vehicle control interfaces in the SoC.
- Since all controllers have the TC397 MCU, this is a very good research direction: analyze the security of the basic modules in AUTOSAR (especially the network modules); examine TriCore's security mechanisms (such as encryption and protection) and whether they can be bypassed.
[Figure: UDP receive function in Ghidra.]

How to Control

Ultimate Goal: Achieving Vehicle Control
Achieving vehicle control is the ultimate goal in researching ADAS controllers. We need to:
- Understand the hardware architecture, workflow, and security risks of ADAS controllers.
- Understand the principles of vehicle control and control signals.
- Learn how to achieve complete remote vehicle control, including gaining access to the vehicle network and ADAS device permissions.
Note: due to the significant impact of the related vulnerabilities, we will not demonstrate vehicle control in this talk. The aim is mainly to popularize knowledge and security risks related to ADAS controllers.

Wire-controlled Chassis Technology
[Figure: GW, ADAS, VCU, ECU1, T-Box, IVI, ECU2, driver, ADAS ECU.]

How to Control a Vehicle
Control the car's throttle, steering, and brakes through electronic signals (CAN). How to control the vehicle:
- Directly control the ECU (very difficult, as the ECU has no operating system and no attack entry points).
- Directly control the assisted driving module, gateway and VCU (challenging, as most lack an operating system and an ETH network interface).
- Control the autonomous driving domain controller.

How to Control a Vehicle - Controlling the Gateway
- Some vehicles with autonomous driving features have a complex gateway module: an onboard CPU with a full Linux system and multiple network ports. Functions include CAN signal control, DoIP diagnostic services, OTA services, and an Ethernet switch.
- Gaining shell access to the gateway allows full control over the vehicle.
- Limitations: advanced gateways like these are rare, and controlling the vehicle requires detailed analysis of low-level CAN messages.

How to Control a Vehicle - Controlling the Assisted Driving Module
- Early assisted driving cars, such as those with lane-keeping functions, use the Mobileye Q4M chip.
- Although steering can be controlled via electronic signals, the limitations include: only having a CAN interface; a simple operating system on an FPGA, without networking capabilities.
- These factors make it impossible to access assisted driving devices over the network, exploit vulnerabilities, and gain device permissions. Unable to control the vehicle.

How to Control a Vehicle - Controlling the ADAS
- A complete computer (usually running Linux) with network connectivity.
- Various interfaces, including camera, network, and debugging interfaces.
- AI inference capabilities with substantial computational power.
- Connected to the powertrain CAN and chassis CAN, it can control the vehicle's throttle, brakes, and steering wheel.
- How can one achieve vehicle control? First, gain control of the ADAS. Invoke the relevant APIs. Trigger the MCU to send control CAN signals.

[Figure: the in-vehicle network diagram from the ADAS Internal Structure section again, highlighting the path T-Box (4/5G module, Internet) -> Ethernet switch -> ADAS (SoC Orin-X, Linux/QNX, perception and control) -> MCU TC397 -> Chassis/Powertrain CAN -> VCU and ECUs.]
- The T-Box module is the sole remote attack entry point and contains many vulnerabilities.
- Controlling the gateway can manage the vehicle, but some gateways lack a Linux system and only have an MCU; analyzing the underlying CAN signals is challenging.
- Gain network access through T-Box vulnerabilities, control ADAS devices, then use the upper-level API to control the vehicle, which is easy and universal.

The Way to Control the Vehicle
- Dismantle and analyze the entire vehicle, or the ADAS and T-Box components.
- Identify T-Box vulnerabilities to access the ADAS network.
- Acquire an ADAS shell.
- Analyze ADAS listening processes to detect vulnerabilities.
- Analyze the vehicle control processes.
- Analyze the MCU firmware.
- Locate the control API / IPC topic / send SPI / send TCP or UDP to enable the MCU to send control CAN.
- Utilize remote exploits via a fake 2G base station / private APN / hacked femtocell / IPv6. We discovered a command injection vulnerability in a 4G baseband module, a simple vulnerability, fixed years ago. Typically, ADAS devices do not have firewalls set up.

[Figure: USRP Mini / Raspberry Pi running YateBTS -> T-Box / 4G module (vulnerability, get shell, access the network; downgrade to 2G, no auth needed, GPRS) -> switch (access IP 10.1.2.3) -> ADAS (vulnerability, get shell, send control APIs) -> gateway (send control CAN data).]
Other ways:
- IPv6 -> IVI -> ADAS
- WiFi -> IVI -> ADAS
- IVI (4/5G on the IVI board) -> ADAS
- T-Box -> gateway Linux system, get shell
- T-Box -> ADAS -> flash MCU firmware
- Server web -> OTA services -> deploy signed upgrade packages

Summary
- ADAS controllers can control vehicles, so their security needs to be enhanced. Our research shows that most ADAS controllers have poor security.
- To automakers: disk encryption, model protection, disable services like SSH, secure listening processes, enable firewalls, MCU firmware read protection, enhance T-Box entry protection.
- To security researchers: master new tools and concepts, such as dumping UFS storage, debugging and analyzing MCUs, and using vehicle Ethernet and CAN-FD devices; research adversarial modeling using real vehicle models; security analysis of MCUs like the TC397; security analysis of Nvidia DriveOS, including TrustZone, Secure Boot, Disk Encryption, Secure Storage, and firmware flashing bypass after FUSE blow.
86、like TC397.Security analysis of MCUs like TC397.Security analysis of Nvidia Security analysis of Nvidia DriveOSDriveOS,including,including TrustZoneTrustZone,Secure Boot,Disk Encryption,Secure,Secure Boot,Disk Encryption,Secure Storage,and firmware flashing bypass after FUSE blow.Storage,and firmware flashing bypass after FUSE blow.