⚠️Cyber Terror on Wheels: Remotely Hijacking 600+ Indian Automobiles
This writeup discusses CVE-2023-41442, a critical vulnerability that allows an attacker to track over 600+ automobiles as well as remotely controlling them, endangering the safety of the rider.
Electric Vehicles in India, and more
According to the report titled "Inside Indian consumers’ embrace of electric two-wheelers" report by McKinsey, the prospects for electric two-wheelers, including motorcycles and scooters, are promising. Given their widespread availability and cost-effectiveness, these vehicles have played a significant role in India's transportation landscape for a long time, constituting over 70% of all vehicles. Furthermore, consumers are increasingly inclined towards embracing electric alternatives: it is anticipated that electric two-wheelers will make up a substantial portion, ranging from 60% to 70%, of new vehicle sales in India by 2030. What's more, consumers are not only willing to acquire more electric two-wheelers but are also changing their purchasing habits by adopting a more comprehensive shopping experience across various channels.
Background
The initial discovery of CVE-2023-22906 sparked my interest in the Internet of Things, specifically those that were Made in India. Upon searching Shodan.io for protocols often used by IoT devices, several servers were found as shown in the image below.
Among the multitude of servers, one in particular piqued my interest. It contained references to CAN and various other subjects, including Diagnostics, suggesting a connection to the automotive industry. This piqued my curiosity because CAN is a message-based protocol specifically designed to facilitate communication among the Electronic Control Units (ECUs) commonly found in modern automobiles.
The keyword "CAN" was a tip towards mobility IoT devices which could have potential for cyber physical impacts, which motivated me to conduct a more thorough investigation.
Affected Vendor
Upon analyzing the data and traffic from the server, it was discovered that the affected vendor is Tor.AI.
Tor.AI provides end-to-end Industrial IoT (IIoT) solutions that help businesses improve their operations, reduce costs, and increase productivity. Their solutions include edge gateways, platform, application, analytics, and supporting services.
Tor.AI's solutions are used in a variety of industries, including manufacturing, retail, mining and contracting, warehouse and logistics, foundries, construction, chiller, genset, and compressor. Although, this focuses on the Tor Loco Gateway, which is designed for heavy equipment fleet management. It can track the location, speed, and fuel consumption of heavy equipment, as well as provide alerts for safety and maintenance issues.
The website indicated that their solution was deployed in several companies as shown below, one of which is an Indian Government-owned aerospace and defense electronics company, followed by large multinational companies.
C.I.A. Triad and a crash course on automotive security
C.I.A. Triad
Modern cars have evolved into complex computers on wheels. They are equipped with advanced electronic control systems, sensors, and software that manage everything from engine performance and safety features to entertainment and connectivity. These systems make vehicles smarter, more efficient, and more connected than ever before.
As a result, the automotive industry is investing heavily in cybersecurity measures to protect vehicles from cyberattacks, ensuring that the data and systems within these "computers on wheels" remain secure.
The CIA triad is a foundational concept in information security and cybersecurity that consists of three core principles, which are essential for safeguarding information and data:
Confidentiality: This principle ensures that information is only accessible to those who have the proper authorization or permission to view it. Confidentiality involves protecting sensitive data from unauthorized access, disclosure, or exposure.
Integrity: The integrity principle focuses on the accuracy and reliability of data. It ensures that data remains unchanged and uncorrupted during storage, transmission, and processing. Any unauthorized or accidental modifications or alterations to data should be detected and prevented.
Availability: Availability ensures that information and resources are consistently accessible and operational for authorized users. This means that information should be available when needed, without disruptions caused by issues like downtime, system failures, or cyberattacks.
The CIA triad, a fundamental framework in information security, guides organizations in designing and implementing security measures to safeguard their data and systems. This triad emphasizes the principles of confidentiality, integrity, and availability. In the context of automotive cybersecurity, where cars have transformed into highly sophisticated computers on wheels, these principles are crucial. Safeguarding vehicle systems and data ensures that they remain confidential, integral, and available, thereby guaranteeing the safety and security of both the vehicle and its passengers.
Crash course on Automotive security
Automotive security is crucial in today's connected and autonomous vehicle landscape to protect against cyber threats that could compromise the safety and functionality of vehicles.
Some of the different attack vectors are as seen in the image below, through which an attacker could compromise a connected vehicle.
In order for functions like unlocking the doors, braking, steering, and many other vital operations to work seamlessly, the car must be able to communicate with multiple sensors and electronic control units (ECUs) via the Controller Area Network (CAN bus). This intricate network of interconnected components ensures that the vehicle operates safely, efficiently, and in harmony with the driver's inputs and the surrounding environment.
Some of the most well known attacks on connected cars are the Jeep Hack, Web Hackers vs. The Auto Industry and Ready, Fire Aim : Hacking State and Federal Law Enforcement Vehicles
CAN bus
The Controller Area Network (CAN) bus, often referred to as the "nervous system" of a vehicle, is a fundamental component in modern automotive technology. This analogy draws a parallel between the CAN bus and the human nervous system, emphasizing its crucial role in facilitating communication between various parts of a vehicle, similar to how the nervous system coordinates and transmits signals throughout the human body.
Quoting Dr. Tindell from Canis Labs, one major drawback to CAN is that it has no security features and is vulnerable to all kinds of attacks, many that would have been inconceivable when CAN was created in 1986. The CAN bus can be accessed either through physically accessing the wiring, or remotely through systems such as the TPMS, Infotainment, Telematics etc.
Some of the attacks as discussed in CANAttack: Assessing Vulnerabilities within Controller Area Network are as follows
Spoofing attack: Occurs when a compromised node sends CAN data frames with a changed (forged) ID field to masquerade as data or a command from a valid-source ECU node.
Injection attack: Direct or indirect access points to inject messages into the CAN bus, suppress valid communications (i.e., genuine messages with higher-priority IDs than injected ones are ignored), or penetrate an ECU to perform malicious actions.
Denial of Service (DoS) attack: CAN’s arbitration system allows higher-priority nodes to talk first. Because of the prioritization on the CAN bus, if a malicious node with the highest priority is always active, the other nodes cannot interact. This may be achieved by flooding the bus with smallest feasible arbitration ID (0x00)
The Vulnerability
The vulnerability in write-up focuses on the Tor IoT Gateway solution's MQTT backend, which has been repeatedly been found to have no authentication required, in order to subscribe and publish to it.
The vulnerability was first discovered and reported to CERT-In in May 2023, tracked as CERTIn-41501723, after which the vendor had reported that the issue had been mitigated. Unfortunately, the same issue persisted a few months later in August 2023, now with more automobiles that are subscribed to the MQTT broker.
Since then, the vulnerability has been patched, and is tracked by MITRE as CVE-2023-41442, which affects the following products and versions
Tor Loco Mini version 1.0 through 3.1
Tor Equip Gateway version 1.0
Tor Shield version 1.0
Tor Lenz version 0.0.1
The Common Weakness Enumeration's(CWE) that are associated with this are as follows
CWE-287 : Improper Authentication
CWE-345: Insufficient Verification of Data Authenticity
CWE-319 : Cleartext Transmission of Sensitive Information
CWE-306 : Missing Authentication for Critical Function
Logging Data
To further analyze what data was being sent, and to log all the data on the MQTT broker, a simple python script was written which saves all traffic as shown below.
When executed, the python script establishes a connection to the MQTT broker and saves all data being sent on it, an example is shown below.
Breaking down the payload
Using the following payload as an example
The topic indicates that it is for the Omega Seiki scooter, followed by the date, time, and mention of version 1.3.
Following this, the longitude and latitude 28.650064,77.200174 is within, after which there are multiple CAN ID's follow that are 8 bytes in length, and each frame is separated by a (^) caret sign.
Impact
Confidentiality
Upon connecting to the MQTT server, location data is made available which impacts the confidentiality of the end user's locations and potentially can be used to track an individual/group's movements over a period of time. A map of the logged locations is as shown below.
The plotted map of all logged locations may be seen here. Please note that all the data has been anonymized and only contains longitudes and latitudes that have been mapped.
Integrity
This section focuses on affecting the integrity of the end-user devices using the Tor IoT Gateway, by tampering the location and CAN data.
Modifying location data
In order to test for the ability to maliciously modify payloads, the longitude and latitudes were changed in the following.
Original Payload
Topic : Bgauss/MQTT_v1/Payload
Malicious Payload
Coordinates are set to 41.633331,-71.006882 ( University of Massachusetts Dartmouth)
Topic : Bgauss/MQTT_v1/Payload
Results
Upper window is the subscriber, and is listening to that topic, whereas the bottom one is the publisher, that sends the modified payload with the changed coordinates.
As one of the main features of the gateway is the ability to add geofencing, it could cause the vehicle's anti-theft feature to trigger, thereby causing a denial of service and disabling the vehicle.
CAN Injection
As discussed in the BlackHat presentation on Advanced CAN Injection techniques for Vehicle Networks, this section highlights the ability to remotely inject CAN frames to any/all connected vehicles.
As shown below, the Gateway lists Remote Immobilization as a feature, which is done through CAN.
As the entire attack and research was conducted remotely, a target vehicle that had been at a same location for a significant time during the early hours had been selected to ensure there was no utilization of the vehicle itself.
By using the DoS attack mentioned in the previous section, where flooding the bus with 0's, a crafted MQTT payload was sent in order to test for CAN Injection.
It was noticed that the vehicle stopped sending CAN/location data to the MQTT server for some time, indicating that the vehicle went offline before connecting back again, hence proving that CAN injection is possible.
Conclusion
Given the remote location of the target vehicle and the limited access, it was evident that attempting to reverse engineer the CAN messages through physical access would have necessitated the time-consuming process of locating a physical target, gaining possession of the vehicle, and then proceeding with the reverse engineering. However, considering the gravity of the vulnerability and the substantial risks it posed, it was paramount to promptly report it to the concerned authority(CERT-In), even though the option of obtaining physical access might have been feasible but would have taken some time as all vehicles were located in India.
C-DOT (Centre for Development of Telematics) and the Telecommunication Engineering Centre (TEC), both integral components of the Ministry of Communications in the Government of India, have made substantial contributions to the domain of telecommunications and telematics. Their focus on shaping and regulating the burgeoning IoT (Internet of Things) and M2M (Machine-to-Machine) communication sectors has culminated in the publication of comprehensive documents and recommendations such as this. These resources serve as indispensable guidelines for the secure development of IoT devices and M2M systems.
Covering a diverse array of concerns, these recommendations encompass stringent security standards, spectrum management to ensure seamless connectivity, promotion of interoperability between devices, robust privacy and data protection measures, and the definition of network architectures and protocols geared toward the pillars of security and reliability.
By adhering to the guidance provided by these organizations, the majority of vulnerabilities and risks inherent in IoT can be effectively mitigated by. This collaborative effort involving industry stakeholders, governmental bodies, and international partners not only establishes a robust regulatory framework but also fosters best practices that are instrumental in ensuring the secure and dependable implementation of IoT and M2M technologies, both in India and on a global scale. Lastly, C-DoT provides the C-DoT Common Service Platform (CCSP) which is based on the one M2M standard which may be used by several IoT vendors to provide reliable and secure services.
Acknowledgements
I am deeply grateful to Block Harbor for their invaluable guidance, and I want to extend my heartfelt appreciation to all those who have supported me throughout my journey, with a special emphasis on my esteemed professors and mentors
Last updated