Hacking the Infotainment system, WIP thread (it runs Linux)

Dumping some of my notes on this:

First - the .kwi update files that you can download from Toyota have proven a bit useful towards identifying what these devices run (past just AGL). The format is proprietary, but `binwalk` and `strings` still managed to spit out some interesting findings.

I think the best non-physical weakness would probably be in the Bluetooth implementation, as Bluetooth itself is a mess. From investigating the strings of some kwi file, I found that they use the BlueSDK Bluetooth Stack. Sadly most Bluetooth vulnerabilities in Linux are for BlueZ, which will be ineffective here.

However, I did find this vulnerability that enables arbitrary code execution with BlueSDK: CVE-2018-20378 (also known as Hell2CAP). Sadly, the author doesn't give a full proof of concept, so I think the next step is to fully understand the vulnerability, and craft my own.

Even though BlueSDK has since patched it, I do not trust that Toyota or whomever is responsible for updating head unit firmware would ever get around to integrating the patch.

If Hell2CAP or another vulnerability can get code execution on the head unit, escalating to root shouldn't be too difficult due to CVE-2021-33909.

I'd post relevant links here, but of course the forum won't let me. Mods pls.

 

you need more posts

 

Great find! To add to that, I see some South-Park-fan hackers figured out how to exploit Hell2CAP:
Set Low MTU -> Integer Underflow -> Buffer Overflow = Profit

Youtube - #HITBGSEC COMMSEC: Modern Automotive Attack Surfaces - Lior Yaari and Yonatan Migdal
PDF - Cymotive: The Future Is Here -Modern Attack SurfaceOn Automotive