
Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet (.pdf)

Uploaded by: 竿*** | ID: 981843 | 2025-11-29 | 118 pages | 6.04 MB

#BHAS BlackHatEvents

Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet
Mikhail Evdokimov, Radu Motspan

Agenda
1. Introduction
2. Testbench and anti-theft
3. Bluetooth RCE
4. Persistence and data exfiltration
5. CAN communication
6. Gateway filtering
7. Leaf-specific UDS commands
8. Vulnerability disclosure

Introduction

Who Are We?
- Radu Motspan (_moradek_): Reverse-Engineering, Vulnerability Research, Exploit Development
- Polina Smirnova (moe_hw): Reverse-Engineering, Vulnerability Research, Hardware Engineering
- Mikhail Evdokimov (konatabrk): Reverse-Engineering, Vulnerability Research, Exploit Development
- ... and our teammates

Target: Nissan Leaf ZE1
Nissan Leaf 2nd Gen, produced in 2020
- Gateway Unit: 284U15SN0A (CAN message filtering)
- Telematic Unit: 282755SN0E (cellular communication)
- Infotainment Unit: 259155SR0B (WLAN client mode only; Bluetooth for phonebook/calls; USB for updates/communication; Apple CarPlay/Android Auto; Navigation with maps and GPS)

Testbench
- Bought several units from eBay
- Component mutual authentication is enabled
- Went to the closest auto junkyard in Budapest: IVI, Gateway, BCM, IC, wiring harness
- The result is a working testbench

Anti-Theft: General Information
Anti-theft protection is used to prevent theft of the IVI, or unauthorized access to the vehicle's systems.
- Locking mechanisms: firmware authentication, VIN encoding
- Disable if a mismatch is detected: functionality reduction, disturbance during usage

Anti-Theft: Nissan IVI Logic
When the IVI is switched on, the anti-theft challenge must be solved. The IVI communicates with the specific ECU over the CAN bus.
- Error GREEN: no response received
- Error RED: incorrect response received
- If successful, the anti-theft check is passed

CAN-ID | Message
0x71e: IVI - ECU (seed) | 14 03 f0 5b b5 17 ff ff
0x72e: IVI - ECU (solution) | 14 c8 26 e3 81

Based on the content of "Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet", the key points of the full text are summarized as follows:
1. **Research target**: The second-generation Nissan Leaf produced in 2020, specifically its gateway unit, telematics unit and infotainment unit.
2. **Testbench**: Several vehicle units were purchased from eBay and related components obtained from a junkyard to build a testbench.
3. **Anti-theft system**: The anti-theft logic and CAN message structure were analyzed, and the anti-theft protection was successfully bypassed.
4. **Bluetooth remote code execution**: A stack overflow vulnerability was found in the Bluetooth HFP protocol, leading to remote code execution.
5. **Persistence and data exfiltration**: Persistence was achieved through an SSH server and a HAB vulnerability, and DNS requests were used for data exfiltration.
6. **CAN communication**: Legitimate interfaces and the RH850 firmware update mechanism were used to gain arbitrary access to the CAN bus.
7. **Attack summary**: Multiple vulnerabilities were identified, including CVE-2025-32056 through CVE-2025-32062 and PCA_NISSAN_009 through PCA_NISSAN_012.
8. **Disclosure timeline**: Communication with Nissan and Bosch began in August 2023, with public disclosure in March 2025.