Keen Security Lab
Mercedes-Benz MBUX Security Research Report

Contents

1 Introduction
2 Architecture Overview
  2.1 Hardware
    2.1.1 Head Unit
    2.1.2
    2.1.3 Electronic Ignition Switch
    2.1.4 Instrument Cluster
  2.2 Software
    2.2.1 Head Unit
    2.2.2 T-Box
  2.3 CAN Network Overview
3 Research Environment Setup
  3.1 Connecting ECUs
  3.2 Wake Up Test Bench
  3.3 Anti-Theft
4 Attack Surfaces Analysis
  4.1 Head Unit
    4.1.1 Attack Through Browser
    4.1.2 Wi-Fi
    4.1.3 Kernel
    4.1.4 Ports on MMB
    4.1.5 Bluetooth
    4.1.6 USB
    4.1.7 App
  4.2 T-Box
    4.2.1 Attack Through Wi-Fi Chip
    4.2.2 Attack Through GNSS
    4.2.3 CAN
    4.2.4 Baseband
    4.2.5 GSM Hijack
5 Compromise Head Unit
  5.1 Access to the Intranet of Head Unit
    5.1.1 Connect to Head Unit as T-Box
    5.1.2 Connect to MMB as CSB
  5.2 Remote Code Execution on Head Unit
    5.2.1 Implementation of HiQnet Protocol
    5.2.2 Vulnerabilities in HiQnet Protocol
    5.2.3 Exploit HiQnet Protocol Vulnerability
  5.3 Exploit the Browser
    5.3.1 QtWebEngine
    5.3.2 Exploit the QtWebEngine
  5.4 Local Privilege Escalation
    5.4.1 Kernel LPE with a perf Bug
    5.4.2 CVE-2017-6786, 6001
    5.4.3 Bypass Cgroups Restriction
6 Post Attack in Head Unit
  6.1 Anti-Theft Unlock
  6.2 Unlocking Vehicle Functions
  6.3 Engineering Mode
  6.4 Persistent Backdoor
  6.5 Display Screen Tampering
  6.6 RH850 Denial of Service
  6.7 Perform Vehicle Control Actions
7 Compromise T-Box
  7.1 Compromise Host from Wi-Fi Chip
  7.2 Trigger Memory Corruption from SH2A Chip
    7.2.1 Message Format between SH2A MCU and Host
    7.2.2 Out-of-bound Vulnerability in RemoteDiagnosis
8 Post Attack in T-Box
  8.1 Sending Arbitrary CAN Message from T-Box
    8.1.1 CAN Bus Message Transmit Logic
    8.1.2 Vulnerability in SH2A Firmware
    8.1.3 Transmit Arbitrary CAN Message to CAN Bus
  8.2
    8.2.1 Firmware Downgrade Vulnerabil