#BHAS BlackHatEvents

Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet
Mikhail Evdokimov, Radu Motspan

Agenda
1. Introduction
2. Testbench and anti-theft
3. Bluetooth RCE
4. Persistence and data exfiltration
5. CAN communication
6. Gateway filtering
7. Leaf-specific UDS commands
8. Vulnerability disclosure

Introduction

Who Are We?
Radu Motspan (_moradek_): Reverse-Engineering, Vulnerability Research, Exploit Development
Polina Smirnova (moe_hw): Reverse-Engineering, Vulnerability Research, Hardware Engineering
Mikhail Evdokimov (konatabrk): Reverse-Engineering, Vulnerability Research, Exploit Development
... and our teammates

Target: Nissan Leaf ZE1
Nissan Leaf 2nd Gen, produced in 2020
Gateway Unit: 284U15SN0A
  CAN message filtering
Telematic Unit: 282755SN0E
  Cellular communication
Infotainment Unit: 259155SR0B
  WLAN (client mode only)
  Bluetooth (phonebook/calls)
  USB (updates/communication)
  Apple CarPlay / Android Auto
  Navigation (maps and GPS)

Testbench
Bought several units from eBay
Component mutual authentication is enabled
Went to the closest auto junkyard in Budapest
IVI, Gateway, BCM, IC, wiring harness
The result is a working testbench

Anti-Theft: General Information
Anti-theft protection is used to prevent theft of the IVI, or unauthorized access to the vehicle's systems
Locking mechanisms:
  Firmware authentication
  VIN encoding
Disabled if a mismatch is detected:
  Functionality reduction
  Disturbance during usage

Anti-Theft: Nissan IVI Logic
When the IVI is switched on, the anti-theft challenge must be solved
The IVI communicates with a specific ECU over the CAN bus
Error GREEN: no response received
Error RED: incorrect response received
If successful, the anti-theft check is passed

CAN-ID   Message
0x71e    IVI → ECU (seed):     14 03 f0 5b b5 17 ff ff
0x72e    IVI ← ECU (solution): 14 c8 26 e3 81
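The challenge-response exchange above, simulated end to end, as an added example that is not code from the talk or from Nissan. The CAN IDs (0x71e, 0x72e) and the seed frame bytes are the ones on the slide; everything else is an assumption: the real seed-to-solution function is not on the page, so an HMAC-SHA256 over the seed under a made-up key stands in for it, the leading 0x14 byte is treated as a message header that the ECU echoes back, and the answer is truncated to four bytes. What the example does show faithfully is the IVI's decision logic: a missing response yields Error GREEN, a response that does not match yields Error RED, and a matching one passes.

```python
"""Simulated Nissan IVI anti-theft challenge over CAN (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# CAN IDs from the slide: the IVI sends its seed on 0x71e, the ECU answers on 0x72e.
IVI_SEED_ID = 0x71E
ECU_SOLUTION_ID = 0x72E

# Constructed from the slide's seed row ("14 03 f0 5b b5 17 ff ff").
SEED_FRAME_TEXT = "0x71e: 14 03 f0 5b b5 17 ff ff"

# ASSUMPTION: the real seed-to-solution function is not on the page. An HMAC
# under a made-up key stands in for it; only the IVI decision logic
# (PASS / ERROR GREEN / ERROR RED) is what the slide actually describes.
HYPOTHETICAL_SECRET = b"not-the-real-nissan-key"


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes


def parse_frame(line: str) -> CanFrame:
    """Parse a row like '0x71e: 14 03 f0 5b b5 17 ff ff' into a CanFrame."""
    id_part, data_part = line.split(":", 1)
    data = bytes.fromhex(data_part.replace(" ", ""))
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return CanFrame(int(id_part.strip(), 16), data)


def solve_challenge(seed_frame: CanFrame, secret: bytes) -> CanFrame:
    """ECU side: derive the answer to a seed frame (hypothetical derivation).

    The slide's solution frame also starts with 0x14, so the first byte is
    treated here as a message header and echoed back (assumption).
    """
    header, seed = seed_frame.data[:1], seed_frame.data[1:]
    mac = hmac.new(secret, seed, hashlib.sha256).digest()[:4]  # 4-byte answer: assumption
    return CanFrame(ECU_SOLUTION_ID, header + mac)


def ecu_respond(frame: CanFrame, secret: bytes) -> Optional[CanFrame]:
    """ECU side: answer only seed frames on 0x71e; ignore everything else."""
    if frame.arb_id != IVI_SEED_ID:
        return None
    return solve_challenge(frame, secret)


def ivi_check(seed_frame: CanFrame, response: Optional[CanFrame], secret: bytes) -> str:
    """IVI side: the three outcomes the slide lists."""
    if response is None or response.arb_id != ECU_SOLUTION_ID:
        return "ERROR GREEN"          # no (matching) response received
    expected = solve_challenge(seed_frame, secret).data
    if hmac.compare_digest(response.data, expected):
        return "PASS"                 # anti-theft passed
    return "ERROR RED"                # a response arrived, but it is wrong


def run_exchange(ecu_secret: Optional[bytes], ivi_secret: bytes = HYPOTHETICAL_SECRET) -> str:
    """Drive one challenge: the IVI emits its seed, the ECU (if present) answers."""
    seed = parse_frame(SEED_FRAME_TEXT)
    response = None if ecu_secret is None else ecu_respond(seed, ecu_secret)
    return ivi_check(seed, response, ivi_secret)


if __name__ == "__main__":
    print("matching ECU:       ", run_exchange(HYPOTHETICAL_SECRET))
    print("no ECU on the bus:  ", run_exchange(None))
    print("ECU from another car:", run_exchange(b"some-other-vin-bound-key"))
```

The three `run_exchange` calls correspond to the three slide outcomes: an IVI paired with its own ECU passes, an IVI powered on a bench with nothing answering on 0x72e lands in Error GREEN, and an IVI wired to a unit that answers with a different key lands in Error RED. This is exactly why a bench built only from eBay units would not boot cleanly until the matching components were present.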