
Pwning My Friend's New Car: Digital Cockpit sKiddie Rooting


I am an experienced Vulnerability Researcher and Security Architect with 16+ years of experience in various verticals and horizontals, be it consumer electronics, semiconductors, automotive or other. I started as a software engineer on low-level embedded devices, from writing applications to kernel drivers on various operating systems, and then moved on to my real calling, i.e. hacking. I love to stick to the older golden days of game hacking, BBS, shareware, phreaking, Phrack, the virus era, metal music, cheats and many more such cool things from the underground. I wear many hats from time to time as necessary, but I also love to help people and organizations deal with the core cybersecurity issues rather than hand them a checklist with a presentation. Opinions and posts on my site are purely my own and do not reflect my work.

I would like to thank my friend for letting me run a few experiments on his newly bought SUV, which by the way is very awesome to drive and one of the best cars here.

With the limited time I had with this vehicle, I just wanted to check a bunch of things and try to pwn the infotainment quick and dirty.

The infotainment in this vehicle is hypervisor based and supports a dual OS setup: Android for media, and Linux or QNX for safety functions. Our obvious target was to start with the media OS, the one that provides the HMI and user functions.

I did my reconnaissance for this vehicle prior to getting access to it:

It has WiFi, so that was an obvious target for me.

This vehicle runs an access point (SSID: OEMXXXXrandomnum) with a default password of '0000000000' on every vehicle as released into the field, which makes it straightforward for anyone to connect to the WiFi AP using these default credentials. Most users don't bother to change the WiFi password, as a randomly generated password is hard to remember and difficult to share with friends.

As seen below:

The WiFi password can also be randomly generated, but most users prefer to connect using the default password. A simple script with war-driving equipment could be developed to autopwn vehicles that still have the default credentials; of course you would have to stalk them \m/

Identifying the hotspot AP IP:

As I was using my MacBook, the simple command below shows the route for the WiFi interface, which points us to the IP of the AP.

#route -n get default |grep gateway
192.168.20.229 (AP IP)

Apparently the AP IP keeps changing if you reconnect over WiFi. Weird, but OK!

Once we are on the hotspot, a simple nmap scan shows a bunch of available ports. Cheap enough: telnet is open.

Let's try:

nc 192.168.20.229 23 (or telnet 192.168.20.229)

This drops us directly into a shell on the device: not even an anonymous prompt for credentials.

Once we are rooted, we can do almost anything, like uploading our own scripts/code, etc.

Apparently this vehicle also has internet connectivity through some telematics device integrated into the digital cockpit. If that is the case, then all the other vehicles on the same subnet must be reachable unless the ISP has provided M2M isolation on that subnet, which apparently was not the case.

Rooting other vehicles:

This vehicle builds a tun tunnel and so is part of some OEM intranet via a VPN. Following this thought, we can simply netcat or telnet into all the other IP addresses in the same subnet. This worked, and I won't be sharing any details on it, but unfortunately I could not capture any screenshots due to lack of time, as my friend wanted to go out.

Update: 5th August 2023

The vehicle vendor fixed this issue by deploying a firewall, at least. Other than telnet, only ports 7000 (CarPlay RTSP), 8080 (BYOD server) and 53 (dnsmasq 2.51) were found to be running, and nothing else across the entire port range. Bloody hell \m/ – good for the OEM and its vendor that they were able to patch this trivial vulnerability (maybe someone told them). It is, however, unclear whether they fixed the other vulnerability, reaching other vehicles in the subnet over tun. This could be validated if we got access via some exploit over dnsmasq or the RTSP protocol.
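As an added illustration, not code from the original post: a small Python audit that turns the exposure described above into a repeatable pre-release or fleet check. It parses nmap grepable (-oG) output, flags the factory-default hotspot PSK, flags any reachable telnet, and flags any port outside an allowlist that is assumed here from the three services seen after the fix; the scan lines are constructed samples, not the vehicle's real output.

```python
import re

# Policy assumed for this example (not from the OEM): telnet must never be
# reachable from the hotspot; after the vendor's firewall fix only DNS (53),
# CarPlay RTSP (7000) and the BYOD server (8080) were observed, so anything
# else reachable is treated as unexpected.
ALLOWED_TCP_PORTS = {53, 7000, 8080}
FORBIDDEN_TCP_PORTS = {23: "telnet (dropped straight into a shell, no credentials)"}
DEFAULT_PSK = "0000000000"  # factory default quoted in the post


def parse_open_ports(grepable_line: str) -> set:
    """Return the open TCP ports from one 'Host:' line of nmap -oG output.

    Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/.
    """
    m = re.search(r"Ports:\s*(.*)", grepable_line)
    if not m:
        return set()
    ports = set()
    for entry in m.group(1).split(", "):
        fields = entry.split("/")
        if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
            ports.add(int(fields[0]))
    return ports


def audit_hotspot(psk: str, open_ports: set) -> list:
    """Return a list of findings; an empty list means the hotspot matches policy."""
    findings = []
    # Assumed heuristic: the shipped default or any single repeated character is weak.
    if psk == DEFAULT_PSK or len(set(psk)) == 1:
        findings.append("hotspot PSK is the factory default or a single repeated character")
    for port, why in FORBIDDEN_TCP_PORTS.items():
        if port in open_ports:
            findings.append(f"tcp/{port} reachable from hotspot: {why}")
    for port in sorted(open_ports - ALLOWED_TCP_PORTS - set(FORBIDDEN_TCP_PORTS)):
        findings.append(f"tcp/{port} reachable from hotspot but not in the allowlist")
    return findings


# Constructed sample scans modelled on the post: before and after the firewall fix.
SCAN_BEFORE = ("Host: 192.168.20.229 ()\tPorts: 23/open/tcp//telnet///, "
               "53/open/tcp//domain//dnsmasq 2.51/, 7000/open/tcp//rtsp///, "
               "8080/open/tcp//http-proxy///")
SCAN_AFTER = ("Host: 192.168.20.229 ()\tPorts: 23/filtered/tcp//telnet///, "
              "53/open/tcp//domain//dnsmasq 2.51/, 7000/open/tcp//rtsp///, "
              "8080/open/tcp//http-proxy///")

if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        for finding in audit_hotspot(DEFAULT_PSK, parse_open_ports(scan)):
            print(f"[{label}] {finding}")
```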

Now I will try to conduct some more research on what else I can do. Till then, ciao!

Recommendation to OEMs/Tier 1s: start a goddamn bug bounty for this stuff, or make your systems accessible for some security research.

Hacking Tales From gh0stshell

Experiences of the past applied to today's CyberSecurity Context