2022 Tesla Security Vulnerabilities.docx

Uploaded by: 夺命阿水  Document ID: 1340298  Uploaded: 2024-06-06  Format: DOCX  Pages: 71  Size: 713.97KB

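Tesla Security Vulnerabilities
Tencent KEEN Security Lab

Background of Connected-Vehicle Security Research

Intelligent connected vehicles will become the core focus of the automotive industry
- "Connected" cars: cars with Internet access, with data synchronization between the in-vehicle system and the vehicle cloud, and with user-facing Internet access services. Large-scale market launch: 2017-2020.
- "Intelligent" cars: cars with autonomous or driverless functions, which completely change the occupants' experience and drastically change the in-car user scenarios. Large-scale market launch: 2020-2025.

Industry-leading brands
- Volvo: the benchmark in the "intelligent" car field. It achieved autonomous driving in 2016 and plans mass production of fully driverless cars in 2020.
- Tesla: the benchmark in the "connected" car field. It implemented driver-assistance functions in production vehicles in 2016.

The introduction of many new technologies and connected functions brings information security opportunities
- Environment perception layer: lidar, millimeter-wave radar, cameras, sensors, infrared ranging, satellite navigation, roadside systems, etc.
- Information fusion layer: pedestrian and obstacle recognition, vehicle recognition, scene reconstruction, precise positioning, etc.
- Data acquisition layer
- Intelligent decision layer: path planning, human-machine co-driving, etc.
- Control execution layer: autonomous driving, driverless driving, trajectory tracking, steering and braking, coupled-dynamics full-state parameter identification, etc.
- Safety system: functional safety (Functional Safety) and information security (Cyber Security)
- Intelligent control system architecture: communication architecture and control architecture
- Vehicle integration and calibration: vehicle hardware integration (chassis, body, motor, battery system, etc.) and intelligent control system integration
- Testing: module performance testing (test mechanisms) and vehicle functional testing (test methods)
Source: internal report of the Shanghai municipal government on automotive industry planning and development.

Market Prospects for Connected-Vehicle Security

[Figure: Exhibit 7, "Connected car revenue potential, by region, 2017-22" (Western E.U., United States, Japan).]

"While those types of vehicles are only becoming more prominent - Reuters shares data from market researcher IDATE showing that the number of connected cars on the road has risen 57 percent annually since 2013 and that the total number is expected to reach 420 million by 2018 - keeping them safe from hackers is becoming a big business. 'We view this as a potential $10 billion market opportunity over the next five years,' Reuters quotes Daniel Ives, an analyst with FBR Capital Markets in New York, as stating."
"The Reuters story adds that Harman International Industries, a maker of connected car systems, bought Israeli-founded cyber defense startup TowerSec for the purpose of protecting its products and that global tech companies, like IBM and CISCO, are also employing their teams in Israel to work on the security of connected cars." (2016/1/12)

International and domestic security industry: connected-car security research has become a new hot topic
- July 2015: hackers were able to remotely compromise the Chrysler Jeep Cherokee and remotely control its driving and body functions. The attack involved multiple security vulnerabilities in the TSP module, the Internet communication module and the head unit module. Impact: Chrysler recalled 1.4 million Cherokees in North America.
- July 2015: hackers hijacked the GM OnStar mobile app and could remotely open and close the doors, start the engine and sound the horn. The attack mainly involved security vulnerabilities in the mobile app module and the TSP module. Impact: GM urgently fixed the vulnerabilities.
- February 2016: hackers hijacked the Nissan EV LEAF mobile app and could remotely switch the air conditioning on and off, flash the lights, and so on. The attack mainly involved security vulnerabilities in the mobile app module and the TSP module. Impact: Nissan temporarily shut down the LEAF cloud service.

Automotive Security Basics and Tools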

References
- Car Hacker's Handbook: http://opengarages.org/handbook/
- Exposing the Vulnerabilities and Risks of High Tech Vehicles: http://icitech.org/wp-content/uploads/2015/09/ICIT-Brief_Whos-Behind-the-Wheel_Car-Hacking2.pdf
- A Survey of Remote Automotive Attack Surfaces
- Adventures in Automotive Networks and Control Units

Automotive security testing tools: Nmap, Wireshark, CANalyzer, Binwalk, IDA

[Screenshot, Nmap: a SYN scan of port 80 across a /24 subnet run with "sudo nmap -Pn -sS ... -p80" (Nmap 6.40). Each host shown is up and reports 80/tcp as either filtered or closed.]

[Screenshot, Wireshark: a packet capture of UDP traffic from 192.168.90.100 and 192.168.90.102 to the multicast address 224.0.0.26 and the broadcast address 192.168.90.255. The selected packet goes from 192.168.90.102 to 192.168.90.255, UDP source port 20100, destination port 20101, with 12 bytes of data.]

[Screenshot, CAN tool: a trace of SEND and RECV data frames, sent on ID 0x0000064c and received on ID 0x0000065c.]

[Screenshot, Binwalk: sample output identifying a CFE bootloader, a Broadcom 96345 firmware header, a Squashfs filesystem and a Sercomm firmware signature (hardware ID DG834GT), together with a hex comparison of firmware1.bin, firmware2.bin and firmware3.bin around their "Linux Kernel Image" strings.]

[Screenshot, IDA: the functions window and pseudocode view. Visible function names include door-handle and UDS download routines, ComputeKey routines for Tesla, Baolong, Bitron, Bosch, Continental, Delphi, Hella, Kostal, Panasonic, Pektron and Valeo, node routines for computing the security key and requesting security access, and UDS generateKey functions. The pseudocode shown operates on serverSeed, plainText and cipherText.]

Tesla System Architecture
- IC: Instrument Cluster, Tegra 3, Linux, 192.168.90.101
- CID: Center Information Display, Tegra 4, Linux, 192.168.90.100
- Gateway: Vehicle Gateway, FreeRTOS, 192.168.90.102

[Diagram: in-vehicle network. The ETH channel links the IC, CID and DIAG nodes, with the addresses 192.168.90.100, 192.168.90.101 and 192.168.90.102.]

IV. Tesla Gateway Security Research
- The automotive gateway is an important part of the vehicle's electrical network. It forwards data between the multiple in-vehicle CAN buses.
- Tesla introduced Ethernet into the in-vehicle bus, so the Tesla gateway is also responsible for filtering and forwarding data between Ethernet and the CAN buses.
- Typical cases:
  - Jeep Cherokee (NEC V850)
  - Tesla (Freescale MPC5668G)
  - Domestic automakers (NEC 78K0R)

Tesla Vehicle Gateway

Forum exchange shown on the slide (text cut off in the screenshot is marked [...]):
apacheguy said: "The MCU never sleeps. It is always on for logging. That's why the center screen immediately com[...] seconds to wake up. 3G, Bluetooth, and Wifi are clearly disabled while asleep, but I've never seen i[...] I just figured that the LTE radio might be faster to wake up than the older radio."
Ingineer (Electrical Engineer, joined Aug 9, 2012), Aug 21, 2015: "This is not true. The MCU has 2 separate and distinct systems in its housing; the [...] performs the logging function, and it runs FreeRTOS on a Freescale MPC5668G. [...] while the Gateway can stay awake. [...]"

MPC5668G: http://www.nxp.com/products/microcontrollers-and-processors/power-architecture-processors/mpc5xxx-5xxx-32-bit-mcus/mpc56xx-mcus/ultra-reliable-mpc5668g-mcu-for-automotive-industrial-gateway-applications:MPC5668G

Hardware and Firmware Characteristics

[Screenshot: terminal session in /workspace/tesla/SD_4GB listing the contents of the 4 GB SD card (including booted.img, release.tgz, update.log, modinfo.log and udsdebug.log), then running "mkdir release" and "tar xf release.tgz -C release/". gzip reports "decompression OK, trailing garbage ignored" and tar reports "Child returned status 2". The extracted release/ directory holds a manifest, log.cfg and a set of .hex firmware images such as ic.hex, dsp.hex, esp.hex, dcdc.hex and pdm.hex.]

System Memory Layout

Start        End          Region name   Tesla specifics
0x00000000   0x00020000   FLASH         Bootloader and Internal Files
0x00020000   0x001FFFFF   FLASH2        CODE Region, DATA Region
0x40000000   0x400FFFFF   SRAM          Updater System when in Programming Mode

[Screenshot: IDA "Program Segmentation" window listing the segments FLASH, FLASH2, BAM, RAM, AIPS_A and AIPS_B with their start and end addresses and permissions.]

Register Memory Layout

[Table: "Table A-1. Module Base Addresses (continued)", starting at I2C_A (0xFFF8_8000) and covering I2C_B, DSPI_A and DSPI_B, eSCI_A to eSCI_H, FlexCAN_A to FlexCAN_F, CTU_A, DMA Multiplexer, PIT, eMIOS, SIU, CRP, FMPLL, PFlash Configuration and BAM.]

[Screenshot: IDA Names window with the FlexCAN registers labeled, for example CANA_MCR at FFFC0000, CANA_ECR at FFFC001C, CANA_ESR at FFFC0020 and CANA_IFLAG1 at FFFC0030, followed by the corresponding MCR, ECR, IFLAG1 and IMASK1 registers of CANB to CANF.]

"Tmr Svc" is the key to locating FreeRTOS.

[Screenshot: FreeRTOS source for xTimerCreateTimerTask(). The function calls prvCheckForValidListAndQueue() and, if xTimerQueue is not NULL, creates the timer service task with xTaskCreate(prvTimerTask, "Tmr Svc", ...), which is where the "Tmr Svc" string appears in the firmware.]

- Tasks: code together with its execution state makes up a task. FreeRTOS itself provides the task management and scheduling module.
- Queues: queues are the message-passing mechanism in FreeRTOS, covering messaging between tasks as well as between tasks and interrupts.
- etc.

http://www.freertos.org
