Overview

PoC for a vulnerability in a real car's vehicle infotainment system

This research was presented at the DEFCON31 Car Hacking Village; you can watch additional footage at the link below.

Video: DEFCON31_CarHackingVillage_Automotive-USB-Fuzzing

Description

This research shows that the vehicle infotainment system can be crashed via USB in production vehicles.

It has been tested on some production vehicles, but we believe it applies to any vehicle that accepts USB input and could have an impact there.

First, we used syzkaller, a well-known fuzzing tool.

syzkaller supports fuzzing the Linux kernel's subsystems; in addition, it can fuzz the USB stack.

The syzkaller document below describes how to do USB-based fuzzing with it: https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md

Next, we prepared the following steps to build a fuzzing environment with syzkaller:

  1. Choose hardware
  2. Set up a fuzzing test environment
  3. Run fuzzing test!

Choose hardware

While the documentation above recommends well-known hardware such as the Facedancer21, which can be programmed to emulate USB devices, that hardware is not readily available, so we used the Raspberry Pi instead, a board whose 'USB OTG' support we had already confirmed through testing on other hardware devices.

[Figure 1] Raspberry Pi

The Raspberry Pi board above provides USB OTG functionality on a port that also carries 5V power, so it can be connected to the target with a USB-C cable.

Set up a fuzzing test environment

To build the fuzzing environment, we used the official documentation of the syzkaller tool mentioned above. An additional tool called raw-gadget was used here.

raw-gadget is a kernel module that provides a low-level interface to the Linux USB gadget subsystem; through it, a user-space program can emulate physical or virtual USB devices.
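The device that raw-gadget emulates is only the sending side; what the target's USB host stack actually has to survive is parsing the descriptors that device returns, and that parsing is where USB fuzzers find most of their bugs. The following is an added example for this README, not code from the original repository or from syzkaller/raw-gadget: a bounds-checked walk over a USB configuration descriptor, run against three constructed blobs that show the classic inconsistencies (a zero bLength that would spin a naive loop, a wTotalLength larger than the buffer, and an endpoint descriptor shorter than its type requires). All sample bytes and the helper names are constructed for the example.

```python
"""Bounds-checked USB configuration descriptor walker (added example, constructed data)."""
import struct
from typing import List, Tuple

# Descriptor type codes from USB 2.0 spec chapter 9, and the minimum bLength for each.
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
MIN_LEN = {DT_CONFIG: 9, DT_INTERFACE: 9, DT_ENDPOINT: 7}


class DescriptorError(ValueError):
    """Raised for any descriptor that a robust host parser must reject."""


def walk_config(blob: bytes) -> List[Tuple[int, int]]:
    """Return [(bDescriptorType, bLength), ...] for each descriptor, or raise."""
    if len(blob) < 9:
        raise DescriptorError("buffer shorter than a configuration descriptor")
    b_len, b_type, w_total = struct.unpack_from("<BBH", blob, 0)
    if b_type != DT_CONFIG or b_len < 9:
        raise DescriptorError("first descriptor is not a valid configuration descriptor")
    # wTotalLength comes from the device: it is a claim, not a read bound.
    if w_total > len(blob):
        raise DescriptorError(f"wTotalLength {w_total} exceeds buffer {len(blob)}")
    end, off, out = w_total, 0, []
    while off < end:
        if end - off < 2:
            raise DescriptorError(f"trailing {end - off} byte(s) cannot hold a header")
        d_len, d_type = blob[off], blob[off + 1]
        # bLength < 2 cannot even cover its own header; bLength == 0 would never advance.
        if d_len < 2:
            raise DescriptorError(f"bLength {d_len} at offset {off}")
        if off + d_len > end:
            raise DescriptorError(f"descriptor at offset {off} overruns wTotalLength")
        if d_type in MIN_LEN and d_len < MIN_LEN[d_type]:
            raise DescriptorError(f"type {d_type:#x} at offset {off} is truncated")
        out.append((d_type, d_len))
        off += d_len
    return out


def check(blob: bytes) -> str:
    """Convenience wrapper: 'ok' or 'rejected: <reason>'."""
    try:
        walk_config(blob)
        return "ok"
    except DescriptorError as e:
        return f"rejected: {e}"


# --- constructed sample descriptors (not captured from any real device) ---
def config_header(total: int, num_ifaces: int = 1) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, total, num_ifaces, 1, 0, 0x80, 50)


# Interface: number 0, alt 0, 1 endpoint, vendor-specific class 0xFF, no strings.
IFACE = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0)
# Endpoint: 0x81 (IN), bulk, 64-byte max packet, bInterval 0.
EP_IN = struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81, 0x02, 64, 0)

GOOD = config_header(9 + 9 + 7) + IFACE + EP_IN
ZERO_LEN = config_header(9 + 9) + bytes([0]) + IFACE[1:]          # interface with bLength 0
OVERRUN = config_header(0x100) + IFACE                             # claims 256 bytes, has 18
TRUNC = config_header(9 + 9 + 4) + IFACE + bytes([4]) + EP_IN[1:4]  # endpoint with bLength 4

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("zero-length", ZERO_LEN),
                       ("overrun", OVERRUN), ("truncated", TRUNC)]:
        print(f"{name:12s} {check(blob)}")
```

The walker deliberately trusts nothing it reads from the blob: the buffer length bounds wTotalLength, wTotalLength bounds each descriptor, and every descriptor's own bLength is validated before it is used to advance. Those three checks cover the descriptor-level faults a fuzzed gadget can present.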

Run fuzzing!

Next, we’ll describe the general configuration of the fuzzing environment we’ve built, before going into the steps to start fuzzing.

The diagram below shows how syzkaller runs on the Raspberry Pi; the fuzzer takes its inputs from the reproduction code.

These inputs are sent by syzkaller to the target ECU (USB port).

[Figure 2] Fuzzing Overview

The reproduction code used here consists of the reproducers for 300+ known USB stack bugs found by syzkaller; the data was collected from the link below.

https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb

[Figure 3] Syzbot Reproduction
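When hundreds of reproducers are replayed against a target in sequence, the first question after a crash is which emulated device was on the bus when it happened. The block below is an added example for this README (not part of the original repository) that answers that from the target's kernel log: it tracks the most recently enumerated device per USB port from the standard "new ... USB device number N" and "New USB device found, idVendor=..., idProduct=..." lines, and attributes each crash marker (BUG:, Oops, general protection fault, kernel panic, WARNING:) to it. The dmesg lines, vendor/product IDs and the function name in the KASAN report are all constructed for the example; the log line formats are the ones the Linux USB core and kernel print.

```python
"""Attribute kernel crash reports to the last enumerated USB device (added example)."""
import re
from typing import Dict, List, Optional

TS = re.compile(r"^\[\s*[\d.]+\]\s*")  # leading "[   12.001234] " dmesg timestamp
NEW_DEV = re.compile(r"usb (?P<path>[\d.-]+): new [\w-]+ USB device number (?P<num>\d+)")
IDS = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, "
                 r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
CRASH = re.compile(r"^(BUG: .*|Oops.*|general protection fault.*|Kernel panic.*|WARNING: .*)$")


def attribute_crashes(lines: List[str]) -> List[Dict[str, Optional[object]]]:
    """For each crash marker, record the device enumerated most recently before it.

    The last device is kept even after a disconnect line, because many USB stack
    bugs trigger in the driver's disconnect path rather than in probe.
    """
    pending: Dict[str, int] = {}   # port path -> device number, until its IDs are printed
    last: Optional[Dict[str, Optional[object]]] = None
    results = []
    for raw in lines:
        line = TS.sub("", raw.strip())
        m = NEW_DEV.search(line)
        if m:
            pending[m["path"]] = int(m["num"])
            continue
        m = IDS.search(line)
        if m:
            last = {"path": m["path"], "device_number": pending.get(m["path"]),
                    "idVendor": m["vid"], "idProduct": m["pid"]}
            continue
        m = CRASH.match(line)
        if m:
            rec: Dict[str, Optional[object]] = {"crash": m.group(1), "path": None,
                                                "device_number": None,
                                                "idVendor": None, "idProduct": None}
            if last:
                rec.update(last)
            results.append(rec)
    return results


def report(lines: List[str]) -> List[str]:
    """One human-readable line per crash, e.g. 'BUG: ... <- usb 1-1 device 4 (abcd:ef01)'."""
    out = []
    for r in attribute_crashes(lines):
        if r["path"] is None:
            out.append(f"{r['crash']} <- no USB device enumerated before this crash")
        else:
            out.append(f"{r['crash']} <- usb {r['path']} device {r['device_number']} "
                       f"({r['idVendor']}:{r['idProduct']})")
    return out


# Constructed dmesg excerpt: two emulated devices enumerate on port 1-1, the second
# is followed by a KASAN report. "example_probe" is a hypothetical driver function.
SAMPLE_DMESG = """\
[   12.001234] usb 1-1: new full-speed USB device number 3 using xhci_hcd
[   12.050001] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[   12.051002] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   12.400000] usb 1-1: USB disconnect, device number 3
[   13.001234] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[   13.050001] usb 1-1: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 1.00
[   13.090000] BUG: KASAN: slab-out-of-bounds in example_probe+0x1c4/0x3a0
[   13.090100] Read of size 4 at addr ffff000012345678 by task kworker/0:1/23
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE_DMESG):
        print(line)
```

On a real run the input would be the target's serial console or dmesg capture; pairing the crash with the device number and IDs lets you map it back to the syzbot reproducer that emulated that device, since each reproducer sets its own descriptor values.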

Vehicle Affected

Tools

raw-gadget: https://github.com/xairy/raw-gadget
syzbot: https://syzkaller.appspot.com/upstream

Demo Video

References

  • Updated. Thu Dec 7, 2023
  • Author. Donghyeon Jeong
  • Contact. dhje0ng(at)naver.com