Conference DEFCON 27. Your car is my car. Part 2

Conference DEFCON 27. Your car is my car. Part 1

At the end of the video, you heard a click: that was the mechanical steering-wheel lock, which we cannot bypass electronically. You would need something mechanical, such as breaking the lock cylinder by hand, which I was not going to do to her car. All the firmware shown in these videos will be available on GitHub after my talk; just go to the address on the slide and download the OpenRemoteStart file.

Let's talk about what happens when we add the Internet to this system, because that should be beneficial, right? As I said, I purchased a remote-control module for the alarm called MyCar. It comes in various versions; I had the Linkr LT-1 model.

MyCar is just a brand; such modules are sold under the names Linkr LT-1, MyCar KIA, Visions MyCar, Carlink (CL6), etc. As it turns out, for a while KIA dealerships in Canada installed this system, or at least an app called MyCar KIA, in cars. Interestingly, this application is no longer available for download from the App Store. I also want to note that I chose Fortin and MyCar products, but according to user reviews on car-alarm enthusiast forums, other systems behave no better and have similar problems.

I have an important question: why is the aftermarket car-alarm industry selling a product with security problems, and nobody cares? So if any of you are interested in remote-start systems, pay attention to a couple of important facts. First, as I mentioned earlier, if a remote-start system is not properly installed in a car with a manual transmission, it is quite possible that after a remote start the car will simply drive off without a driver if a gear is engaged. That is really dangerous. The second danger is that if someone parks the car in an attached garage and the engine is accidentally started remotely, you can suffocate on the accumulated carbon monoxide. So if you have a remote-start system and an attached garage, you should definitely have carbon monoxide detectors.

If you use a remote-start system, never start the car without knowing exactly where it is, because the consequences can be catastrophic.

The MyCar device, a small black box with two wires coming out of it, has 8 pins, two of which are a debug interface. Connecting to this interface showed that the device runs Linux, which the manufacturer does not mention. Getting into the firmware shell is trivial with the password oelinux123, but you can also use the AE Engine without logging in, which lets you enter AT commands from the command line, including a command to change the IP address of the server this module communicates with.

If we look at the lines below, we can see the IP address of the server from which the MyCar module receives firmware updates. The device has an L-port, which lets you "listen" to the commands the module receives. Using the AE Engine and changing the IP of the paired device, I determined that this device communicates with the remote-start system over unencrypted UDP.

I didn't go into it much, but I think it is a pretty significant and interesting fact. If you want more information about this device, look at this slide: it shows the supply voltage of 3.3 V, a baud rate of 115200, the firmware update server address, the root password and a link to the user manual.

The device can "tolerate" a higher supply voltage.

Like I said, it gets pretty cold here. About a month after I gave this system to my girlfriend, I decided to take the unit out of the car and really dig into it. The truth is that all that month I kept pushing away thoughts about the vulnerability of this device. The next week promised frost down to -30°F, so I had to hurry. I connected to the shell and got it working, but since the cellular reception in my home lab is poor, I decided to work with the unit on another computer. The FTDI adapter I use has a short cable, so I found a longer one, hooked it up to the remote-start box, connected it to my computer, and as soon as I turned on the power, my module let out smoke!

The lesson here is that if you are into hardware hacking, have a spare unit ready! My girlfriend put the moral of the story this way: if your significant other is a hacker, don't let him play with your Christmas presents! Now let's look at the software; I don't think anything will smoke here.

I started a man-in-the-middle proxy, disabled SSL verification on my phone, and started looking at what traffic the app sends to the backend. When I signed up, I noticed that the system takes my email address and sends it to a web service to check whether it is linked to an existing account. Interestingly, the system used basic authentication for this, because I had not created an account yet. I did not know what to do with this information, so I just wrote it down in a notebook and moved on. I created my account and logged in, and the first thing the application does on login is call a web service to check the current user. So I simply called this web service with the credentials I had seen earlier, the ones used to check whether my email address existed, and got "Mycar Admin" back in response.

I doubted that this was a real system administrator account, because, despite the impressive name, it had low privileges. After all, we all know those people.

So I create another request, the EngineStart command to start the car from this account, click "Send", get the command status "200 OK" in response, and after about three seconds my car starts.

As it turns out, the Mycar Admin account was indeed an admin account hardcoded into the mobile app. But that is not all. On one of the previous slides you saw something called an API key. Again, from watching the traffic through my proxy, I learned that these API keys can be used in place of a username and password: if you use "API" as the username and one of these keys as the password, you are authenticated.

So I copied the contents of the "APIKey" line, pasted it into the Password field of the POST request, and clicked "Send".

However, it didn't work, and for 5 long minutes I couldn't figure out why. Finally it dawned on me that I had forgotten to strip the quotes and the comma from the copied API key, which is exactly what the error told me: "You have an error in your SQL syntax." It became clear that one could use basic SQL injection to bypass the entire login process and become an administrator or whatever user you want. I don't think anyone has tried to steal a car using SQL injection, so let's try it.

So I logged in under my account, clicked "Send" and got "200 OK" back. This time I thought to record a video. It is a bit dark because I shot it late at night from my office window. So I enter the command, and through the window you can see the car's headlights flashing down in the yard. At first their light is weak, but then the headlights come on at full power: that is the engine starting. So I started the car using SQL injection (audience applause).

But that is not all. SQL injection can be used not only for authorization but also to substitute other parameters: the URL, query string, body parameters, and so on. In fact, this system is injectable everywhere. Looking at the error messages, we can see that what we enter as the password is compared directly with the password column in the database.
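The login flaw described above, reconstructed as an added example by the editor (this is not code from the talk or from MyCar's backend): a login that splices the submitted password straight into the query and compares it with a plaintext column, the stray-quote probe that exposes it, and a parameterised, salted-hash login that closes it. The table layout, user records and the `x' OR role = 'admin' --` payload are constructed placeholders, not values from the talk.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (placeholders, not values from the talk).
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery", "user"),
    ("admin@example.invalid", "hunter2", "admin"),
]


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the fixed login never stores the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory user table. The plaintext `password` column exists only so the
    vulnerable path can be shown next to the hashed `pw_hash` column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB, role TEXT)"
    )
    for email, pw, role in SAMPLE_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (email, pw, salt, _kdf(pw, salt), role))
    db.commit()
    return db


def login_vulnerable(db, username: str, password: str):
    """What the talk's error messages imply: the submitted password is spliced
    into the SQL text and compared directly with the plaintext column."""
    sql = (f"SELECT email, role FROM users "
           f"WHERE email = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()  # (email, role) or None


def probe(db, username: str, password: str) -> str:
    """The stray-quote step: a quote left in the password breaks the statement,
    and the database error is what gave the injection away in the talk."""
    try:
        login_vulnerable(db, username, password)
        return "no error"
    except sqlite3.OperationalError as exc:
        return f"sql error: {exc}"


def login_fixed(db, username: str, password: str):
    """Parameterised lookup plus constant-time comparison of a salted hash."""
    row = db.execute(
        "SELECT email, role, salt, pw_hash FROM users WHERE email = ?",
        (username,),
    ).fetchone()
    if row is None:
        _kdf(password, b"\0" * 16)  # spend the same time for unknown users
        return None
    email, role, salt, pw_hash = row
    if hmac.compare_digest(_kdf(password, salt), pw_hash):
        return (email, role)
    return None


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR role = 'admin' --"  # the trailing -- comments out the closing quote
    print(probe(db, "alice@example.com", "abc'"))
    print(login_vulnerable(db, "nobody", payload))  # admin row, no password needed
    print(login_fixed(db, "nobody", payload))       # None
```

With the vulnerable function the payload turns the `WHERE` clause into `(email = 'nobody' AND password = 'x') OR role = 'admin'`, so the first admin row comes back without a password. The fixed function never lets the input reach the SQL text, and a leak of the table yields only salted PBKDF2 hashes.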

This means that they store passwords in plain text. As the saying goes, "this is not good at all, and even very bad!" But enough about SQL; let's see what else can be done to remotely start a car. You simply send the "EngineStart" command and receive an integer identifier for this command in return, in this case ID = 3. Knowing the identifier, you can poll a service that reports the status of this command.

So by incrementing or decrementing the ID, I can poll the status of any command that has ever been sent on this system.

However, there is nothing particularly interesting in that, and I wondered whether there is a direct object reference I can use to start my car. So I ran "EngineStart" as a legitimate user from my account, then tried to call it through another user's account that should not have access. In response I got an error: "This account is outside the context of the hierarchy." So maybe this hack won't work. However, if you look at this API, you will see that it duplicates information: the user's email address is matched against their account ID.

If you are developing an API, or hacking one, this kind of duplicated information that we see in the URL can be a source of bugs. In this case, the API bugs can manifest in four different ways.

If you look at cases 2 and 3, circled in red, you can see direct object references. In both cases the system does not check whether you are authorized to execute the given command. I tried case 2 and it didn't work; what about case 3? Here we just replace USER_EMAIL in the URL, since it is tied to the account ID ACCOUNT_ID. Previously we used the victim's account ID, now we use the attacker's. So I used the attacker's account ID and the victim's device ID, sent the command, and, as expected, got "200 OK" and took control of the MyCar app.

Thus, with three different attack vectors, we can do everything a legitimate user of the application can do. This means you can find any car in the city, find its make and model in the application, and then remotely unlock and start it. We can arm or disarm the alarm, change the car's service menu, and check the status of any command. And all of this can be done in three different ways.
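The two direct-object-reference problems above, the sequential command ID that anyone can walk and the send request that checks the account in the URL but trusts the device ID, modelled as an added example by the editor (not code from the talk or from MyCar's backend). The account hierarchy, device names, numeric IDs and the `Backend` class are constructed placeholders; the fixed handlers show the check a practitioner would expect: authorise the whole chain caller, account, device, and answer unauthorised IDs exactly like missing ones.

```python
from dataclasses import dataclass


@dataclass
class Command:
    account_id: int
    device_id: str
    name: str
    status: str = "queued"


class Backend:
    """Toy model of the command API: accounts form a hierarchy (a dealer over
    its customers), each device belongs to one account, and every command gets
    a sequential integer id, as the talk describes."""

    def __init__(self, accounts: dict, devices: dict):
        self.accounts = accounts  # id -> {"email": ..., "parent": id or None}
        self.devices = devices    # device id -> owning account id
        self.commands = {}        # command id -> Command
        self._next_id = 1

    def hierarchy_of(self, account_id: int) -> set:
        """Accounts the caller may act on: itself plus every descendant."""
        members = {account_id}
        grew = True
        while grew:
            grew = False
            for aid, acc in self.accounts.items():
                if acc["parent"] in members and aid not in members:
                    members.add(aid)
                    grew = True
        return members

    def _enqueue(self, account_id: int, device_id: str, name: str) -> int:
        cid = self._next_id
        self._next_id += 1
        self.commands[cid] = Command(account_id, device_id, name)
        return cid

    def send_vulnerable(self, caller: int, account_id: int, device_id: str, name: str):
        """Only the account in the URL is checked against the caller's hierarchy;
        the device id is trusted as-is (the talk's 'case 3')."""
        if account_id not in self.hierarchy_of(caller):
            return 403, "This account is outside the context of the hierarchy"
        return 200, self._enqueue(account_id, device_id, name)

    def send_fixed(self, caller: int, account_id: int, device_id: str, name: str):
        """Authorise the whole chain: caller -> account -> device."""
        if account_id not in self.hierarchy_of(caller):
            return 403, "This account is outside the context of the hierarchy"
        if self.devices.get(device_id) != account_id:
            return 403, "device does not belong to this account"
        return 200, self._enqueue(account_id, device_id, name)

    def status_vulnerable(self, caller: int, cid: int):
        """Any caller can read any command by id: step the id up or down and
        read the whole history."""
        cmd = self.commands.get(cid)
        return (200, cmd) if cmd else (404, None)

    def status_fixed(self, caller: int, cid: int):
        """Unauthorised ids get the same answer as missing ones, so the id space
        cannot be mapped by telling 403 from 404."""
        cmd = self.commands.get(cid)
        if cmd is None or cmd.account_id not in self.hierarchy_of(caller):
            return 404, None
        return 200, cmd


def walk_ids(backend: Backend, caller: int, last_seen: int, status_fn) -> list:
    """Enumerate every command id below one the caller legitimately received,
    returning (id, owning account, command name) for each readable record."""
    found = []
    for cid in range(last_seen - 1, 0, -1):
        code, cmd = status_fn(caller, cid)
        if code == 200:
            found.append((cid, cmd.account_id, cmd.name))
    return found


# Constructed sample data (placeholder ids, emails and device names).
SAMPLE_ACCOUNTS = {
    1:   {"email": "dealer@example.com",   "parent": None},
    100: {"email": "victim@example.com",   "parent": 1},
    200: {"email": "attacker@example.com", "parent": 1},
}
SAMPLE_DEVICES = {"DEV-VICTIM": 100, "DEV-ATTACKER": 200}

if __name__ == "__main__":
    b = Backend(SAMPLE_ACCOUNTS, SAMPLE_DEVICES)
    print(b.send_vulnerable(100, 100, "DEV-VICTIM", "EngineStart"))  # victim's own command
    print(b.send_vulnerable(200, 100, "DEV-VICTIM", "EngineStart"))  # case 2: refused
    print(b.send_vulnerable(200, 200, "DEV-VICTIM", "EngineStart"))  # case 3: accepted
    print(walk_ids(b, 200, 3, b.status_vulnerable))                  # every command so far
    print(b.send_fixed(200, 200, "DEV-VICTIM", "EngineStart"))       # refused
```

The `send_fixed` check is the one that closes case 3: the device must belong to the very account the caller is authorised for, so swapping in your own account ID no longer buys a command against someone else's device. `status_fixed` also removes the enumeration oracle, since a command outside your hierarchy looks identical to one that does not exist.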

Obviously, the MyCar developers tried to fix the bugs somehow. In the case of the hardcoded passwords, they simply put a reverse proxy in front of the application to hide the credentials used for authorization. The problem is that reverse proxies are not magic and cannot fix everything. They left the SQL injection in a third-party service, so even without the password I can still get in through the user-verification procedure.

I decided to take a closer look at the URL structure. You may have noticed that all addresses used by the system contain m2m. Figuring this was some kind of internal interaction for the authorization mechanism in the MyCar app, I typed these letters into Google and found the M2M Suite site. The only thing left to do when you see this form is to put a couple of single quotes in it and see what happens. What happens is that you get a proper SQL injection (audience applause).

And this comes several months after the SQL injection problem was reported to the developers. If an application has such problems, they need to be fixed as soon as possible, but as you can see, the developers have done nothing. I find such disregard for users offensive.

The MyCar module has a GPS unit, so it can track the car's location and display it in the app. But, as it turned out, they store not only the car's current location. They store a hell of a lot of information, far more than is needed to keep track of where the car currently is. In my case, in 13 days of using the application, they accumulated a little under two thousand geolocation points of places my car had visited. The privacy policy of MyCar, the developer, does not say a word about collecting such information.

However, it gets even worse. You might argue that this is just a side effect of implementing a location service. But instead of just keeping a list of the places your car has been, they use another API that analyzes this data and determines the places your car visits most often. Again, to my knowledge, there is no hint of such a feature in the privacy policy. Perhaps this is not so surprising, because after a lot of searching I found MyCar's parent company, Procon Analytics, went to their website and visited the FAQ section. There I came across the question: "How do you ensure data security?" The company's answer was: "Unlike public clouds that compete for storage priority, Procon Analytics uses its own virtual cloud that is used exclusively by our application users and protected from interference by other users. It is a special cloud environment with a high degree of protection, which ensures easy accessibility and fast delivery of services. By partnering with Procon Analytics, you can be confident that your data is secure." I don't even know what to say to that...

If you go to their Facebook page, you can find out even more interesting things. There they write directly: "Protecting your vehicle information is vital!" Well, I can only agree with that statement.

So, back to the question I started with: "How does this happen and how can it be avoided?" And more importantly, how can we, as a community, prevent this from happening?

This concludes my talk, but I can still answer a couple of questions (audience applause).

Are you asking whether they fixed everything? At this point, I think they have fixed all the bugs I reported to them, except for the privacy-policy flaws I mentioned at the end of the talk. The last time I checked, nothing had changed there. As for whether I can edit the car's ECU parameters this way, I will answer that my task was to edit the car's parameters only in the MyCar application. It stores a digital representation of the car, which can be edited via direct object access, SQL injection, or another attack vector.

The last question: do I have a keyless start system with a "Start" button in my car, and what about the steering-wheel lock in that case? I will answer that MyCar has such a button, so this system does not have a steering-wheel lock. I suspect that if you install this system, you definitely cannot rely on the steering-wheel lock.

Source: habr.com