Hyundai IVI system firmware was signed with a key from the OpenSSL manual

The owner of a Hyundai Ioniq SEL has published a series of articles describing how he was able to make changes to the firmware used in the infotainment system (IVI) based on the D-Audio2V operating system, which is used in Hyundai and Kia cars. It turned out that all the data needed for decryption and verification was publicly available on the Internet, and only a few Google queries were needed to find it.

The firmware update offered by the IVI system manufacturer was delivered as a password-encrypted zip file, and the firmware contents themselves were encrypted with the AES-CBC algorithm and certified with a digital signature based on RSA keys. The password for the zip archive and the AES key for decrypting the updateboot.img image were found in the linux_envsetup.sh script, which was present in clear form in the system_package package containing the open components of the D-Audio2V OS, distributed on the IVI system manufacturer's website.

However, to modify the firmware, the private key used for the digital signature check was still missing. Notably, the RSA key was found with the Google search engine. The researcher submitted a search query containing the previously found AES key and discovered that the key is not unique and is mentioned in the NIST SP800-38A document. Reasoning that the RSA key had been borrowed in the same way, the researcher found a public key in the code accompanying the firmware and tried to find information about it on Google. The query showed that this public key is mentioned in an example from the OpenSSL manual, which also includes the private key.

After obtaining the necessary keys, the researcher was able to make changes to the firmware and add a backdoor that allows a remote connection to the shell of the IVI device's system software environment, as well as to integrate additional applications into the firmware.
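
A release-pipeline check for the failure described above, where a production key turns out to be a value copied from public documentation. This is an added example, not code from the researcher or the vendor: it scans build scripts for the example keys and IV printed in NIST SP 800-38A, and the sample script and its variable names are constructed for illustration.

```python
import re

# Example values printed in the test vectors of NIST SP 800-38A.
# They are public, so none of them may ever protect a shipped product.
PUBLISHED_VALUES = {
    "2b7e151628aed2a6abf7158809cf4f3c":
        "SP 800-38A AES-128 example key",
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":
        "SP 800-38A AES-192 example key",
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":
        "SP 800-38A AES-256 example key",
    "000102030405060708090a0b0c0d0e0f":
        "SP 800-38A CBC example IV",
}


def normalize(line):
    """Lowercase and drop 0x prefixes and byte separators, so that
    '2B:7E', '0x2b, 0x7e' and '2b7e' all compare equal."""
    return re.sub(r"0x|[\s,:\-]", "", line.lower())


def find_published_values(text):
    """Return (line_number, label) for each line holding a known value."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        flat = normalize(line)
        for value, label in PUBLISHED_VALUES.items():
            if value in flat:
                hits.append((number, label))
    return hits


# Constructed sample of a build environment script (hypothetical names).
SAMPLE_SCRIPT = """\
#!/bin/sh
export FW_ENC_KEY="2B7E151628AED2A6ABF7158809CF4F3C"
export FW_ENC_IV=00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f
export FW_OTHER_KEY=5d41402abc4b2a76b9719d911017c592
"""

if __name__ == "__main__":
    for number, label in find_published_values(SAMPLE_SCRIPT):
        print(f"line {number}: {label}")
```

The same deny-list approach extends to signing keys by comparing the fingerprint of each public key in the tree against fingerprints of keys published in documentation and tutorials.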

Source: opennet.ru
