Hyundai IVI system firmware was authenticated with a key from the OpenSSL manual

The owner of a Hyundai Ioniq SEL has published a series of articles describing how he was able to modify the firmware used in the infotainment system (IVI), which is based on the D-Audio2V operating system used in Hyundai and Kia cars. It turned out that all the data needed for decryption and verification was publicly available on the Internet, and only a few Google queries were needed to identify it.

The firmware update supplied by the IVI system manufacturer was delivered as a password-encrypted zip file. The firmware contents themselves were encrypted with the AES-CBC algorithm and authenticated with a digital signature based on RSA keys. The password for the zip archive and the AES key for decrypting the updateboot.img image were found in the linux_envsetup.sh script, which was present in clear text in the system_package package containing the open components of the D-Audio2V OS, distributed on the website of the IVI system manufacturer.

However, to modify the firmware, the private key used for the digital signature verification was still missing. Notably, the RSA key was found through the Google search engine. The researcher ran a search query containing the AES key found earlier and discovered that the key is not unique and appears in the NIST SP800-38A document. Assuming that the RSA key had been borrowed in the same way, the researcher found the public key in the code accompanying the firmware and searched Google for information about it. The query showed that this public key appears in an example from the OpenSSL manual, which also includes the private key.

After obtaining the necessary keys, the researcher was able to modify the firmware and add a backdoor, which made it possible to connect remotely to the software shell of the IVI device's system environment, as well as to integrate additional applications into the firmware.
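
The underlying failure is example key material from public documentation being shipped as production keys. As an added example (not from the original article or the vendor's code), the following build-time check flags values printed in NIST SP 800-38A inside scripts or source files; the sample input, its variable names and the function name are constructed for illustration.

```python
import re

# Values printed in NIST SP 800-38A; public test vectors, never secrets.
PUBLISHED_VALUES = {
    "2b7e151628aed2a6abf7158809cf4f3c": "SP 800-38A AES-128 example key",
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":
        "SP 800-38A AES-192 example key",
    "603deb1015ca71be2b73aef0857d7781"
    "1f352c073b6108d72d9810a30914dff4": "SP 800-38A AES-256 example key",
    "000102030405060708090a0b0c0d0e0f": "SP 800-38A CBC example IV",
}

# Separators tolerated between hex digits, so C byte arrays (even ones that
# span several lines) and "aa:bb" notations match as well as plain hex.
_SEP = r"(?:0x|\\x|[\s,:'\"])*"


def find_published_values(text):
    """Return sorted (line, description) pairs for published values in text."""
    hits = []
    for hex_value, description in PUBLISHED_VALUES.items():
        pattern = re.compile(_SEP.join(hex_value), re.IGNORECASE)
        for match in pattern.finditer(text):
            # Report the line on which the matching value starts.
            line = text.count("\n", 0, match.start()) + 1
            hits.append((line, description))
    return sorted(hits)


# Constructed sample input (hypothetical names, not the vendor's script).
SAMPLE = """\
export FW_ZIP_PASSWORD=placeholder
export FW_AES_KEY=2B7E151628AED2A6ABF7158809CF4F3C
static const unsigned char fw_iv[] = {
  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
export OTHER_KEY=5f3a9c0d17e24b68a1c3d5e7f9012b4d
"""

if __name__ == "__main__":
    for line, description in find_published_values(SAMPLE):
        print(f"line {line}: {description}")
```

The same gate extends to any other published example material, such as sample RSA keys from library documentation, by adding their normalized encodings to the table.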

Source: opennet.ru