By Spencer Hsieh (Staff Threat Researcher, Automotive), Aaron Luo (Sr. Staff Engineer, Automotive) and Vit Sembera (Sr. Threat Researcher, Automotive)
The vulnerabilities discovered at Pwn2Own Automotive 2024 underscore significant cybersecurity concerns impacting automotive systems and their supporting infrastructure. These issues highlight the importance of following secure coding practices and strict compliance with industry standards, among other best practices. In this blog entry, we examine two of the vulnerabilities from Pwn2Own Automotive 2024, both of which were identified by researchers from Synacktiv in the firmware of the Autel MaxiCharger electric vehicle (EV) charger: CVE-2024-23959 and CVE-2024-23958.
At a glance: CVE-2024-23959 and CVE-2024-23958
CVE-2024-23959, a stack-based buffer overflow vulnerability, is a textbook example of a common flaw in embedded systems. These systems often use streamlined operating systems that might lack key security features such as stack protection. Without these safeguards, these systems are highly vulnerable to overflow attacks. The problem is further exacerbated by the fact that most integrated development environments (IDEs) do not automatically perform security checks. To catch such vulnerabilities early, developers must employ static application security testing (SAST). The emergence of CVE-2024-23959 suggests that such tools were either not used or improperly configured.
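The bug class described above, as an added example that is not Autel's firmware or the ZDI's code: a firmware-style handler copies a length-prefixed field from a received frame into a fixed-size stack buffer, first in the unchecked form a SAST tool would flag, then hardened with the length validation that makes the copy safe even on a target built without stack protection. The frame layout, field size and function names are assumptions.

```c
/* Added example (not the Autel MaxiCharger firmware): a length-prefixed
 * field copied into a fixed stack buffer, unchecked and then hardened.
 * Frame layout [len][payload...] and NAME_MAX are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16   /* assumed size of the on-stack field buffer */

/* Unsafe pattern (the CVE-2024-23959 bug class): trusts the length byte and
 * copies without comparing it to NAME_MAX. On an RTOS built without stack
 * canaries the overrun silently reaches the saved return address.
 * Shown for contrast only; nothing here calls it. */
size_t parse_name_unsafe(const uint8_t *frame, size_t frame_len) {
    char name[NAME_MAX];
    (void)frame_len;                    /* frame size is ignored: bug */
    memcpy(name, frame + 1, frame[0]);  /* frame[0] may exceed NAME_MAX */
    return frame[0];
}

/* Hardened: validate the declared length against both the frame size and
 * the destination buffer before any copy. Returns 0 on success, -1 if the
 * frame is malformed; out receives a NUL-terminated copy of the field. */
int parse_name_safe(const uint8_t *frame, size_t frame_len,
                    char *out, size_t out_sz) {
    if (frame == NULL || out == NULL || out_sz == 0 || frame_len < 1)
        return -1;
    size_t len = frame[0];
    if (len > frame_len - 1) return -1;  /* declared length overruns frame */
    if (len >= out_sz) return -1;        /* must leave room for the NUL */
    memcpy(out, frame + 1, len);
    out[len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed frames: one well-formed, one with a lying length byte. */
    const uint8_t good[] = {5, 'E', 'V', 'S', 'E', '1'};
    const uint8_t bad[]  = {200, 'A', 'B', 'C'};
    char name[NAME_MAX];
    printf("good: %d (%s)\n", parse_name_safe(good, sizeof good, name, sizeof name), name);
    printf("bad:  %d\n", parse_name_safe(bad, sizeof bad, name, sizeof name));
    return 0;
}
```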
The second vulnerability, CVE-2024-23958, stems from the presence of hard-coded credentials within the system. Typically added for development and debugging, these credentials can be mistakenly left in production code, posing a critical security risk. Such an oversight offers attackers an easy entry point to bypass authentication and gain unauthorized access.
Both vulnerabilities have been patched by Autel in the latest release of the Autel MaxiCharger firmware. For more information on these vulnerabilities and insights into the reverse-engineering techniques used to uncover them and how Autel patched them, read the relevant blog entry by the Zero Day Initiative (ZDI), VicOne’s co-host for Pwn2Own Automotive and partner in vulnerability discovery and disclosure.
Security implications of compromised EV chargers
The risks of a compromised EV charger go beyond the device itself. It could serve as an entry point for attacks on connected vehicles and other electric vehicle supply equipment (EVSE) systems through communication protocols such as the Open Charge Point Protocol (OCPP). OCPP facilitates communication between EV chargers and their central systems, supporting remote management and billing functions. If an attacker gains control of the charger, they could exploit OCPP vulnerabilities to disrupt or manipulate the vehicle’s systems during the charging process.
Fundamentals of secure coding in embedded systems
The vulnerabilities identified at Pwn2Own Automotive 2024 are stark reminders that the secure coding fundamentals in embedded systems are no different from those in the broader IT landscape. Secure coding practices, such as rigorous input validation, avoiding hard-coded secrets, and implementing proper authentication mechanisms, are as paramount in embedded systems as in any other software development context. Combined with comprehensive security frameworks, standards, and regulations such as OWASP resources, ISO/SAE 21434, and UN R155, these practices are vital for ensuring the security and resilience of vehicles and connected infrastructure systems.
Compliance with security frameworks, standards, and regulations
To further mitigate cybersecurity risks, adhering to security frameworks, standards, and regulations is important. Key examples include:
- The Open Worldwide Application Security Project (OWASP), which offers vital resources and tools, including SAST tools, which help identify and mitigate vulnerabilities such as buffer overflows and hard-coded credentials during development.
- ISO/SAE 21434, which provides a structured approach to managing cybersecurity risks throughout the vehicle life cycle, emphasizing cybersecurity considerations from design to decommissioning.
- UN Regulation No. 155 (UN R155), which mandates that automakers implement cybersecurity management systems, ensuring vehicles remain protected against evolving threats.
Conclusion
The cybersecurity challenges highlighted at Pwn2Own Automotive 2024 underscore the need for a comprehensive approach to security in the automotive industry. By applying secure coding principles, effectively using tools such as those recommended by OWASP, and adhering to industry standards and regulations such as ISO/SAE 21434 and UN R155, the automotive industry can significantly reduce the risk of vulnerabilities being exploited. These recommendations are key not only to protecting connected vehicles but also to securing the connected infrastructure that supports them.
A background on responsible disclosure timelines
Most might wonder why there is often a delay from the time the ZDI announces that a team has successfully hacked or “pwned” a device or software at Pwn2Own events until the subsequent publication of the techniques used in the hacks. This delay is part of the coordinated vulnerability disclosure (CVD) process, which is designed to manage zero-day vulnerabilities more responsibly.
In the 1990s, only a few hackers actively hunted for vulnerabilities, and many vendors were unprepared to handle them. Both white hat hackers and vendors had concerns, such as, “Are hackers submitting vulnerabilities in exchange for benefits?” or “Will the vulnerabilities be fixed, or will the submission be a waste of time?” The two sides arrived at a compromise: Hackers first submit the vulnerabilities to the vendors, who then release a patch and publicly acknowledge the hackers for their discovery.
According to the ZDI’s disclosure policy, a submitted vulnerability is disclosed once a patch is available or after a certain period if the vendor is unresponsive. This approach prevents or lowers the risk of vulnerability exploitation by either resolving the issue or making the public aware of a threat that has no known fix. This explains the time gap between the initial submission of vulnerabilities and the detailed disclosure.