從資訊外洩到命令注入:汽車產業常見漏洞

VicOne 網路威脅研究實驗室VicOne 網路威脅研究實驗室

我們在這篇文章中重點介紹影響現代互聯車輛的常見漏洞,包括類似拒絕服務、硬編碼憑證和堆疊溢出的漏洞。Pwn2Own Automotive 等措施在暴露更多未公開漏洞並正面解決這些漏洞方面發揮著不可或缺的作用。

從資訊外洩到命令注入:汽車產業常見漏洞

In cybersecurity parlance, a vulnerability is a weakness within a system or network that can be exploited by hackers or other threat actors to gain unauthorized access, cause harm, or engage in other malicious actions. Vulnerabilities are often categorized based on public awareness. Publicly known vulnerabilities are widely acknowledged within the global cybersecurity community. This knowledge is shared with relevant stakeholders, enabling those responsible for the affected system’s security to patch the vulnerabilities promptly. In contrast, zero-day vulnerabilities are often discovered and exploited by malicious actors before defenders become aware of them. Such vulnerabilities pose significant risks, impacting the entire supply chain.

In this blog entry, we highlight the types of vulnerabilities common to the automotive industry. While some of these may share commonalities with those in other industries, the complexity of modern connected cars demands a more comprehensive understanding of their evolving threat landscape. Initiatives such as Pwn2Own Automotive play an indispensable role in exposing more undisclosed vulnerabilities and addressing them head-on.

Here are common vulnerabilities in the automotive industry and some of their specific examples:

  • Information leakage vulnerabilities: Information leakage is the exposure of sensitive information, inadvertent or otherwise. This may not seem critical at the onset, but even minor leaks, like those involving vehicle identification numbers (VINs), user email addresses, or time zones, can have significant consequences. For instance, in 2022, researchers demonstrated how a vehicle could be unlocked using just the VIN, exploiting flaws in a service provider’s cloud service.
  • DoS vulnerabilities: Denial of service (DoS) occurs when a system’s resources are overwhelmed, making it unavailable to its intended users by any means necessary. In an automotive context, DoS vulnerabilities often stem from poor system design or insufficient capacity. For example, in early 2023, a researcher discovered that inserting a USB pen drive with a specially crafted media file into an infotainment system could shut it down, demonstrating a DoS vulnerability.
  • Hard-coded credential vulnerabilities: Hard-coded credentials are embedded, unchangeable credentials within a system, which can be a security risk. These are common in higher-level devices within vehicles. Examples include passwords or keys used for debugging or developer functions, which are often identical across devices, families, or product lines. The uniformity of access across multiple devices typically arises from a lack of security awareness and can lead to various breaches.
  • Stack overflow vulnerabilities: Stack overflow is a programming error where a program writes more data to a buffer located on the stack, a memory structure found in almost all electronic devices, than what is actually allocated, leading to a breach. When a program exhausts its allocated memory, it can behave unpredictably or even execute malicious scripts. Stack overflow vulnerabilities often result from improper software design. VicOne’s research team has successfully exploited a stack overflow in an automotive head unit to run arbitrary code.
  • Command injection vulnerabilities: Command injection enables a malicious actor to execute arbitrary commands on the host operating system via a vulnerable application. Command injection vulnerabilities can lead to severe consequences due to inadequate security mechanisms upholding the basic principles of confidentiality, integrity, and availability (CIA). An example is the CAN bus injection attack where attackers can exploit vulnerabilities in the CAN bus through a car’s headlights.

These vulnerabilities emphasize the importance of robust and resilient automotive cybersecurity in protecting connected vehicles against various forms of cyberattacks. Addressing these vulnerabilities is crucial to ensuring the security and safety of automotive systems and networks.

To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.

About the Author

VicOne 網路威脅研究實驗室
VicOne 網路威脅研究實驗室

VicOne 資安威脅研究實驗室(CyberThreat Research Lab)致力於探索聯網車輛、軟體定義車輛(SDV)、電動車充電基礎設施(EV Charging Infrastructure)及 Physical AI 系統所面臨的新興威脅與風險。研究範疇涵蓋零日漏洞(Zero-Day Vulnerability)發掘、深網與暗網威脅情資分析、Auto-ISAC Automotive Threat Matrix(ATM)威脅模型對應,以及 AI 安全風險分析等領域。實驗室研究成果曾於 RSAC、ESCAR USA、ELIV 等國際產業論壇發表,並獲 Auto-ISAC 等國際組織引用與參考。透過持續的威脅研究與情資分析,VicOne 資安威脅研究實驗室協助汽車製造商(OEM)、供應商、產品安全事件應變團隊(PSIRT)及車聯網安全決策者,將技術洞察轉化為可執行的防禦策略與風險管理措施,提升整體資安韌性。