CHIMAERA - Custom Hyundai Motor group infotAinmEnt fiRmwAre
G. Costantino; M. De Vincenzi; I. Matteucci
2023
Abstract
At the beginning of 2022, we started a vulnerability assessment of the In-Vehicle Infotainment (IVI) system Gen5W _L firmware, which is part of Hyundai, Kia, and Genesis vehicles. In October 2022, as a result, we found different issues, like a memory leak vulnerability, that allow us to create our customized firmware. This study is part of one of our research activities to identify vulnerabilities in complex computer systems and publish the achieved results following the responsible disclosure process. Thus, in November 2022 we started the responsible disclosure process with Hyundai Motor Group. Leveraging the experience gained with the Gen5 ([CVE-2020-8539] and KOFFEE - Kia OFFensivE exploit), we analyzed a Gen5W firmware and we were able to find several security issues. The main finding is the possibility to leak data from the memory during the decryption process and, consequently, we can retrieve the AES-CBC 128 key, the initialization vectors, the method to generate the SHA 256 of each file, and bypass the check of the digital signature. We also identified the specific structure of the firmware files, which is necessary to modify them.

| File | Size | Format |
|---|---|---|
| prod_476323-doc_194651.pdf (open access; Description: CHIMAERA; License: Creative Commons) | 1.29 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.