Security researchers Radu Motspan, Mikhail Evdokimov, and Polina Smirnova demonstrated how to remotely exploit a Nissan Leaf, uncovering nine vulnerabilities that allow full control of the vehicle. Their research, presented in a 118-slide deck, details attacks ranging from Bluetooth exploitation to persistence, data exfiltration, and lateral movement within the car’s systems.
Key Findings:
- The vulnerabilities have been unpatched since 2023 despite ethical disclosure attempts.
- Attackers can manipulate critical functions like door locks, climate control, and infotainment.
- Exploits leverage outdated Bluetooth protocols and insecure API endpoints.
You Should Know:
1. Bluetooth Exploitation (CVE-2023-XXXX)
The attack begins by exploiting weak Bluetooth authentication. Researchers used Bluetooth Low Energy (BLE) sniffing tools to intercept handshakes.
Commands to Test BLE Security:
```shell
# Scan for BLE devices
sudo hcitool lescan
# Capture BLE packets
sudo btmon
# Use gatttool to interact with BLE services
gatttool -b <MAC> --interactive
```
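A defender-side check that fits this section, added here as an example and not taken from the researchers' slides or from any Nissan code: it decodes the Security Manager Protocol (SMP) Pairing Request and Pairing Response PDUs that a `btmon` capture exposes and reports whether the exchange falls back to Just Works, to LE legacy pairing, or to a shortened key. The PDU layout (code, IO capability, OOB flag, AuthReq, max key size, key distribution) and the AuthReq bit positions are from the Bluetooth Core Specification; the two sample exchanges are constructed for the example, not captured from a vehicle.

```python
import struct

# Constants from the Bluetooth Core Specification, Security Manager Protocol (SMP).
SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02
IO_CAPABILITIES = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}
AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections supported


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Decode a 7-byte SMP Pairing Request/Response PDU into its security-relevant fields."""
    if len(pdu) != 7:
        raise ValueError("SMP pairing request/response PDUs are exactly 7 bytes")
    code, io_cap, oob, auth_req, max_key, init_kd, resp_kd = struct.unpack("7B", pdu)
    if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError(f"not a pairing request/response: code 0x{code:02x}")
    return {
        "code": code,
        "io_capability": IO_CAPABILITIES.get(io_cap, f"reserved(0x{io_cap:02x})"),
        "oob": oob == 0x01,
        "bonding": auth_req & 0x03,
        "mitm": bool(auth_req & AUTHREQ_MITM),
        "secure_connections": bool(auth_req & AUTHREQ_SC),
        "max_key_size": max_key,
        "initiator_keys": init_kd,
        "responder_keys": resp_kd,
    }


def assess_pairing(req: dict, rsp: dict) -> list:
    """Return (code, explanation) findings for one request/response pair."""
    findings = []
    # Just Works (no authentication of the peer) is used when neither side asks for
    # MITM protection, or when either side is NoInputNoOutput. The spec's full
    # IO-capability matrix decides the remaining combinations.
    no_mitm = not (req["mitm"] or rsp["mitm"])
    no_io = "NoInputNoOutput" in (req["io_capability"], rsp["io_capability"])
    if no_mitm or no_io:
        findings.append(("just-works",
                         "pairing uses Just Works: the peer is never authenticated"))
    if not (req["secure_connections"] and rsp["secure_connections"]):
        findings.append(("legacy-pairing",
                         "LE legacy pairing: key exchange is exposed to a passive sniffer"))
    key_size = min(req["max_key_size"], rsp["max_key_size"])
    if key_size < 16:
        findings.append(("short-key", f"negotiated encryption key size is {key_size} bytes"))
    return findings


# Constructed sample PDUs for the example (not captured from any real device).
WEAK_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])    # NoInputNoOutput, bonding only
WEAK_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])
STRONG_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])  # KeyboardDisplay, bonding+MITM+SC
STRONG_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])  # DisplayYesNo, bonding+MITM+SC


def demo():
    """Assess both constructed exchanges; returns (weak_findings, strong_findings)."""
    weak = assess_pairing(parse_pairing_pdu(WEAK_REQ), parse_pairing_pdu(WEAK_RSP))
    strong = assess_pairing(parse_pairing_pdu(STRONG_REQ), parse_pairing_pdu(STRONG_RSP))
    return weak, strong


if __name__ == "__main__":
    for label, findings in zip(("weak", "strong"), demo()):
        print(label, findings or "no findings")
```

To use it on real traffic, feed the 7-byte SMP payloads that `btmon` shows under "SMP: Pairing Request" and "SMP: Pairing Response" to `parse_pairing_pdu`; an accessory that only ever negotiates the weak profile is the one to prioritise for hardening.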
2. Gaining Persistence via CAN Bus
After initial access, attackers inject malicious CAN messages to maintain control.
CAN Bus Tools:
```shell
# Install CAN utilities
sudo apt install can-utils
# Monitor CAN traffic
candump can0
# Inject CAN frames (can-utils syntax is <id>#<data>)
cansend can0 123#DEADBEEF
```
3. Data Exfiltration via OBD-II Port
The OBD-II port was used to extract vehicle telemetry.
OBD-II Commands:
```shell
# Query OBD-II data using obd.py
python3 obd.py --port /dev/ttyUSB0 --cmd "ATZ"
```
4. Lateral Movement via Infotainment System
The infotainment system’s Linux OS was compromised via privilege escalation.
Linux Privilege Escalation Checks:
```shell
# Check kernel version
uname -a
# List SUID binaries
find / -perm -4000 2>/dev/null
```
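The SUID listing above only helps if you know what the list looked like before the compromise. Added here as an example (not code from the researchers or from the infotainment unit), this script walks a filesystem tree for setuid binaries and diffs the result against a baseline allowlist, so a newly planted setuid helper stands out. The baseline and the demo directory tree are constructed for the example; on a real unit you would record the baseline from a known-good image.

```python
import os
import stat
import tempfile


def scan_suid(root: str) -> list:
    """Return sorted paths (relative to root) of regular files with the setuid bit set."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def audit_suid(observed, baseline) -> dict:
    """Compare observed setuid binaries with an allowlist recorded from a known-good image."""
    observed, baseline = set(observed), set(baseline)
    return {
        "unexpected": sorted(observed - baseline),  # new setuid files: investigate
        "missing": sorted(baseline - observed),     # expected files gone: also worth a look
    }


def build_demo_tree() -> str:
    """Create a constructed, throwaway tree with two setuid files and one ordinary binary."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {
        "usr/bin/passwd": 0o4755,                   # legitimate, in the baseline
        "usr/bin/ls": 0o755,                        # ordinary binary
        "usr/local/bin/dropped_helper": 0o4755,     # hypothetical planted setuid helper
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(full, mode)
    return root


# Constructed baseline: what the known-good image is expected to contain.
DEMO_BASELINE = ["usr/bin/passwd"]


def demo() -> dict:
    """Scan the constructed tree and diff it against the constructed baseline."""
    root = build_demo_tree()
    return audit_suid(scan_suid(root), DEMO_BASELINE)


if __name__ == "__main__":
    print(demo())
```

Run `scan_suid("/")` as root on the target image to produce the observed list; keep the baseline outside the unit so a compromised system cannot edit its own allowlist.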
What Undercode Say:
Car hacking is no longer theoretical. The Nissan Leaf case highlights critical IoT security flaws:
- Bluetooth Hardening: Always disable unnecessary BLE services.
- CAN Bus Segmentation: Isolate critical CAN networks from infotainment.
- OBD-II Security: Implement port authentication.
- Patch Management: Nissan’s failure to patch for two years is unacceptable.
Relevant Commands for Defenders:
```shell
# Bring up the CAN interface before monitoring (this configures the link; it does not filter messages by itself)
sudo ip link set can0 up type can bitrate 500000 triple-sampling on
# Monitor Bluetooth HCI traffic for suspicious BLE connections
sudo wireshark -k -i bluetooth0
# List loaded kernel modules whose name matches "nissan"
lsmod | grep -i nissan
```
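Bringing up `can0` gives you a bus to watch, but the injection in section 2 and the OBD-II queries in section 3 only become visible if something inspects the frames. This example, added here and not part of the original write-up or the researchers' tooling, reads `candump -l` log lines and raises an alert for three conditions: a frame whose arbitration ID is not in a per-vehicle baseline, a frame to the OBD-II diagnostic request IDs (0x7DF functional, 0x7E0 to 0x7E7 physical) outside a service session, and a known ID whose frame rate exceeds the baseline within a sliding window (the signature of an attacker injecting alongside the legitimate ECU). The baseline and the log lines are constructed for the example; the real allowlist and rates must be recorded from the specific vehicle.

```python
import re
from collections import defaultdict

# candump -l log format: "(<epoch.micro>) <iface> <id>#<hexdata>"
LOG_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)
DIAG_FUNCTIONAL = 0x7DF             # OBD-II functional (broadcast) request ID
DIAG_PHYSICAL = range(0x7E0, 0x7E8)  # OBD-II physical request IDs, ECU 0..7


def parse_candump_line(line: str):
    """Parse one candump log line; returns None for lines in another format (FD, remote frames, noise)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "iface": m["iface"],
            "id": int(m["id"], 16), "data": bytes.fromhex(m["data"])}


def detect(lines, baseline: dict, window: float = 1.0, service_mode: bool = False) -> list:
    """Return (timestamp, can_id, reason) alerts.

    baseline maps arbitration ID -> max frames allowed per `window` seconds.
    service_mode=True suppresses diagnostic alerts during an authorised workshop session.
    """
    alerts = []
    recent = defaultdict(list)  # can_id -> timestamps inside the sliding window
    for line in lines:
        frame = parse_candump_line(line)
        if frame is None:
            continue
        cid, ts = frame["id"], frame["ts"]
        if cid == DIAG_FUNCTIONAL or cid in DIAG_PHYSICAL:
            if not service_mode:
                alerts.append((ts, cid, "diagnostic-request"))
            continue
        if cid not in baseline:
            alerts.append((ts, cid, "unknown-id"))
            continue
        stamps = recent[cid]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:  # slide the window forward
            stamps.pop(0)
        if len(stamps) > baseline[cid]:
            alerts.append((ts, cid, "rate-exceeded"))
    return alerts


# Constructed baseline: ID 0x123 at most 5 frames/s, ID 0x2A0 at most 10 frames/s.
DEMO_BASELINE = {0x123: 5, 0x2A0: 10}

# Constructed log lines (not a real capture): five legitimate 0x123 frames, two injected
# duplicates, one diagnostic request, one unknown ID and one malformed line.
SAMPLE_LOG = """\
(1700000000.000000) can0 123#0000
(1700000000.200000) can0 123#0001
(1700000000.400000) can0 123#0002
(1700000000.500000) can0 2A0#11223344
(1700000000.600000) can0 123#0003
(1700000000.800000) can0 123#0004
(1700000000.850000) can0 123#DEADBEEF
(1700000000.860000) can0 123#DEADBEEF
(1700000000.900000) can0 7DF#0201000000000000
(1700000000.950000) can0 5F1#FF
this line is not a candump record
""".splitlines()


def demo() -> list:
    """Run the detector over the constructed log with the constructed baseline."""
    return detect(SAMPLE_LOG, DEMO_BASELINE)


if __name__ == "__main__":
    for ts, cid, reason in demo():
        print(f"{ts:.6f} id=0x{cid:03X} {reason}")
```

Pipe `candump -l can0` output into `detect` (or `candump -L can0` for the same format on stdout) once `can0` is up; the rate threshold is the part that needs tuning per vehicle, since every ECU has its own cycle time.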
Expected Output:
A fully documented attack chain from Bluetooth to CAN bus takeover, emphasizing the need for automotive security reforms.
Reported By: Dlaskov Automotive – Hackers Feeds