0x01 Introduction
After purchasing a car, one would hope to understand and become familiar with it as much as possible. But what if your car could be unlocked and driven away by someone else at will? Currently, mainstream car brands offer convenient car networking services, allowing owners to remotely control their vehicles through mobile apps and official accounts.
However, if the car networking platform has vulnerabilities and security issues, attackers could gain unauthorized control over other people's vehicles, leading to significant security risks and privacy breaches. Therefore, safeguarding vehicle cyber security is crucial. Car manufacturers and related platforms must pay close attention to security vulnerabilities and strengthen data encryption and identity verification measures to ensure the safety of vehicle and owner information. Additionally, owners should regularly update software, change default passwords, and enhance their personal cybersecurity awareness to avoid unnecessary risks and losses.
0x02 Unlock/lock
First of all, I personally purchased a car and logged into the relevant mobile app and official account as the owner, with the goal of understanding how to remotely control and manage my vehicle. After a period of research, I gradually understood the entire control process and discovered that I can remotely control all connected car models under the same car manufacturer.
Capturing the unlock request sent by the car app and fuzzing the interface yielded the related interface documentation. That documentation lists the manageLockUnlockDoor interface, which is not intended for use by vehicle owners.
https://127.0.0.1/xxx/xxxxxx/api/v1/xxxxx/manageLockUnlockDoor
This interface requires two parameters:
1. VIN: the Vehicle Identification Number, also known as the chassis number or frame number, is a group of 17 alphanumeric characters that can identify the manufacturer, engine, chassis number, and other performance data of a vehicle. To avoid confusion with the digits 1 and 0, the English letters "I", "O", and "Q" are not used. Each VIN is unique and does not repeat.
2. stationId: use the VIN to query the corresponding stationId value through other interfaces.
Through this mechanism, any vehicle can be unlocked without authorization.
curl -X POST "https://127.0.0.1/xxx/xxxxxx/api/v1/xxxxx/manageLockUnlockDoor" \
  -H "accept: application/json;charset=UTF-8" \
  -H "Content-Type: application/json" \
  -d '{ "stationId": "xxx", "type": "UNLOCK", "vin": "xxx"}'
{"data":"xxxx"}
0x03 Security Control
Further exploration of the app revealed more serious issues. When the car owner uses the app to unlock and start the vehicle, there is a PIN verification step. The PIN is used to verify that you are the actual owner by matching it with the vehicle identification number (VIN). If someone can easily look up the PIN associated with a VIN, they can impersonate the owner of that VIN and take complete control of the vehicle.
Fuzzing the vehicle control interface exposed the relevant interface documentation, and debugging through that documentation revealed that the getAccountByVin interface can obtain the PIN.
https://127.0.0.1/xxx/xxx/api/v1/xxx/getAccountByVin?vin=xxxx
By obtaining the corresponding PIN through any VIN, we can directly control all operations of the corresponding vehicle, such as starting, unlocking, closing windows, and opening the trunk.
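The two server-side controls missing in 0x02 and 0x03, as an added example that is not the manufacturer's code or part of the original post: the door command is authorized against the authenticated session's account instead of trusting the VIN in the request, and the PIN is verified on the server and never returned. Function names, the in-memory tables, VINs and PINs are constructed assumptions, and stationId is omitted.

```python
import hashlib
import hmac

# Constructed sample data: account that owns each VIN (stands in for the backend DB).
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SALT = b"constructed-demo-salt"


def _pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


# Only salted hashes are stored; the clear-text PIN is never kept or returned.
PIN_HASHES = {
    "TESTVIN0000000001": _pin_hash("4821"),
    "TESTVIN0000000002": _pin_hash("7730"),
}


def door_command_vulnerable(session: dict, vin: str, action: str) -> dict:
    """The flaw described above: the VIN in the request body is trusted as-is."""
    return {"status": 200, "vin": vin, "action": action}


def door_command_hardened(session: dict, vin: str, action: str, pin: str) -> dict:
    """Bind the command to the session's account and verify the PIN server-side."""
    if action not in ("LOCK", "UNLOCK"):
        return {"status": 400}
    account = session.get("account")
    # Object-level authorization: the authenticated account must own this VIN.
    # Unknown and foreign VINs get the same answer, so VINs cannot be probed.
    if account is None or OWNERS.get(vin) != account:
        return {"status": 403}
    # Constant-time comparison of the submitted PIN against the stored hash.
    if not hmac.compare_digest(_pin_hash(pin), PIN_HASHES[vin]):
        return {"status": 403}
    return {"status": 200, "vin": vin, "action": action}


def account_by_vin_hardened(session: dict, vin: str) -> dict:
    """Owner-only lookup that returns account fields but no PIN material."""
    account = session.get("account")
    if account is None or OWNERS.get(vin) != account:
        return {"status": 403}
    return {"status": 200, "vin": vin, "account": account}
```
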
Originally published on the WeChat official account (朱厌安全): Arbitrarily control the vehicle (fixed)