Posted on August 7, 2023 at 9:01 AM
Researchers Unveil Technique To Exploit AMD-Based Infotainment Systems
Researchers from the Technical University of Berlin have developed a technique to jailbreak the AMD-based infotainment systems found in all recent Tesla models, allowing them to run software of their own choosing on the unit.
Researchers jailbreak Tesla infotainment systems
The attack allows the researchers to extract a unique, hardware-bound RSA key stored on Tesla vehicles and used to authenticate the car within Tesla's service network. The root access gained through voltage glitching can also be used to activate software-locked features such as rear seat heating and “Acceleration Boost.”
Tesla owners normally have to pay for these features, but the researchers found a way around the paywall by enabling them without payment. The researchers unlocked the infotainment system using tools based on the team's previous AMD research.
That previous research had identified the potential for fault injection attacks on the AMD platform these systems are built on; such attacks can be used to extract secrets from the platform and potentially reach information vital to the system.
The entire research and the successful hack of the infotainment system will be released at a presentation at the BlackHat 2023 event slated to take place on August 9, 2023. The presentation is titled “Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater.”
The Tesla infotainment APU is based on an AMD Zen 1 CPU with known weaknesses, so the researchers could experiment with exploiting the flaws they had discovered previously to achieve a jailbreak.
The researchers' summary also notes that they used a known voltage fault injection attack against the AMD Secure Processor (ASP), which serves as the root of trust for the system; subverting the ASP is what gave them access.
The summary describes how the researchers used low-cost, off-the-shelf hardware to mount the glitching attack and subvert the early boot code run by the ASP. The researchers will also show how they reverse-engineered the boot flow to obtain a root shell on the recovery and production Linux distributions.
“We will present an attack against newer AMD-based infotainment systems (MCU-Z) used on all recent models. It gives us two distinct capabilities: First, it enables the first unpatchable AMD-based “Tesla Jailbreak”, allowing us to run arbitrary software on the infotainment. Second, it will enable us to extract an otherwise vehicle-unique hardware-bound RSA key used to authenticate a car in Tesla’s internal service network,” the team said.
Accessing sensitive information within the car’s system
Once the researchers obtained root permissions, they were free to make arbitrary changes that persist across infotainment system reboots and Tesla's over-the-air updates.
The researchers could also access and decrypt sensitive information stored in the car's system, including the owner's personal data, phonebook, calendar, call logs, and Spotify and Gmail session cookies, as well as WiFi passwords and visited locations.
The jailbreak also allows an attacker to extract the TPM-protected attestation key that Tesla uses to authenticate a car and verify the integrity of its hardware platform, and to migrate that key to another vehicle.
Besides impersonating the car's identity on the Tesla network, this could also help with using the car in unsupported regions, with independent repair, and with modding. One of the researchers noted that the jailbreak was performed with roughly $100 worth of electronic equipment and a soldering iron.
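To make concrete what possession of that key means for the service network, here is an added toy model of challenge-response device authentication. It is written for this page and is not Tesla's protocol or code; textbook RSA over tiny primes stands in for the real hardware-bound key as an assumption so the example runs on the standard library, and the VIN names, the nonce-plus-VIN message format and the class names are illustrative. The back end challenges a claimed VIN with a fresh nonce and checks the signature against the public key it enrolled for that VIN; a second vehicle that has imported the first vehicle's extracted private key passes that check as the first vehicle.

```python
"""Toy model of challenge-response vehicle authentication and what key
extraction breaks.  Added illustration for this page, not Tesla's protocol
or code.  Textbook RSA over tiny primes with no padding is used only so the
example runs on the standard library; never use it for anything real."""
import hashlib
import secrets

E = 65537  # public exponent


def toy_rsa_keypair(p, q):
    """Textbook RSA from two primes (assumption: ~30-bit toy primes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _digest_int(data, n):
    # Truncate SHA-256 to 7 bytes so the integer stays below the ~60-bit toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


class Vehicle:
    """A car holding its 'hardware-bound' private key (here: a plain integer,
    which is exactly the situation once the key has been extracted)."""

    def __init__(self, vin, priv):
        self.vin = vin
        self._priv = priv

    def respond(self, nonce, claimed_vin=None):
        # A genuine car signs for its own VIN; a clone signs for the VIN it claims.
        vin = claimed_vin or self.vin
        return sign(self._priv, nonce + vin.encode())


class ServiceNetwork:
    """Back end that enrolled one public key per VIN and authenticates by
    challenge-response: fresh nonce out, signature over nonce||VIN back."""

    def __init__(self):
        self.registry = {}

    def enroll(self, vin, pub):
        self.registry[vin] = pub

    def authenticate(self, claimed_vin, car):
        pub = self.registry.get(claimed_vin)
        if pub is None:
            return False
        nonce = secrets.token_bytes(16)  # fresh per attempt; defeats replay only
        sig = car.respond(nonce, claimed_vin)
        return verify(pub, nonce + claimed_vin.encode(), sig)


def demo():
    """Returns the outcome of four authentication attempts (constructed data)."""
    pub_a, priv_a = toy_rsa_keypair(1000000007, 998244353)
    pub_b, priv_b = toy_rsa_keypair(1000000009, 999999937)
    net = ServiceNetwork()
    net.enroll("VIN-A", pub_a)
    net.enroll("VIN-B", pub_b)
    car_a = Vehicle("VIN-A", priv_a)
    car_b = Vehicle("VIN-B", priv_b)
    # Car B after importing car A's extracted key: it now answers as A.
    clone = Vehicle("VIN-B", priv_a)
    return {
        "genuine_a": net.authenticate("VIN-A", car_a),
        "b_claims_a_with_own_key": net.authenticate("VIN-A", car_b),
        "b_claims_a_with_extracted_key": net.authenticate("VIN-A", clone),
        "unknown_vin": net.authenticate("VIN-Z", car_a),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The back end cannot tell the clone from the genuine car: the key is the identity, and binding the signed message to the VIN does not help because the VIN is public. The only thing that could distinguish them is evidence that the key never left its hardware, which is exactly what extracting the TPM-protected attestation key removes.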
The researchers said Tesla informed them that the proof-of-concept for unlocking rear seat heating relied on an old firmware version; updates to that configuration item now require a valid Tesla signature. Still, the research lays the groundwork for tweaking the whole system.
The key extraction exploit still works on the latest Tesla software update, so the vulnerability remains exploitable. While the current exploit was carried out by white-hat researchers, malicious actors could mount similar attacks and cause significant damage. The researcher has also refuted earlier claims that this jailbreak can compromise Full Self-Driving (FSD).