How to fuzz the USB stack in real cars
Overview
PoC for a vulnerability in the infotainment systems of real cars.
The research was presented at the DEFCON31 Car Hacking Village.
Description
The issue found in this research could crash the vehicle infotainment system via USB in production vehicles.
It has been tested on some production vehicles, but we believe it can be tested on any vehicle that supports USB input and could have an impact.
First, we used syzkaller, a well-known fuzzing tool.
syzkaller supports fuzzing tests against Linux subsystems. In addition to fuzzing Linux subsystems, it also provides the ability to fuzz the USB stack.
In the article below, we describe how to do USB-based fuzzing with syzkaller.
Next, we prepared the following steps to build a fuzzing environment with the syzkaller fuzzing tool:
1. Choose hardware
2. Set up a fuzzing test environment
3. Run fuzzing test!
Choose hardware
Whilst the documentation above recommends well-known hardware tools such as Facedancer21 that can be programmed to emulate USB devices, that hardware is not readily available, so, after testing other hardware devices, we used the Raspberry PI, which supports the "USB OTG" feature.
![[Figure 1] Raspberry PI4](https://prod-files-secure.s3.us-west-2.amazonaws.com/ddfb90e3-766a-4fa2-b58c-bd09d4b4e865/162bc21b-5760-4905-a412-4cf044914999/raspberrypi.jpg)
The Raspberry PI hardware above includes USB OTG functionality on a port that supplies 5V power, so it can be connected using a USB-C cable.
Set up a fuzzing test environment
To build the fuzzing environment, we used the official documentation of the syzkaller tool mentioned above. An additional tool called raw-gadget was used here.
raw-gadget is a module for implementing a low-level interface to the Linux USB gadget subsystem, which can be used to emulate physical or virtual USB devices.
Run fuzzing!
Here's a general description of the fuzzing environment we've built. The diagram below illustrates how the syzkaller fuzzer operates on Raspberry Pi hardware. The inputs used by the fuzzer are based on syzkaller's reproduction values.
These input values are transmitted by syzkaller through the connected USB port.
![[Figure 2] Fuzzing Overview](https://prod-files-secure.s3.us-west-2.amazonaws.com/ddfb90e3-766a-4fa2-b58c-bd09d4b4e865/744dbcf1-3da8-4766-aecd-e69fd2d17b9b/fuzzer_overview.png)
The reproduction code provides various USB input data collected from over 300 known USB vulnerabilities identified by syzkaller.
![[Figure 3] Syzbot Reproduction](https://prod-files-secure.s3.us-west-2.amazonaws.com/ddfb90e3-766a-4fa2-b58c-bd09d4b4e865/34ff8ad3-e048-4676-b493-46823304935b/syzbot-reproduction.png)
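For triaging the crashes such a test run produces on a bench unit, the following added example (not part of the original research) attributes crash signatures in a kernel log to the USB device that was attached at the time. It assumes the target exposes a Linux-style kernel log; the sample log, the `triage` function and the `example_probe` symbol are constructed for illustration.

```python
import re

# Constructed kernel-log excerpt (not captured from any vehicle). Line shapes
# follow Linux USB core and KASAN/panic messages; example_probe is hypothetical.
SAMPLE_LOG = """\
[  101.200000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.350000] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  101.900000] usb 1-1: USB disconnect, device number 4
[  230.100000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  230.260000] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 0.40
[  230.300000] usb 1-1: config 0 descriptor??
[  230.410000] BUG: KASAN: slab-out-of-bounds in example_probe+0x1a0/0x2c0
[  230.900000] Kernel panic - not syncing: Fatal exception
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
FOUND = re.compile(r"usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
GONE = re.compile(r"usb (\S+): USB disconnect")
CRASH = re.compile(r"BUG: |KASAN: |general protection fault|"
                   r"Unable to handle kernel|Kernel panic|Oops")


def triage(log, window=5.0):
    """Return crash findings, each with the USB devices attached shortly before."""
    attached = {}   # port -> ("vid:pid", attach timestamp)
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if (f := FOUND.search(msg)):
            attached[f.group(1)] = (f"{f.group(2)}:{f.group(3)}", ts)
        elif (g := GONE.search(msg)):
            attached.pop(g.group(1), None)      # device left before any crash
        elif CRASH.search(msg):
            suspects = sorted(d for d, t in attached.values() if ts - t <= window)
            findings.append({"time": ts, "crash": msg, "suspects": suspects})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["time"], finding["suspects"], finding["crash"])
```

Recording the suspect vendor/product pair next to each crash makes it possible to tell which emulated device to re-test after a firmware fix.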
Vehicles Affected
- GM Chevrolet Equinox 2021 (build version 2021.03.26)
- Renault ZOE EV 2021 (versions 283C35202R ~ 283C35519R)
- Volkswagen Jetta 2021 (Hardware 724, Software 0876)
- …
References
- https://github.com/google/syzkaller
- https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md
- https://github.com/xairy/raw-gadget
- https://syzkaller.appspot.com/upstream?manager=ci2-upstream-usb