SEC Consult Vulnerability Lab Security Advisory < 20180529-0 >
===
title: Unprotected WiFi access & Unencrypted data transfer
product: Vgate iCar 2 WiFi OBD2 Dongle
vulnerable version: Vgate iCar 2 WiFi OBD2 Dongle
fixed version: -
CVE number: CVE-2018-11476
CVE-2018-11477
CVE-2018-11478
impact: Critical
homepage: http://www.vgate.com.cn
found: 2018-04-24
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===
Vendor description:
---
"Based in Shenzhen, China, Vgate Technology.co ltd. specializes in the
development, design and manufacture of diagnostic equipment, tools and
accessories in the automotive aftermarket industry.
We offer a selective range of products from automotive diagnostic tools
including code readers and scan tools, to test and inspection equipment such as
sensor testers and battery testers. Aside from the above, we also carry garage
equipment like infrared paint dryers and pipe expanders, and automotive
diagnostic accessories such as OBD diagnostic cable assemblies, SAE J1962
connectors, and vehicle to PC (or PDA) interface adapters (VAG-COM interfaces).
Though the company is young in age, we are strong in experiences in that all of
our major engineers have extensive R&D experience in the automotive aftermarket
technology. With the combination of our experienced and distinguished
specialists, low-cost manufacturing and exceptional customer service, M.B is
able to become the supplier of choice who delivers high quality products,
user-friendly designs and most competitive prices to both professional and
amateur (or DIYers) automotive technicians.
We are proud of ourselves in providing cost effective, timely and innovative
solutions with a first class service."
Source: http://www.vgate.com.cn/en/Aboutus.html
Business recommendation:
---
By exploiting the vulnerabilities documented in this advisory, an attacker can
easily send arbitrary messages to the automotive communication bus
(CAN/FlexRay/...) of the car electronics and potentially take over
safety-critical car functions.
The vendor told SEC Consult in a phone call that the identified security
issues are common practice for such hardware and therefore will not be fixed!
SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
---
1) Unprotected WiFi Access (CVE-2018-11476)
The dongle opens an unprotected wireless LAN which cannot be configured with an
encryption / password. This enables anyone within the range of the WLAN to
connect to the network without authentication.
2) Unencrypted Data Transfer (CVE-2018-11477)
The data packets which are sent between the App and the OBD dongle are not
encrypted. The combination of this vulnerability with the lack of a wireless
network protection exposes all transferred car data to the public.
3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)
The OBD port is used to receive measurement data and debug information from the
car. On-board diagnostics can also be used to send commands to the car; these
commands differ for every vendor / car product line / car.
The mentioned features are usually needed for maintenance purposes but can be
abused by attackers. This is possible because the OBD interface is directly
accessible through TCP port 35000 on the (unprotected) wireless access point of
the OBD device.
Since it is never intended that other people have access to the data bus (e.g.
CAN) of your car while you are driving, this vulnerability is seen as highly
critical and as a safety-critical threat to the public.
Proof of concept:
---
Detailed proof of concepts have been removed as the vendor did not provide
a patch.
1) Unprotected WiFi Access (CVE-2018-11476)
The unprotected wireless LAN is named "V-LINK". It is created by the "Fn-Link
(6110R-IF)" module, which acts as a wireless UART bridge to hand over the
commands of the App to the ELM327-compatible "iCar-2" chip.
2) Unencrypted Data Transfer (CVE-2018-11477)
All commands starting with "AT", as well as "0100" and "0120", are strings sent
from the App to the OBD dongle. The "X" character is a wildcard for an
arbitrary hexadecimal value and is used to anonymize car data in responses
for this advisory.
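The following Python script is an added illustration, not part of the SEC Consult advisory or of any vendor code: it decodes a constructed sample of such a plaintext ELM327 exchange and shows what the App's "AT" commands and its "0100"/"0120" supported-PID requests, together with the dongle's replies, reveal to anyone listening on the open WLAN. The captured lines and response bytes are made up for the example.

```python
"""Decode a plaintext ELM327/OBD-II exchange as seen on the open V-LINK link."""
import re

# Constructed sample of the request/response stream (not real car data).
# ">" is the ELM327 prompt that terminates each dongle reply.
SAMPLE_CAPTURE = [
    ("app",    "ATZ"),
    ("dongle", "ELM327 v1.5\r\r>"),
    ("app",    "ATSP0"),
    ("dongle", "OK\r\r>"),
    ("app",    "0100"),                        # service 01, PID 00: PIDs 01-20 supported?
    ("dongle", "41 00 BE 3E B8 11\r\r>"),
    ("app",    "0120"),                        # service 01, PID 20: PIDs 21-40 supported?
    ("dongle", "41 20 80 00 00 01\r\r>"),
]

def classify_command(cmd):
    """Label a command as an ELM327 AT command, an OBD-II service request, or unknown."""
    cmd = cmd.strip().upper()
    if cmd.startswith("AT"):
        return "elm327_at"
    if re.fullmatch(r"[0-9A-F]{2,}", cmd):    # hex service + PID, e.g. "0100"
        return "obd_service_%02X" % int(cmd[:2], 16)
    return "unknown"

def decode_supported_pids(response):
    """Parse a service 01 'supported PIDs' reply (41 00 / 41 20 / ...) into a PID set."""
    hexbytes = re.findall(r"[0-9A-F]{2}", response.upper())
    if len(hexbytes) != 6 or hexbytes[0] != "41" or int(hexbytes[1], 16) % 0x20 != 0:
        raise ValueError("not a supported-PIDs response: %r" % response)
    base = int(hexbytes[1], 16)
    bitmap = int("".join(hexbytes[2:]), 16)   # 32-bit mask, MSB = PID base+1
    return {base + 1 + i for i in range(32) if (bitmap >> (31 - i)) & 1}

def summarize_capture(capture):
    """Pair each App request with the dongle reply and decode what an eavesdropper learns."""
    summary, pending = [], None
    for sender, line in capture:
        if sender == "app":
            pending = line.strip().upper()
            continue
        kind = classify_command(pending)
        entry = {"request": pending, "kind": kind, "response": line.strip(" \r>")}
        if kind == "obd_service_01" and pending[2:4] in ("00", "20", "40", "60", "80", "A0", "C0"):
            entry["supported_pids"] = sorted(decode_supported_pids(line))
        summary.append(entry)
    return summary

if __name__ == "__main__":
    for entry in summarize_capture(SAMPLE_CAPTURE):
        print(entry)
```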
The following plain-text co