Double Tap at the Blackbox: Hacking a Car Remotely Twice with MiTM

Black Hat (video, 29:53)

Description

Security researchers demonstrate how to compromise a major Chinese car manufacturer's vehicles remotely using Man-in-the-Middle (MiTM) attacks. The presentation details two significant vulnerabilities that allow full remote vehicle control by exploiting insecure update mechanisms and flawed HTTPS implementations.

Double Tapping the Blackbox: Remote Automotive Compromise via MiTM

Automotive security is often perceived as an elite domain, reserved for researchers with deep pockets and the ability to disassemble expensive vehicles. However, as the world moves toward connected vehicles, the attack surface has shifted significantly toward the network. At Black Hat Asia, researchers Yingjie Cao and Xinfeng Chen demonstrated that you don't always need a soldering iron to hack a car. By focusing on the 'Blackbox'—the vehicle as a connected entity—they uncovered critical Man-in-the-Middle (MiTM) vulnerabilities in a major Chinese car manufacturer that allowed for total remote control.

This post explores the technical details of their 'Double Tap' attack, showing how a sequence of seemingly minor misconfigurations can lead to a full system compromise. Whether you are a mobile security researcher or an IoT enthusiast, these findings highlight the critical importance of secure communication and robust privilege boundaries in the automotive sector.

The Landscape of Modern Car Hacking

Traditional car hacking involves purchasing ECUs, dumping firmware, and hunting for memory corruption. This is expensive and time-consuming. The researchers in this study opted for a more practical approach: renting vehicles and analyzing their mobile ecosystems. They tracked a manufacturer with over 140,000 annual sales, observing their security evolution over three years. Despite the introduction of standards like ISO 21434 and UN R155, fundamental implementation errors persisted, particularly in how the vehicles communicated with the cloud and app stores.

Exploit 1: The HTTP Update Trap

In the first scenario, the researchers targeted an older infotainment system. The entry point was deceptively simple: the car's built-in app store updated its applications over plain HTTP. By positioning themselves as a Man-in-the-Middle, the team could intercept the update request and provide a modified APK. This malicious app granted them an initial, low-privilege shell on the Android-based infotainment system.

Breaking the Factory Mode

Once they had a shell, the goal was to enable ADB (Android Debug Bridge). They focused their reverse engineering efforts on the BDPone (Bluetooth Phone) application. Inside the APK, they found logic for a 'Factory Mode' triggered by secret dialer codes. The codes followed a format of *#NUMBER#*.

Through static analysis, they identified two key strings:

  • 9925111: Triggered OS/Hardware version displays.
  • 9387141: Triggered system settings.

However, entering these codes required an authentication response. The researchers reversed the 'encryption' logic used to verify the response. Instead of using standard libraries like OpenSSL, the manufacturer had implemented a custom algorithm using simple addition and multiplication based on the device's hardware ID. This was trivial to crack, allowing the researchers to unlock Factory Mode and enable ADB.

Privilege Escalation: From User to Root

Even with ADB, the shell ran as UID 2000, Android's unprivileged shell user. To control the vehicle's hardware, root access was mandatory. The target system ran an older kernel vulnerable to two classic exploits: CVE-2015-1805 (Pipe Read) and Dirty Cow (CVE-2016-5195).

Because the vehicle's system partition was read-only, Dirty Cow could not be used to gain persistence or directly overwrite /system/bin/sh. Instead, the researchers used Dirty Cow to patch a logging binary that was already running with system privileges. By hijacking this process, they elevated their shell to system status. From this vantage point, they could read /proc/kallsyms to bypass KASLR (Kernel Address Space Layout Randomization). With the kernel offsets in hand, they executed the Pipe Read exploit to gain a full root shell.

Exploit 2: The Illusion of HTTPS Security

In newer models, the manufacturer moved to HTTPS. However, 'using HTTPS' is not the same as 'using HTTPS correctly.' The researchers analyzed the car's mobile control app and found a critical flaw in its SSL/TLS implementation.

Flawed Trust Managers

The application utilized a custom X509TrustManager. In a secure implementation, this manager should strictly validate the server's certificate against a known root CA. In this case, the implementation was broken in two ways:

  1. User Certificate Trust: The app trusted certificates installed in the user's certificate store, rather than just the system store.
  2. Null Validation: The checkServerTrusted method was improperly implemented, effectively allowing any certificate that looked remotely valid to pass.
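As an added illustration (not code from the talk or from the vendor's app), the shape of the broken trust manager described above sits beside a hardened form that validates the chain only against a CA certificate shipped inside the app, so neither the system store nor user-installed certificates are consulted. Class names and the `vendorCa` parameter are hypothetical; hostname verification still happens separately in the `HostnameVerifier`.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExamples {

    // Anti-pattern of the kind described above: checkServerTrusted does no work, so the
    // TLS handshake succeeds against any certificate, including one a MiTM presents.
    // Hypothetical illustration, not the vendor app's code.
    public static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Hardened form: build the trust manager from an explicit KeyStore that holds only the
    // manufacturer's CA certificate embedded in the app. Nothing from the platform's system
    // or user certificate stores is trusted, and full chain validation is delegated to the
    // platform implementation rather than re-implemented.
    public static final class PinnedCaTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        public PinnedCaTrustManager(X509Certificate vendorCa) throws Exception {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);                        // start empty, not from any platform store
            ks.setCertificateEntry("vendor-ca", vendorCa);
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager found = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
            }
            if (found == null) throw new IllegalStateException("no X509TrustManager available");
            this.delegate = found;
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            delegate.checkServerTrusted(chain, authType);   // signatures, validity, path to vendor CA
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not accepted here");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
}
```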

By performing ARP spoofing and presenting a self-signed certificate, the researchers could intercept and decrypt the traffic. They discovered the app used MQTT and HTTPS to send control commands. By analyzing the JSON payloads, they identified the command structure:

  • targetId: The vehicle's VIN.
  • commandType: The action to perform (e.g., open windows, unlock trunk).

Since the commands lacked a robust timestamp or challenge-response mechanism, the researchers could simply replay the intercepted packets to control the vehicle at will.
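Added example, not part of the talk or the vendor's protocol: a server-side verifier for the targetId/commandType command described above that binds each command to a timestamp and a single-use nonce under a per-vehicle HMAC key, so an intercepted packet fails when it is sent again. The key, the `tsMs` and `nonce` fields and the sample VIN are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CommandVerifier {
    private static final long MAX_AGE_MS = 30_000;           // a command is valid for 30 s
    private final byte[] perVehicleKey;                      // hypothetical key provisioned per VIN
    private final Set<String> seenNonces = new HashSet<>();  // production: expire entries past MAX_AGE_MS

    public CommandVerifier(byte[] perVehicleKey) { this.perVehicleKey = perVehicleKey; }

    // Everything the MAC covers: the two fields the talk identified plus the freshness fields.
    static String canonical(String targetId, String commandType, long tsMs, String nonce) {
        return targetId + "|" + commandType + "|" + tsMs + "|" + nonce;
    }

    // Tag the sender (the mobile app) attaches to the JSON command.
    public String sign(String targetId, String commandType, long tsMs, String nonce) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(perVehicleKey, "HmacSHA256"));
        byte[] msg = canonical(targetId, commandType, tsMs, nonce).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(mac.doFinal(msg));
    }

    // Server-side check: authentic, recent, and never seen before. A captured packet that is
    // sent again carries a valid tag but a used nonce (and soon a stale timestamp), so it fails.
    public boolean verify(String targetId, String commandType, long tsMs, String nonce,
                          String tag, long nowMs) throws Exception {
        if (nowMs - tsMs > MAX_AGE_MS || tsMs > nowMs + MAX_AGE_MS) return false;   // stale or far future
        byte[] expected = sign(targetId, commandType, tsMs, nonce).getBytes(StandardCharsets.UTF_8);
        byte[] given = tag.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;                  // constant-time compare
        return seenNonces.add(nonce);                                                // false if already used
    }

    public static void main(String[] args) throws Exception {
        CommandVerifier v = new CommandVerifier("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String vin = "VIN-CONSTRUCTED-0001", cmd = "UNLOCK_TRUNK", nonce = "a1b2c3";
        long ts = 1_700_000_000_000L;
        String tag = v.sign(vin, cmd, ts, nonce);
        System.out.println(v.verify(vin, cmd, ts, nonce, tag, ts + 1_000));     // true: first delivery
        System.out.println(v.verify(vin, cmd, ts, nonce, tag, ts + 2_000));     // false: replayed nonce
        System.out.println(v.verify(vin, cmd, ts, "d4e5f6", tag, ts + 3_000));  // false: tag does not match
    }
}
```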

Mitigation and Defense

The researchers noted that while the manufacturer did eventually patch these issues, the lifecycle of automotive vulnerabilities is dangerously long. Patches often took over a year to reach vehicles. To defend against these attacks, manufacturers must:

  • Enforce Certificate Pinning: Mobile apps should only trust a specific, hardcoded certificate for cloud communication.
  • Use Whitebox Cryptography: Hidden codes and authentication logic should not rely on simple arithmetic that can be reversed from an APK.
  • Implement Secure Boot: Root-level privilege escalation becomes much harder if the kernel and system partitions are cryptographically verified at boot.
  • Remove Legacy Debugging: Factory modes and ADB should be entirely removed from production builds or protected by strong, per-device asymmetric authentication.

Conclusion

The 'Double Tap' research serves as a wake-up call for the automotive industry. It proves that even without disassembling a car, researchers can find devastating vulnerabilities by looking at the gaps in network implementation. As cars become more like 'smartphones on wheels,' they inherit all the security risks of the mobile world—often without the rapid patch cycles we expect from our phones. For researchers, this means that the 'Blackbox' approach is not only viable but highly effective for uncovering the next generation of automotive threats.

AI Summary

In this research presentation from Black Hat Asia, Yingjie Cao and Xinfeng Chen detail their three-year journey tracking and exploiting the security of a major Chinese automotive manufacturer. The talk begins by highlighting the high barrier to entry in automotive security, often requiring expensive hardware or physical access to vehicles. To overcome this, the researchers adopted a blackbox testing methodology, utilizing rented vehicles and intercepted network traffic to find vulnerabilities remotely. Their research identified two primary Man-in-the-Middle (MiTM) entry points that could lead to full vehicle compromise. The first exploit chain targeted a car model from 2018. The researchers discovered that the vehicle's app store downloaded updates over unencrypted HTTP. By hijacking this traffic, they replaced a legitimate application with a malicious one that provided a low-privilege remote shell. From there, they reverse-engineered the system's 'factory mode' by analyzing the Bluetooth phone application (BDPone). They uncovered hidden dialer codes—specifically 9925111 for system info and 9387141 for settings—which were protected by a weak custom encryption algorithm. After cracking this algorithm (which used simple addition and multiplication of device IDs), they enabled Android Debug Bridge (ADB) access. To escalate from a low-privilege shell to root, they utilized a combination of CVE-2015-1805 (a pipe read TOCTOU vulnerability) and 'Dirty Cow' (CVE-2016-5195). Because the car's filesystem was read-only, Dirty Cow was used to overwrite a system-privileged logging binary in memory to gain system-level access, which then allowed them to find kernel offsets necessary for the Pipe Read exploit to gain full root privileges. Once root was achieved, they used the Android Binder mechanism to send CAN messages via Java and Python, achieving full remote control over vehicle functions like door locks and lights. 
The second exploit targeted newer models that had implemented HTTPS. However, the implementation was flawed. The researchers found that the car control application used a custom X509TrustManager that failed to properly validate certificate chains and trusted user-added certificates. By performing ARP spoofing and using a self-signed certificate, they were able to decrypt the HTTPS and MQTT traffic between the mobile app and the cloud. Analysis of the decrypted traffic revealed a simple command structure based on the vehicle's VIN. They demonstrated that replaying these commands allowed them to control the windows, lights, and trunk of the vehicle remotely. The talk concludes with a discussion on the slow patching cycles in the automotive industry, where vulnerabilities can remain unpatched for years, and a call for the community to use their open-source tools for identifying similar MiTM flaws in other vehicles.
