
Exploiting Wi-Fi Stack on Tesla Model S - DyslexicAtheist
https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/
======
castratikron
So this exploit is not specific to Tesla but rather any Linux 2.6.36 (and
maybe up) that uses the 88W8688 (and maybe others), which could be a pretty
common combination. And all that's required is an AP running the exploit,
everything is automatic. Very impressive.

~~~
jchw
Q: How come Teslas are running kernels from 2008?

~~~
cjbprime
It appears that: Tesla bought this all-in-one ARM board from Parrot, and
Parrot gave them a 2.6.36 kernel with thousands of custom patches in, and
Tesla's not in much of a position to port it to a newer kernel, and then
Parrot presumably went on to building other stuff and ignored keeping this
kernel up to date and now we're here.

They (probably Parrot) might have updated it in the last year since the
vulnerability was discovered though, it's hard to tell.

~~~
NullPrefix
If it's not in mainline kernel - it's abandonware.

------
cjbprime
> As Linux Kernel 2.6.36 does not support NX

Does the Model S really run 2.6.36, first released ten years ago? I'm sure
they're using a stable branch and keeping up with security patches in general
[1], but that's still shocking to me.

[1]: although not 100% of security patches are going to end up in the stable@
queue or have their effect on 2.6.36 considered.

~~~
slg
It looks like a car would need to be over 2 years behind Tesla's OTA updates
for it to still have version 2.6.36 and be vulnerable to this exploit.

[https://electrek.co/2017/06/30/tesla-new-linux-kernel-update-ui-improvements/](https://electrek.co/2017/06/30/tesla-new-linux-kernel-update-ui-improvements/)

EDIT: See nils2014's comments below. The WiFi chip is connected to the
entertainment system which received an updated kernel, but it seems like
the kernel on the WiFi chip itself may not have been updated.

~~~
nils2014
The kernel version of the information center is irrelevant.

The Wi-Fi stack is running on a _separate_ module (the Parrot module, as
mentioned in the article), which runs its own obsolete Linux version.

~~~
cjbprime
I wonder if there's a way to find out which kernel version Parrot runs today.

~~~
stefan_
Do they even still exist? It's impossible to find anything on these modules
beyond FCC filings; some pixelated datasheets show the modules with
"www.parrot.com" printed on them but going as far back as 2017 in the WWW
archive, that site belongs to some drone startup.

~~~
cjbprime
What do you mean by "still exist"? Obviously a vuln was found in one that was
inside a Model S, reported to Tesla and fixed.

~~~
stefan_
Marvell fixed the bug in their firmware and apparently Tesla shipped some sort
of update, I don't see anything that necessarily requires Parrot, the obscure
maker of these modules, to do anything.

~~~
cjbprime
Oh! You misunderstood my question: I meant to ask whether Tesla's latest
software update continues to ship a 2.6.36 kernel on Parrot, or a newer kernel
instead, as they do for their other modules.

(Tesla uses the name Parrot to refer to this system in the car.)

A reason for them not to still be on 2.6.36 is that it's deeply exploitable.

~~~
stefan_
I think the root of the confusion here is that you think Parrot is just a
Tesla nickname. But Parrot is the name of the manufacturer of the fully-
integrated WiFi+Bluetooth module so Tesla likely have nothing to do with the
firmware that runs on that module with the ancient kernel.

As far as I can tell, Parrot-the-module-maker split from Parrot-the-drone-
company and is now [http://parrot-faurecia-automotive.com](http://parrot-faurecia-automotive.com)

~~~
cjbprime
Oh, I didn't get that impression. Keen's previous Black Hat paper made it
sound like Tesla is dual-maintaining 2.6.36 and 4.x kernels, because they're
unable/unwilling to upgrade from 2.6.36 on the Parrot board but are still
issuing kernel fixes for it.

~~~
stefan_
Looking at the datasheet some more, it does seem like the intention is for
Tesla (or some other customer) to develop userland software and integrate that
with Parrot's SDK into a final firmware image for the module. But in that case,
their situation is much the same as it is with the nVidia Tegra entertainment
board: you are totally dependent on nVidia and Parrot to provide the basic
infrastructure from bootloader to a Linux kernel with drivers to interface all
the functionality they are selling you (a BSP). None of their hardware has any
part upstreamed.

In Teslas position, as the ultimate vendor that is shipping this stuff on
thousands of cars, you might decide that your supplier isn't forthcoming with
security updates and decide to backport some isolated fixes to the kernel, but
an upgrade from 2.6 to say even 4.4 is entirely out of the question; there are
thousands of lines of hacked-together proprietary vendor code in those kernels
where just going up a minor version will break the build. For a 2.6 based
system in particular, you would essentially need to convert the entire board
support to a device tree based system.

~~~
mschuster91
> there are thousands of lines of hacked-together proprietary vendor code in
> those kernels where just going up a minor version will break the build. For
> a 2.6 based system in particular, you would essentially need to convert the
> entire board support to a device tree based system.

What I don't get with these cases at all: by the GPL manufacturers are forced
to provide the full (!) Linux kernel source code, same goes for u-boot. But
while Tesla at least seems to provide source code
([https://github.com/teslamotors](https://github.com/teslamotors)), why the
fuck and how can Android phone and other embedded device makers get away with
not publishing anything?

Let's just take two examples of hardware that I know run Linux because I
managed to root them:

\- Sony A7S2 camera: the firmware is at
[https://www.sony.com/electronics/support/downloads/00016077](https://www.sony.com/electronics/support/downloads/00016077),
but no mention _at all_ about contained open-source code, licenses, or build
instructions

\- HP Z2100 24-inch plotter: firmware is at
[https://support.hp.com/sg-en/drivers/selfservice/hp-designjet-z2100-photo-printer-series/3204963](https://support.hp.com/sg-en/drivers/selfservice/hp-designjet-z2100-photo-printer-series/3204963)
(you have to select Windows XP 32-bit to see the firmware download, even though
the firmware can be installed via anything capable of running a browser), and
again, no mention of anything regarding Linux.

~~~
mirashii
It's important to remember that the GPL does not require that the modified
source be publicly accessible, only available to those who you've distributed
the modified program to. How that's verified and distributed is unspecified.

~~~
cjbprime
> only available to those who you've distributed the modified program to

That's not true. GPLv2 text:

> Accompany it with a written offer, valid for at least three years, to give
> _any third party_ , for a charge no more than your cost of physically
> performing source distribution, a complete machine-readable copy of the
> corresponding source code

(Emphasis mine.)

~~~
mirashii
There's two issues with that. First, that's only one of three available
options (two for commercial entities) that satisfy the license. The other is
to include a copy of the source code with the software distribution. However,
separately, this does not require that the source code be posted in a public
place for anyone to access. You only must give with the distribution a written
offer. That offer is valid to anyone, but it doesn't need to be posted in
public and the source code does not need to be posted in public.

------
avisaven
If you find WiFi-based attacks on devices to be interesting, you may be
interested in the following research from Google Project Zero on attacking the
iPhone’s WiFi stack (and linked are articles on Android):

[https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)

------
explorigin
Technically interesting and also interesting that this comes from Tencent.

> Tencent Holdings Limited is a Chinese multinational conglomerate holding
> company founded in 1998, whose subsidiaries specialise in various Internet-
> related services and products, entertainment, artificial intelligence and
> technology both in China and globally.

~~~
netsharc
I'd say it's no different to Google Project Zero.

Of course since it's China, there'd be worries. I'd guess the Chinese
government also employs crack hackers, like the NSA probably does?

~~~
monocasa
Yeah, but they don't share 0 days like this, just like the NSA doesn't.

~~~
close04
From the article:

> Responsible disclosure

> All the two vulnerabilities we presented above are reported to Tesla in
> March 2019. Tesla already fixed them in version 2019.36.2, and the Marvell
> also has deployed a fix and published a security advisory[4] to the issue.
> The disclosure of the vulnerability research report had been communicated to
> Tesla, and Tesla is aware of our release.

~~~
monocasa
Right... They shared the 0 day.

NSA and Comment Crew just sit on them like a dragon hoarding gold.

~~~
rrdharan
I believe it’s less black and white than that - all of these organizations
have both offensive and defensive priorities and sometimes choose to disclose
exploits publicly after calculating their remaining value. See e.g.

[https://foreignpolicy.com/2017/09/25/is-the-nsa-doing-more-harm-than-good-in-not-disclosing-exploits-zero-days/](https://foreignpolicy.com/2017/09/25/is-the-nsa-doing-more-harm-than-good-in-not-disclosing-exploits-zero-days/)

[https://www.npr.org/sections/alltechconsidered/2017/11/17/564755961/government-outlines-when-it-will-disclose-or-exploit-software-vulnerabilities](https://www.npr.org/sections/alltechconsidered/2017/11/17/564755961/government-outlines-when-it-will-disclose-or-exploit-software-vulnerabilities)

~~~
monocasa
Can you give an example of a recent (say last decade) exploit the NSA or PLA
Unit 61398 have publicly disclosed?

~~~
spiorf
In a way the NSA did publicly disclose EternalBlue.

~~~
monocasa
Lol, not quite what I meant.

------
punnerud
By only connecting the Tesla to an AP with PMF (encrypted management frames)
enabled, this exploit would not work? Because then you can not force a
reconnect to the AP using Deauthenticate frames.

The problem is more explained here in a recent HN post:
[https://news.ycombinator.com/item?id=21889837](https://news.ycombinator.com/item?id=21889837)

~~~
stefan_
The DEAUTH thing is entirely incidental to the fully remote kernel code
execution exploit chain.

~~~
punnerud
I can agree on the Deauth, though it would maybe make it less susceptible to
automated attack. I see that Action frames are also encrypted and verified when
PMF is enabled, so is it still viable to avoid the exploit?
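
What a PMF-capable station actually checks on an incoming deauthentication, disassociation or action frame, as an added illustration for the two comments above (this is example code, not code from the article, Tesla or Marvell; the frames are constructed, not captured). Under 802.11w these "robust" management frames must carry the Protected Frame bit and decrypt correctly once PMF has been negotiated; an unprotected forgery from an attacker's AP is dropped before it can force a reconnect. The example checks only the bit and the subtype; a real stack (mac80211, for instance) then also decrypts the body with the pairwise key or verifies the BIP MIC, which is left out here. As stefan_ notes, this only covers the deauth step, not whatever frames the rest of the chain relies on:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* 802.11 Frame Control field, transmitted little-endian.
 * bits 2-3: type, bits 4-7: subtype, bit 14: Protected Frame. */
#define FC_TYPE_MGMT        0x0
#define FC_SUBTYPE_DISASSOC 0xA
#define FC_SUBTYPE_DEAUTH   0xC
#define FC_SUBTYPE_ACTION   0xD
#define FC_PROTECTED        0x4000

enum verdict {
    ACCEPT = 0,           /* hand the frame to the MLME as usual          */
    DROP_UNPROTECTED = 1, /* PMF negotiated but Protected bit missing     */
    NOT_ROBUST = 2,       /* beacon/probe etc.: 802.11w does not cover it */
    DROP_MALFORMED = 3    /* shorter than a management header             */
};

/* pmf_negotiated: the station and AP agreed on 802.11w at association.
 * hdr points at the Frame Control field; len is the bytes available. */
static int mgmt_frame_verdict(const uint8_t *hdr, size_t len, bool pmf_negotiated)
{
    if (len < 24)
        return DROP_MALFORMED;

    uint16_t fc = (uint16_t)hdr[0] | ((uint16_t)hdr[1] << 8);
    unsigned type    = (fc >> 2) & 0x3;
    unsigned subtype = (fc >> 4) & 0xF;
    bool protected_bit = (fc & FC_PROTECTED) != 0;

    if (type != FC_TYPE_MGMT)
        return NOT_ROBUST;

    bool robust = subtype == FC_SUBTYPE_DEAUTH ||
                  subtype == FC_SUBTYPE_DISASSOC ||
                  subtype == FC_SUBTYPE_ACTION;
    if (!robust)
        return NOT_ROBUST;

    /* Without PMF a deauth is accepted on sight: this is what lets an
     * attacker's AP force the reconnect discussed above. */
    if (!pmf_negotiated)
        return ACCEPT;

    return protected_bit ? ACCEPT : DROP_UNPROTECTED;
}

/* Build a minimal management frame: FC, duration, addr1/2/3, seq ctrl
 * (24 bytes, zeroed apart from FC) followed by the body. */
static size_t build_mgmt_frame(uint8_t *out, uint16_t fc,
                               const uint8_t *body, size_t body_len)
{
    memset(out, 0, 24);
    out[0] = (uint8_t)(fc & 0xFF);
    out[1] = (uint8_t)(fc >> 8);
    memcpy(out + 24, body, body_len);
    return 24 + body_len;
}

/* Constructed sample: a forged deauth, reason code 7 (class 3 frame from
 * non-associated STA), sent in the clear as a rogue AP would. */
static int verdict_forged_deauth(bool pmf)
{
    uint8_t buf[64], reason[2] = { 0x07, 0x00 };
    size_t n = build_mgmt_frame(buf, 0x00C0, reason, sizeof reason);
    return mgmt_frame_verdict(buf, n, pmf);
}

/* Constructed sample: the same deauth with the Protected bit set, as the
 * legitimate AP would send it under 802.11w (body shown unencrypted). */
static int verdict_protected_deauth(bool pmf)
{
    uint8_t buf[64], reason[2] = { 0x07, 0x00 };
    size_t n = build_mgmt_frame(buf, 0x00C0 | FC_PROTECTED, reason, sizeof reason);
    return mgmt_frame_verdict(buf, n, pmf);
}

/* Constructed sample: a beacon (subtype 8), which PMF never protects. */
static int verdict_beacon(bool pmf)
{
    uint8_t buf[64];
    size_t n = build_mgmt_frame(buf, 0x0080, NULL, 0);
    return mgmt_frame_verdict(buf, n, pmf);
}

int main(void)
{
    printf("forged deauth, no PMF:   %d\n", verdict_forged_deauth(false));
    printf("forged deauth, PMF:      %d\n", verdict_forged_deauth(true));
    printf("protected deauth, PMF:   %d\n", verdict_protected_deauth(true));
    printf("beacon, PMF:             %d\n", verdict_beacon(true));
    return 0;
}
```

The design point is in the last two lines of `mgmt_frame_verdict`: the decision depends on what was negotiated at association, so PMF only helps if the AP is configured to require it (hostapd's `ieee80211w=2`) and the client supports it; an AP that merely permits PMF still accepts an unprotected deauth for any client that associated without it.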

------
e2le
I'm not sure why Firefox thinks I need DRM enabled to play the video on there.

------
solotronics
Would having a Rust based embedded OS help with attacks such as this?

~~~
saagarjha
Yes, it would panic when the copy reached outside the bounds of the buffer.
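
The C-side equivalent of the bounds check saagarjha is describing, as an added illustration (example code, not the article's vulnerable driver code, whose details this thread does not reproduce). 802.11 management-frame bodies carry tagged information elements as `[id][len][value]`, and `len` is chosen by whoever sent the frame; a parser that trusts it and copies into a fixed buffer is the bug class a Rust slice copy would turn into a panic. Here every length is checked against both the remaining frame and the destination before `memcpy`, and malformed input is rejected with a distinct code. The sample bodies are constructed, not captured traffic, and the SSID `lab-ap` is made up:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID       0     /* element id of the SSID tag      */
#define SSID_MAX_LEN  32    /* 802.11 limit on SSID length     */

enum ie_result {
    IE_OK = 0,
    IE_TRUNCATED = -1,  /* element claims more bytes than the frame holds */
    IE_TOO_LONG  = -2,  /* element longer than the destination buffer     */
    IE_NOT_FOUND = -3
};

/* Walk the tagged parameters of a management-frame body and copy the SSID
 * into out (NUL-terminated, out_cap bytes). An unchecked parser would do
 * memcpy(out, body + off + 2, len) on trust; both checks below are what
 * stop an attacker-chosen len from writing past out or reading past body. */
static int copy_ssid_bounded(const uint8_t *body, size_t body_len,
                             char *out, size_t out_cap)
{
    size_t off = 0;
    while (off + 2 <= body_len) {
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];

        if (off + 2 + (size_t)len > body_len)
            return IE_TRUNCATED;            /* source bound */

        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN || (size_t)len + 1 > out_cap)
                return IE_TOO_LONG;         /* destination bound */
            memcpy(out, body + off + 2, len);
            out[len] = '\0';
            return IE_OK;
        }
        off += 2 + (size_t)len;
    }
    return IE_NOT_FOUND;
}

/* Constructed sample: SSID "lab-ap" followed by a Supported Rates element.
 * Returns 1 when the parse succeeds and yields the expected string. */
static int parse_benign(void)
{
    static const uint8_t body[] = {
        0x00, 0x06, 'l', 'a', 'b', '-', 'a', 'p',
        0x01, 0x02, 0x82, 0x84
    };
    char out[SSID_MAX_LEN + 1];
    int r = copy_ssid_bounded(body, sizeof body, out, sizeof out);
    return r == IE_OK && strcmp(out, "lab-ap") == 0;
}

/* Constructed sample: an SSID element that really carries 40 bytes, more
 * than any 33-byte SSID buffer can hold. */
static int parse_oversized_ssid(void)
{
    uint8_t body[2 + 40];
    body[0] = IE_SSID;
    body[1] = 40;
    memset(body + 2, 'A', 40);
    char out[SSID_MAX_LEN + 1];
    return copy_ssid_bounded(body, sizeof body, out, sizeof out);
}

/* Constructed sample: an SSID element claiming 255 bytes with 3 present,
 * the over-read variant of the same mistake. */
static int parse_truncated(void)
{
    static const uint8_t body[] = { 0x00, 0xFF, 'A', 'A', 'A' };
    char out[SSID_MAX_LEN + 1];
    return copy_ssid_bounded(body, sizeof body, out, sizeof out);
}

int main(void)
{
    printf("benign:    %s\n", parse_benign() ? "ok" : "FAIL");
    printf("oversized: %d\n", parse_oversized_ssid());
    printf("truncated: %d\n", parse_truncated());
    return 0;
}
```

Note that the two checks guard different things: the first keeps the parser from reading beyond the received frame (relevant when the body sits at the end of a DMA or SDIO buffer, as it does on a Wi-Fi module), the second keeps the copy inside the fixed destination. Dropping either one is enough to recreate the problem.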

------
Shivetya
Good to see at the end that all were reported and acted upon before release.

------
hwj
With this "wardriving" gets a whole new meaning ;)

~~~
natch
The MCU is pretty well decoupled from any driving controls other than helping
to display a bit of info like the speedometer. I mean it can even be rebooted
anytime while driving. So I suspect the larger effect would be on things like
entertainment features. Not really driving. But yes harhar, nice play on
words.

~~~
cjbprime
It sounds like you missed that the exploit wasn't in the MCU. That's not the
system the wifi chip's connected to.

~~~
natch
Hmm ic, thanks.

------
jaimex2
Patched already but good to know if you're restoring a write off.

