
Tesla and Blueborne - any exposure?

Discussion in 'Model S' started by tls, Sep 12, 2017.

  1. tls

    tls Member

    It appears very likely that Tesla vehicles are impacted by Blueborne (Armis), specifically CVE-2017-1000251, which is a remote-code-execution hole in Linux kernels from 3.3-rc1 (October 2011) through today.

    I'm not sure it's possible to completely disable Bluetooth on my Model S (@JonMc, would appreciate an answer on this) as opposed to simply unpairing all devices, which is not enough -- this vulnerability allows remote code execution even from an unpaired attacking device.

    I would hope an emergency software update with a new kernel will be made available ASAP, or a definitive explanation of why Tesla's not impacted will be provided.
     
  2. tls

    tls Member

    #2 tls, Sep 12, 2017
    Last edited: Sep 12, 2017
    Edit: According to @llavalle, the Bluetooth chip's on a separate "Parrot" board that itself runs Linux. If so, only that board may be subject to remote compromise.

    There are several vulnerabilities:
    • CVE-2017-1000251 which is a buffer overflow in L2CAP, one of the lowest layer protocols in the Bluetooth stack. If the Tesla kernel is built with stack protection enabled, and if that protection is truly effective (on embedded platforms sometimes it is not), this may only allow crashing the 15" display, not remotely running code as root on it.
    • CVE-2017-0781 which allows the overwriting of arbitrary kernel or user memory. This flaw is in BNEP, a protocol used for tethering. If BNEP is not present in Tesla's kernel we may be safe on this one, but if it's present, even if not used, probably not.
    • CVE-2017-0782 another BNEP hole, this one specifically in the PAN profile. It may be that if PAN is not enabled, we're safe from this one even if the kernel has BNEP support.
    Numerous related holes are rumored but not presently disclosed. Any of the 3 above would allow, at least, full takeover of the 15" display and associated systems -- if present. If nothing else, the simple fact that they could be used to steal a $100,000 car makes me think active exploitation is likely if not promptly patched. A response from Tesla ASAP would certainly ease my mind.
     
  3. llavalle

    llavalle Member

    Just so you know, the Bluetooth chip is on a separate board called the "Parrot". Get root on there and you can't do much. It's another computer running Linux. It is connected via ethernet but this won't give the attacker a direct means to do anything on the car...
     
  4. mspohr

    mspohr Active Member

    Looks like systems compiled with CONFIG_CC_STACKPROTECTOR=y will just crash (and not become infected). Don't know if the Tesla system was compiled with that switch.
    Turning off Bluetooth will block the intrusion.
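An added check in the spirit of tls's CVE breakdown in post #2 and mspohr's CONFIG_CC_STACKPROTECTOR point just above (example code written for this page, not from the thread, Armis or Tesla): it classifies a Linux host's Blueborne exposure from its kernel config and loaded modules. The config fragment and lsmod output are constructed samples, not captured from any vehicle.

```shell
#!/bin/sh
# Constructed stand-ins for `zcat /proc/config.gz` and `lsmod` (not from a real unit).
SAMPLE_CONFIG='CONFIG_BT=m
CONFIG_BT_BNEP=m
# CONFIG_CC_STACKPROTECTOR is not set
CONFIG_CC_STACKPROTECTOR_NONE=y'
SAMPLE_LSMOD='Module                  Size  Used by
bnep                   20480  2
bluetooth             544768  6 bnep
btusb                  45056  0'

# stack_protector_status CONFIG_TEXT -> "on" or "off"
# Matches the pre-4.18 CONFIG_CC_STACKPROTECTOR[_REGULAR|_STRONG]=y spellings
# and the newer CONFIG_STACKPROTECTOR[_STRONG]=y.
stack_protector_status() {
    if printf '%s\n' "$1" | grep -Eq '^CONFIG_(CC_)?STACKPROTECTOR(_REGULAR|_STRONG)?=y$'; then
        echo on
    else
        echo off
    fi
}

# loaded_bt_modules LSMOD_TEXT -> space-separated, sorted names of loaded BT modules
loaded_bt_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^(bluetooth|bnep|btusb|hci_uart|rfcomm)$/ { print $1 }' \
        | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# exposure_level CONFIG_TEXT LSMOD_TEXT -> "none", "reduced" or "exposed"
#   none    : no bluetooth core module loaded, so the L2CAP/BNEP code is not reachable
#   exposed : bnep loaded (CVE-2017-0781/0782 are memory overwrites, not stack
#             overflows, so the stack protector does not help), or no stack protector
#   reduced : bluetooth loaded without bnep and the stack protector is on, so the
#             L2CAP overflow (CVE-2017-1000251) is more likely to crash than to run code
exposure_level() {
    mods=" $(loaded_bt_modules "$2") "
    case "$mods" in
        *" bluetooth "*) ;;
        *) echo none; return 0 ;;
    esac
    case "$mods" in
        *" bnep "*) echo exposed; return 0 ;;
    esac
    if [ "$(stack_protector_status "$1")" = on ]; then echo reduced; else echo exposed; fi
}

# blacklist_conf -> modprobe.d lines that keep the stack from loading at all
blacklist_conf() {
    printf 'blacklist bluetooth\nblacklist bnep\nblacklist btusb\ninstall bluetooth /bin/false\n'
}
```

Run it against a live box with `exposure_level "$(zcat /proc/config.gz)" "$(lsmod)"`; the blacklist lines belong in /etc/modprobe.d/ only on hosts where Bluetooth is genuinely unused.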
     
  5. tls

    tls Member

    Is it the case that there are in fact three separate Linux systems for the IC, the 15" display, and the Parrot connectivity module? If so I guess it'd be the Parrot kernel that mattered. Embedded-system kernels often aren't built with stack smash protection, or it's not fully effective because of insufficient boot-time entropy.

    I can't seem to get a real datasheet for the Parrot 6050 but the sell sheet for the 6000+ series lists out a feature set that looks like most of the connectivity and media features of the car (plus tethering over Bluetooth or USB, and a few other goodies). Is all that stuff implemented by the display puppet-stringing the Parrot?
     
  6. tls

    tls Member

  7. demundus

    demundus Member

    They'd gain access to the parrot and nothing would happen, as previously stated. Still cool to look at the 6050 GPL, so godspeed with that... but this BT exploit doesn't affect Tesla at all.
     
  8. tls

    tls Member

    Well, I don't know about "nothing" -- I hardly regard eavesdropping on the people in my car, or interception/MITM of its WiFi communications as benign. If the Parrot is vulnerable (and I see little reason to think it's not, since all Linux systems with Bluetooth seem to be) then it would still seem incumbent on Tesla to fix this; if not, since Tesla sold the thing it seems incumbent on them to provide a persuasive explanation of why it's not vulnerable.

    The Parrot does not, from the datasheet, seem to be Ethernet-connected, by the way -- if it's an actual 6050, at least the one I posted the manual link for, it's USB.
     
  9. appleguru

    appleguru Member

    This is correct; the parrot on the car connects to the CID via USB.
     
  10. llavalle

    llavalle Member

    #10 llavalle, Sep 12, 2017
    Last edited: Sep 12, 2017

    There are 3 devices on the ethernet in the car.
    1-The CID (main 17in screen) runs Linux, recently upgraded to Kernel in the 4.x line
    2-The IC (instrument cluster) runs Linux, still on 2.6
    3-The Gateway (communication to CAN bus) doesn't run linux. Don't quote me on that but looks like a powerpc device of some sort running a realtime type of OS.

    Then there's USB connected stuff :
    a-The 3G/LTE modem
    b-The Parrot. It is, as you said, a USB device but inside the car, it exposes a USB Ethernet adapter on the host, in this case the CID. This thing does WiFi and Bluetooth. It also appears to take over some audio mixing, probably for Bluetooth calls... but it seems to be handling more than that on the audio side. This thing runs a 2.6 kernel but unlike the CID and IC, it doesn't seem to run a heavily modified version of Ubuntu. It's very limited in functionality (linux wise) and is more akin to a router (busybox, etc).

    The full model name is "FC6050W"

    As for a spec sheet, found this on the FCC's website.

    edit : forgot to mention that since the refresh in 2016, there's an additional device connected. Unsure if ethernet or USB. It's some kind of hub that does WiFi too. There was an article on Electrek about it.
     
  11. tls

    tls Member

    If the Parrot is acting as a USB target and exposing a USB Ethernet to the CID as a host, then it's not wired up the way that "user manual" you and I both found describes. The manual says the Parrot is always the USB master and its "host" must be wired up as a target, with any additional devices connected via a hub.

    Are the car's USB ports connected via the Parrot, or directly to the CID?

    The example configurations show, for instance, the Parrot reading USB media and mixing/streaming out audio under control of the "host" which commands it, gets song titles etc. via a rather quaint AT-command interface.

    If the Parrot's the USB target and the CID is the USB master, then it also may not be running the software load described in that manual. I wonder what Bluetooth stack it's using, and whether it's vulnerable or not.

    Apologies for the '15" screen' braino before, I was searching for "CID" in my head and it just never quite got to the threshold of consciousness -- never mind 15"/17". Early start, long day on this end.

    I wonder if a change to the thread title would be justified at this point. I don't want to be alarmist (though people being able to eavesdrop on conversations in my car is not cool, it's also a lot less serious than if they could take over the CID). Changing the thread title requires contacting the mods, right?
     
  12. mspohr

    mspohr Active Member

    I just installed the Blueborne vulnerability tester (Armis) from the Google Play store. It told me that my phone (Nexus 5) was vulnerable.
    It also scans for nearby bluetooth devices. It found the Tesla bluetooth adapter and said it was "Low Risk".
     
  13. llavalle

    llavalle Member

    The car's USB ports, at least pre-refresh, are directly connected to the CID. They don't go through the Parrot module.
     
  14. demundus

    demundus Member

    It's an elegant solution really... a just-barely-long-enough-cable that runs under the "cubby" between the seats, to the back of the CID. The tension on mine felt like I had a 30lb fish on the line LOL
     
  15. bmah

    bmah Obscure Member

    One easy way to do this is just to click the "Report" link for one of your posts (well I guess it could be any post in this thread) and explain what you want to have done.

    Bruce.
     
  16. apacheguy

    apacheguy S Sig #255

    The additional post-refresh device is the ape I believe. This is used for AP2.
     
  17. llavalle

    llavalle Member

    That's not the one I was referring to... but you're right. On AP2 cars, you have the AP2 hardware running the GPU and it's called the "ape". The device I was referring to is some sort of USB hub with wifi antennas... looked like Tesla was about to offer in-car wifi hotspot with it. It is still, to this date, unused (except the USB hub part)
     
  18. verygreen

    verygreen Curious member

    Qualcomm Atheros QCA6234 - WikiDevi + usb-serial
     
  19. tls

    tls Member

    Wifi hotspot is an advertised feature of the Parrot 6050, as well -- perhaps more evidence that Tesla may not be running the same software load described in that Parrot manual -- or perhaps they can't get the network isolation they want if they run the Parrot, whose manual says it does no firewalling, both as a client and as an AP, or perhaps it's not flexible enough to run in both modes at the same time or switch when needed...
     
  20. ggr

    ggr Roadster R80 537, SigS P85 29

    Don't forget that Tesla has to have a service agreement with someone (AT&T here) for their 3G/LTE connectivity, and that someone probably doesn't allow tethering for the rate that Tesla pays.
     