Tesla and Blueborne - any exposure?

It appears very likely that Tesla vehicles are impacted by Blueborne • armis specifically CVE-2017-1000251 which is a remote-code-execution hole in Linux kernels from 3.3-rc1 (October 2011) through today.

I'm not sure it's possible to completely disable Bluetooth on my Model S (@JonMc, would appreciate an answer on this) as opposed to simply unpairing all devices, which is not enough -- this vulnerability allows remote code execution even from an unpaired attacking device.

I would hope an emergency software update with a new kernel will be made available ASAP, or a definitive explanation of why Tesla's not impacted will be provided.
 
Edit: According to @llavalle, the Bluetooth chip's on a separate "Parrot" board that itself runs Linux. If so, only that board may be subject to remote compromise.

There are several vulnerabilities:
  • CVE-2017-1000251, which is a buffer overflow in L2CAP, one of the lowest-layer protocols in the Bluetooth stack. If the Tesla kernel is built with stack protection enabled, and if that protection is truly effective (on embedded platforms sometimes it is not), this may only allow crashing the 15" display, not remotely running code as root on it.
  • CVE-2017-0781, which allows the overwriting of arbitrary kernel or user memory. This flaw is in BNEP, a protocol used for tethering. If BNEP is not present in Tesla's kernel we may be safe on this one, but if it's present, even if not used, probably not.
  • CVE-2017-0782, another BNEP hole, this one specifically in the PAN profile. It may be that if PAN is not enabled, we're safe from this one even if the kernel has BNEP support.
Numerous related holes are rumored but not presently disclosed. Any of the 3 above would allow, at least, full takeover of the 15" display and associated systems -- if present. If nothing else, the simple fact that they could be used to steal a $100,000 car makes me think active exploitation is likely if not promptly patched. A response from Tesla ASAP would certainly ease my mind.
 
Looks like systems compiled with CONFIG_CC_STACKPROTECTOR=y will just crash (and not become infected). Don't know if the Tesla system was compiled with that switch.
Turning off Bluetooth will block the intrusion.
 
Is it the case that there are in fact three separate Linux systems for the IC, the 15" display, and the Parrot connectivity module? If so I guess it'd be the Parrot kernel that mattered. Embedded-system kernels often aren't built with stack smash protection, or it's not fully effective because of insufficient boot-time entropy.

I can't seem to get a real datasheet for the Parrot 6050 but the sell sheet for the 6000+ series lists out a feature set that looks like most of the connectivity and media features of the car (plus tethering over Bluetooth or USB, and a few other goodies). Is all that stuff implemented by the display puppet-stringing the Parrot?
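As an added example (not code from this thread, Tesla or Armis), here is a small checker for the questions raised in the last few posts: whether a kernel's in-kernel Bluetooth stack falls in the CVE-2017-1000251 range (3.3-rc1 onward), whether a stack protector is compiled in, and whether BNEP is built. It assumes a .config in the standard CONFIG_FOO=y / "# CONFIG_FOO is not set" format (as from zcat /proc/config.gz) and uses a constructed sample config.

```python
# Added example (not code from this thread, Tesla or Armis): check a kernel .config
# plus `uname -r` for in-kernel Bluetooth, CVE-2017-1000251 range, stack protector, BNEP.
import re

# The stack-protector symbol was renamed over the years; any of these = y counts.
STACKPROTECTOR = ("CONFIG_CC_STACKPROTECTOR", "CONFIG_CC_STACKPROTECTOR_REGULAR",
                  "CONFIG_CC_STACKPROTECTOR_STRONG", "CONFIG_STACKPROTECTOR",
                  "CONFIG_STACKPROTECTOR_STRONG")

def parse_config(text):
    """Map CONFIG_* symbols to 'y', 'm', 'n' or their literal value."""
    opts = {}
    for line in text.splitlines():
        if m := re.match(r"# (CONFIG_\w+) is not set$", line):
            opts[m.group(1)] = "n"
        elif m := re.match(r"(CONFIG_\w+)=(.*)$", line):
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def kernel_version(release):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)  # '4.4.87-cid' -> (4, 4, 87)
    return tuple(int(x) for x in m.groups(default="0"))

def assess(config_text, release):
    """Return the facts the thread asks about plus a one-line verdict."""
    opts = parse_config(config_text)
    on = lambda sym: opts.get(sym) in ("y", "m")
    bt = on("CONFIG_BT")  # L2CAP lives in the core Bluetooth module itself
    r = {"bluetooth_in_kernel": bt,
         "l2cap_cve_range": bt and kernel_version(release) >= (3, 3),
         "stack_protector": any(on(s) for s in STACKPROTECTOR),
         # BNEP is the kernel half of PAN; whether a PAN profile is enabled
         # is a BlueZ userspace setting and is not visible in .config.
         "bnep_in_kernel": on("CONFIG_BT_BNEP")}
    if not bt:
        r["verdict"] = "no in-kernel Bluetooth: CVE-2017-1000251 does not apply"
    elif r["l2cap_cve_range"] and not r["stack_protector"]:
        r["verdict"] = "L2CAP bug in range, no stack protector: assume remote code execution until patched"
    elif r["l2cap_cve_range"]:
        r["verdict"] = "L2CAP bug in range; stack protector should reduce it to a crash, still patch"
    else:
        r["verdict"] = "kernel predates the L2CAP bug (3.3-rc1); still review BNEP"
    return r

# Constructed sample: a 4.x build with Bluetooth and BNEP but no stack protector.
SAMPLE_CONFIG = """CONFIG_LOCALVERSION="-cid"
# CONFIG_CC_STACKPROTECTOR is not set
CONFIG_BT=y
CONFIG_BT_BNEP=m
"""
```

Run assess(SAMPLE_CONFIG, "4.4.87-cid") to see the sample verdict; on a real box feed it the output of zcat /proc/config.gz and uname -r.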
 
Well, I don't know about "nothing" -- I hardly regard eavesdropping on the people in my car, or interception/MITM of its WiFi communications as benign. If the Parrot is vulnerable (and I see little reason to think it's not, since all Linux systems with Bluetooth seem to be) then it would still seem incumbent on Tesla to fix this; if not, since Tesla sold the thing it seems incumbent on them to provide a persuasive explanation of why it's not vulnerable.

The Parrot does not, from the datasheet, seem to be Ethernet-connected, by the way -- if it's an actual 6050, at least the one I posted the manual link for, it's USB.
 
This is correct; the parrot on the car connects to the CID via USB.
 
There are 3 devices on the ethernet in the car.
1-The CID (main 17in screen) runs Linux, recently upgraded to Kernel in the 4.x line
2-The IC (instrument cluster) runs Linux, still on 2.6
3-The Gateway (communication to CAN bus) doesn't run linux. Don't quote me on that but looks like a powerpc device of some sort running a realtime type of OS.

Then there's USB connected stuff:
a-The 3G/LTE modem
b-The Parrot. It is, as you said, a USB device but inside the car, it exposes a USB Ethernet adapter on the host, in this case the CID. This thing does WiFi and Bluetooth. It also appears to take over some audio mixing, probably for Bluetooth calls... but it seems to be handling more than that on the audio side. This thing runs a 2.6 kernel but unlike the CID and IC, it doesn't seem to run a heavily modified version of Ubuntu. It's very limited in functionality (linux wise) and is more akin to a router (busybox, etc).

The full model name is "FC6050W"

As for a spec sheet, found this on the FCC's website.

Edit: forgot to mention that since the refresh in 2016, there's an additional device connected. Unsure if ethernet or USB. It's some kind of hub that does WiFi too. There was an article on Electrek about it.
 
If the Parrot is acting as a USB target and exposing a USB Ethernet to the CID as a host, then it's not wired up the way that "user manual" you and I both found describes. The manual says the Parrot is always the USB master and its "host" must be wired up as a target, with any additional devices connected via a hub.

Are the car's USB ports connected via the Parrot, or directly to the CID?

The example configurations show, for instance, the Parrot reading USB media and mixing/streaming out audio under control of the "host" which commands it, gets song titles etc. via a rather quaint AT-command interface.

If the Parrot's the USB target and the CID is the USB master, then it also may not be running the software load described in that manual. I wonder what Bluetooth stack it's using, and whether it's vulnerable or not.

Apologies for the '15" screen' braino before, I was searching for "CID" in my head and it just never quite got to the threshold of consciousness -- never mind 15"/17". Early start, long day on this end.

I wonder if a change to the thread title would be justified at this point. I don't want to be alarmist (though people being able to eavesdrop on conversations in my car is not cool, it's also a lot less serious than if they could take over the CID). Changing the thread title requires contacting the mods, right?
 
I just installed the Blueborne vulnerability tester (Armis) from the Google Play store. It told me that my phone (Nexus 5) was vulnerable.
It also scans for nearby bluetooth devices. It found the Tesla bluetooth adapter and said it was "Low Risk".
 

One easy way to do this is just to click the "Report" link for one of your posts (well I guess it could be any post in this thread) and explain what you want to have done.

Bruce.
 
The additional post-refresh device is the ape I believe. This is used for AP2.
 
That's not the one I was referring to... but you're right. On AP2 cars, you have the AP2 hardware running the GPU and it's called the "ape". The device I was referring to is some sort of USB hub with wifi antennas... looked like Tesla was about to offer in-car wifi hotspot with it. It is still, to this date, unused (except the USB hub part)
 
Qualcomm Atheros QCA6234 - WikiDevi + usb-serial
 
Wifi hotspot is an advertised feature of the Parrot 6050, as well -- perhaps more evidence that Tesla may not be running the same software load described in that Parrot manual -- or perhaps they can't get the network isolation they want if they run the Parrot, whose manual says it does no firewalling, both as a client and as an AP, or perhaps it's not flexible enough to run in both modes at the same time or switch when needed...
 
Don't forget that Tesla has to have a service agreement with someone (AT&T here) for their 3G/LTE connectivity, and that someone probably doesn't allow tethering for the rate that Tesla pays.