{"uuid": "21f63dda-f998-4c51-b7ce-6efc09015c56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "A vulnerability report for BYD (Chinese car maker)", "description": "# Vulnerability Report - BYD QIN PLUS DM-i - Dilink OS - Incorrect Access Control\n\n**Product:** BYD QIN PLUS DM-i - Dilink OS\n\n**Vendor:** https://www.byd.com/\n\n**Version:** 3.0_13.1.7.2204050.1\n\n**Vulnerability Type:** Incorrect Access Control\n\n**Attack Vectors:** The user installs and runs an app on the IVI system that only requires normal permissions.\n\n## Introduction\n\nThe BYD QIN PLUS DM-i with Dilink OS contains an Incorrect Access Control vulnerability. Attackers can bypass permission restrictions and obtain confidential vehicle data through **Attack Path 1: System Log Theft** and **Attack Path 2: CAN Traffic Hijacking**.\n\n## Attack Path 1: System Log Theft\n\nIncorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs.\n\n### Description\n\nThe DiLink 3.0 system\u2019s /system/bin/app_process64 process logs system logcat data, storing it in zip files in the /sdcard/logs folder. These logs are readable by regular apps, allowing them to bypass restrictions, escalate privileges, and potentially copy and upload sensitive vehicle data (e.g., location, fuel/energy consumption, VIN, mileage) to an attacker\u2019s server. This poses a serious security risk, as the data is highly confidential for both users and manufacturers.\n\n### Detailed Steps\n\n1. Check the system logs collected and stored by the system.\n\n   ![log.png](https://s2.loli.net/2025/01/26/MRTCqKnv1aEIpQZ.png)\n\n2. The malicious app copies the system log files to its own private directory. The main code is as follows:\n\n   <img src=\"https://s2.loli.net/2025/01/26/EqxHDSX9O5Ibhr4.png\" alt=\".png\">\n\n3. The malicious app successfully steals the system logs into its private directory.\n\n   ![.png](https://s2.loli.net/2025/01/26/r7vsY93LgTb6coF.png)\n\n4. Extract the file and search the system logs for sensitive confidential information.\n\n   (a) Fuel consumption, energy consumption, and seatbelt status.\n\n   ![111.png](https://s2.loli.net/2025/01/26/6jkmACTRwxaX7sb.png)\n\n   (b) ICCID, VIN (Vehicle Identification Number), and model code.\n\n   ![vin.png](https://s2.loli.net/2025/01/26/nJWl3fq5QKVNuEx.png)\n\n   (c) Diagnostic command format.\n\n   ![.png](https://s2.loli.net/2025/01/26/jc3xCTkUd8a4ZF2.png)\n\n   (d) Various detailed vehicle status information.\n\n   ![.png](https://s2.loli.net/2025/01/26/lSTFK7thceQJ16b.png)\n\n### Ethical Considerations\n\nThe vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions, with the logs now encrypted.\n\n### Additional Notes\n\nOur vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.\n\n### Disclaimer\n\nThis vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.\n\n## Attack Path 2: CAN Traffic Hijacking\n\nThe attacker can remotely intercept the vehicle's CAN traffic, which is supposed to be sent to the manufacturer's cloud server, and potentially use this data to infer the vehicle's status.\n\n### Description\n\nIn the DiLink 3.0 system, the /system/priv-app/CanDataCollect folder is accessible to regular users, allowing them to extract CanDataCollect.apk and analyze its code. The \"com.byd.data_collection_notify\" broadcast is not protected by the system, so any app can send it to set the CAN traffic upload URL. This enables attackers to:\n\n1. Set the upload URL to null, preventing cloud data collection.\n2. Set the upload URL to an attacker\u2019s domain for remote CAN traffic collection.\n\nAdditionally, the encoded upload files can be decrypted using reverse-engineered decoding functions, enabling attackers to remotely analyze CAN traffic and infer the vehicle's status.\n\n### Detailed Steps\n\n1. The vulnerable broadcast-handling code in CanDataCollect.apk.\n\n   <img src=\"https://s2.loli.net/2025/01/26/RanvVwJZYUuq9i8.png\" alt=\".png\">\n\n2. The exploit code in the malicious app.\n\n   <img src=\"https://s2.loli.net/2025/01/26/QBC8cxEkKtuY5XT.png\" alt=\".png\">\n\n3. The malicious app successfully modifies the CAN traffic upload URL.\n\n   ![.png](https://s2.loli.net/2025/01/26/sugvP14iSFrAhHW.png)\n\n4. After the attack, the IVI system's logcat logs show the CAN traffic being routed to the attacker\u2019s server.\n\n   <img src=\"https://s2.loli.net/2025/01/26/2Cxtc3UvFe9X7pn.png\" alt=\".png\">\n\n5. The CAN traffic collected by the attacker and the decoded results.\n\n   <img src=\"https://s2.loli.net/2025/01/27/YqinPrht6S8CFBW.png\" alt=\".png\">\n\n### Ethical Considerations\n\nThe vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions.\n\n### Additional Notes\n\nOur vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.\n\n### Disclaimer\n\nThis vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.", "description_format": "markdown", "vulnerability": "CVE-2024-54728", "creation_timestamp": "2025-01-26T17:57:50.934368+00:00", "timestamp": "2025-01-26T17:57:50.934368+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented", "vulnerability:information=PoC"]}, {"ref": ["https://gist.github.com/xu-yanbo202000460009/00dacd7bfede713a0f052a531da4fabd"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
