2022特斯拉安全漏洞.docx

资源ID：1340298 资源大小：713.97KB 全文页数：71页
资源格式： DOCX 下载积分：5金币

快捷下载

会员登录下载

三方登录下载：

下载资源需要5金币

邮箱/手机：
温馨提示：	用户名和密码都是您填写的邮箱或者手机号，方便查询和重复下载（系统自动生成）
支付方式：
验证码：	换一换

加入VIP免费专享

账号：
密码：
验证码：	换一换
当日自动登录忘记密码？

友情提示

1、下载资料失败解决办法

2、PDF文件下载后，可能会被浏览器默认打开，此种情况可以点击浏览器菜单，保存网页到桌面，就可以正常下载了。

3、本站不支持迅雷下载，请使用电脑自带的IE浏览器，或者360浏览器、谷歌浏览器下载即可。

4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩，下载后原文更清晰。

5、试题试卷类文档，如果标题没有明确说明有答案则都视为没有答案，请知晓。

网站客服

侵权投诉

2022特斯拉安全漏洞.docx

特斯拉安全漏洞Tencent开究背景工安全彳KEENsecuritylab车联网安全研究背景Tencent智能网联汽车将成为汽车行业的核心重点“网联”汽车：具有互联网接入功能的汽车，具备车载系统和车云之间的数据同步功能，以及面向用户的互联网访问服务功能。大规模上市期：2017-2020“智能”汽车：具有自动驾驶或者无人驾驶功能的汽车，完全改变坐乘人员的体验,车内用户场景发生剧烈改变。大规模上市期：2020-2025行业领军品牌沃尔沃：“智能”汽车领域行业标杆,已经在2016年实现自动驾驶，并计划在2020年实现量产全无人驾驶车。特斯拉：“网联”汽车领域的行业标杆，并已经在2016年在量产车上实现辅助驾驶功能。帝一大量新技术和网联功能引入，带来信息安全机遇环境感知层激光雷达、毫米波雷达、摄像头、传感器、红外测距、卫星导航、路侧系统等，信息融合层行人隙碍物识别、车辆识别、场景重构、精准定位等数据采集层智能决策层路径规划、人机共驾等控制执行层自动驾驶、无人驾驶、轨迹跟踪、转向制动、耦合动力学全状态参数识别等安全体系功能安全（FUnCtiOnaISafety）和信息安全（CyberSeCUrity）智能控制系统架构通讯架构和控制架构整车集成与标定整车硬件集成（底盘、车身、电机、电池系统等）和智能控制系统集成测试模块性能测试（测试机理）和整车功能测试（测试方法）摘自：上海市政府汽车行业规划发展内部报告车联网安全市场前景2017NoteOuetoroun>ng.rw11tmh11heremayMaMUPlSourceP*CSlrMegyAnfnExhibit7Connectedcarrevenuepotential,byregion,2017-22WesternE.U.UnitedStatesJapanS12.4(2i,WhilethosetypesofvehiclesareonlybecomingmoreprominentReuterssharesdatafrommarketresearcherIDATEshowingthatthenumberofconnectedcarsontheroadhasrisen57percentannuallysince2013andthatthetotalnumberisexpectedtoreach420millionby2018keepingthemsafefromhackersisbecomingabigbusiness.,Weviewthisasapotential$10billionmarketopportunityoverthenextfiveyears,ReutersquotesDanielIves,ananalystwithFBRCapitalMarketsinNeWYork,asstating.”“TheReutersstoryaddsthatHannanInternationalIndustries,amakerofconnectedcarsystems,boughtIsraeli-foundedcyberdefensestartupTowerSecforthepurposeofprotectingitsproductsandthatglobaltechcompanies,likeIBMandCISCO,arealsoemployingtheirteamsinIsraeltoworkonthesecurityofconnectedcars.,-2016/1/12国际和国内安全行业：网联汽车安全研究成为新热,kncem2015年7月，黑客可以通过远程方式入侵克莱斯勒自由光JEEP并对行车和车身进行远程控制，其中涉及了多个TSP模块、互联网通讯模块、车机模块中多个安全漏洞。影响：克莱斯勒召回北美地区140万辆自由光2015年7月，黑客实现对美国通用OnStar移动APP的劫持，可以远程控制车门开关、发动机启动和鸣号。主要涉及移动APP模块和TSP模块的安全漏洞。影响：通用紧急修复相关漏洞2016年2月，黑客实现对尼桑EV1.EAF移动APP的劫持，可以远程控制空调开关，闪灯等。主要涉及移动APP模块和TSP模块的安全漏洞。影响：尼桑临时关闭1.EAF云端服务:、汽车安全基础与工具K)KEENsecuritylabCarHackersHandbookhttp:/opengarages.org/handbook/ExposingtheVulnerabilitiesandRisksofHighTechVehicles http:/icitech.org/wp-content/uploads/2015/09/ICIT-Brief_Whos-Behind-the-Wheel_Car-Hacking2.pdfASurveyofRemoteAutomotiveAttackSurfaces AdventuresinAutomotiveNetworksandControlUnitsTencentI试工具1.20.0/24-p80):/nmap.org)at2016-06-1107:OlPDTJ3.20.0J3.20.10.J3.20.33204J3.20.50-IOKEENsecuritylab汽车安全双 Nmap Wireshark CANalyzer BinwalkIDA$sudonnap-Pn-sS10.32StartingNmap6.40(htNmapscanreportforIO.二Hostisup.PORTSTATESERVICE80/tcpfilteredhttpNmapscanreportfor10.2Hostisup(0.84slatencyPORTSTATESERVICE80/tcpclosedhttpNmapscanreportfor10.2Hostisup.PORTSTATESERVICE80/tcpfilteredhttpNmapscanreportfor10.3Hostisup.PORTSTATESERVICE80/tcpfilteredhttpNmapscanreportfor10.2Hostisup(0.84slatencyPORTSTATESERVICE80/tcpclosedhttpNmapscanreportfor10.3Hostisup(0.84slatencyPORTSTATESERVICE80/tcpclosedhttp Nmap Wireshark CANalyzer BinwalkIDA420100.pcapnq文件(F)编痛视图(V)/桀(G)际(C)分析（八）统计(三)电话(Y)无线(W)ZS(T)帮助（三）鼻|应用显示过滤器立”i-/>於0QT够震布现国圜40A至NoSource1192.168.90.1002192.168.90.1003192.168.90.1024192.168.90.1025192.168.90.1026192.168.90.1027192.168.90.1028192.168.90.1009192.168.90.10210192.168.90.10211192.168.9.10212192.168.90.10213192.168.90.10014192.168.90.10215192.168.90.10216192.168.9.102Destination224.0.0.26224.0.0.26192.168.90.255192.168.90.255192.168.90.255192.168.90.255192.168.90.255224.0.0.26192.168.90.255192.168.9.255192.168.90.255192.168.90.255224.0.0.26192.168.90.255192.168.90.255192.168.90.255Protocol1.engthJD,UDPJ2PJAUDPPpppUDUOUDUDJzpUDPInfo45040741÷403116040741÷4031622l2ll622l00->201016220100-201016220100->201016220100->201016234020->49996220100÷21016220100÷201016220100÷2ll622l0->201018840741-40316220100->201016220100201016220100->201011.en=4061.en=1161.en=121.en三121.en-121.en-121.en三121.en=41.en=121.en=121.en=121.en-121.en-441.en三121.en三8q3表达式+InternetProtocolVersion4,Src:192,168.90.102,Dst:192.168.90.255UserDatagramProtocol,SrcPort:20100(20100),DstPort:20101(20101)Data(12bytes)Data:0000008313lcl090000000 Nmap Wireshark CANalyst BinwalkIDA3SEND17:54:36.7710x0000064cDATAFrame0x080227Oil00000000004RECV17:54:36.7810x0000065cDATAFrame0x08101267Ol00QlQ2035SEND17:54:36.9810x0000064cDATAFrame0x0830000000000000006RECV17:54:36.9810x0000065cDATAFrame0x0821040506070809Oa7RECV17:54:36.9810x0000065cIMOVdncererbeunqDATAFrame0x0822ObOcOdQeOf0000-CAN-CAN(st)DefaU1.istj口田。9Q*Ui；IndexDrecbonITirnlOlO10101010Ev<thenRightAlignNot。"StandardFraAO"ChckboxsdisalforExtornalIDzI£bitboxdisplay*,X,*thebitisnocare,Ie"11XXXXXXIll二mansthtonlythreeIwbitisTI1，Ouldshworhide.Cl0rAddN”ddToExistClosEvalufttor,MakeTtxiColor11CdorAdVenCeOptions,ShoWFilterOffiI)YhgFrSeIDJ,IShg二AdvanceOptionsMiToExistTriggerSettingHideSndFrMTIe1.OadConf>urQNmapWiresharkCANalyzerDECIMA1.HEXDESCRIPTION1288x58CFEbootloader,littleendian65536xlBroadcom96345firmwareheader,headersize：256,firmwareversion："8",board-CRC32headerchecksum:0x7FBD17C6,CRC32datachecksum：xF44DBF79id:"6348GW-10",65792xllSquashfsfilesystem,bigendian,version2.,size：2623358bytes,42inodes,bytes,created:ThuSep1718:07:36209blocksize：655363426366×34483ESercommfirmwaresignature,versioncontrol:,downloadcontrol:,hardwareID:"DG834GT",hardwareversion：x41,firmwareversion：×16,startingcodesegment：x,codesize：x73BinwalkIDAOFFSETftrmwarel.binftrmware2.binftrnware3.bte2700084G00180O18024COO0287236700380051956877A35201614ID696E756E656C6580606456OF960OEF863862BOO68OS05020378284B652496D6108OOOOOO.VdV.1.inux.Kernel.Inage27OS4A678006SE914C69726E6765OO001956DD4F00IE066E75656C0OOC69OOOE80315S782020490B73FF4F7802034B656D61O,.V.?3g.0.I1.inux.KeIrnel.InaIge27054DAB8OOFEF94C69726E6765OO01956FC7A289ZF6E75656C0OOOOOl90OE802B5S78202049OO0OOFB9BFDSF22034B656D61OO1.inuxrnel.：ge.：.KeInaNmapWiresharkCANalyzerBinwalkIDA?-CUSfEAd咆吧”吧"n°ffbWdfej吧吧;db，竺史今33空包332fileEditJumpSearchViewDebuggerOptionsWindowsHelpH8，。牡嗑4，wW。C显凸产了点硒X>S口Mdebucr1.ibrftryfunctionDaMReCUI钞functionUnexploredInstructionExternalsymbol7PimctionsYixidow口(5K1®IDAVlareA哨Pseudocode-AQW1.OCaTypesFunctionnameaccumulateHe×BytesDoorHandlefIendUpdaterOrAppDoorHandleUDSegetNodeVendor7jpareBlock1.engthfIdata.download71UDS.accumulateHex8ytes1UDSeSend1.dstPiecefconti_end_$b1.oreapp刁jlr.end.$b1.or.appZPektrOQend-Sb1.OjaPPZtesla.end.sb1.or.app7valeo.end.sbl.or.appTlhella.end.sbl.or.appTjUDS.Operation.controlDTC7d。WnloadOPeratiOnS.7111odelnPrivateVariablesForDownload/ComputeKeyeTesIaElComputeKeyeBaolongjcomputeKey.BitronComputeKeyeBoschJComputeKeyeContinentaIComputeKeyeDeIphijComputeKeyeHaIIajComputeKeyJ1.R/iComputeKeyeKostaIComputeKeyePanasonicMComputeKeyePektronMComputeKeyeVaIeo工nodeComputeSecurityKeyWHodeRequestSecurityAcessjjUDSJESlAegerwateKeyJUDS.bitron-generateKeyUDSeCont1.generateKey7UDS.bosch,generateKeyTjUDShalla.generateKeyTlUDSPanasonicQenerateKev2829303132333435363738394041424345647¼89SQ515253555565758596061626364do<u6=(int)u1u;u7=(unsigned_int8)u+;u8=*(BVTE*)(U62)；if(u8t=u7)u50;u31-u8；u3；>while(u-16);if(u5-1)<u9-9；u10-u1->seruerSeedSize;while(u9<u10)<u11三(int)Mlu9;m9-(unsignedint8)(u91);*(BVTE*)(U1118)=»(BVTE)(u112)*0×35;>)else<UDS_TES1.A_generateKey(Mi->nodeID,plainTe×ttCiPherTeXt);u12=8>cipherTe×t-1;u13=(int)fcu1->seruerSeed15;do<u14-u121;u12；*(_BVTE*)(u13*1)-u14;>while(u12?-(cipherText15);>u2三16;>1特斯拉系统架构K)KEENsecuritylabIC InstrumentCluster Tegra31.inux 192.168.90.101CID CenterInformationDisplay Tegra41.inux 192.168.90.100Gateway VehicleGateway FreeRTOS 192.168.90.102CIDIn-VehicleNetworkETHChannelIC192.168.90.100CID192.168.90.101DIAG192.168.90.102四、特斯拉网关安全研究K)KEENsecuritylab 汽车网关系统是汽车车电网络中的重要一环，它用于在车载多路CAN总线之间进行数据转发。特斯拉在车载总线中引入了以太网，所以特斯拉汽车网关还负责以太网与CAN总线之间的数据过滤与转发。典型案例吉普自由光(NECV850) 特斯拉(FreeSCaIeMPC5668G) 本土车企(NEC78K0R)特斯拉汽车网关TencentETHChannelIC192.168.90.100CID192.168.90.101DIAG192.168.90.102+QUOTapacheguysaid:Ingineer,Aug21,2015TheMCUneversleeps.Itisalwaysonforlogging.That'swhythecenterscreenimmediatelycomsecondstowakeup.3G,Bluetooth,andWifiareclearlydisabledwhileasleep,butI'veneverseeniIngineerElectricalEngineerIjustfiguredthatthe1.TEradiomightbefastertowakeupthantheolderradio.Joined:Aug9,2012REPORTThisisnottrue.TheMCUhas2separateanddistinctsystemsinit'shousing;the(performstheloggingfunction,anditrunsFreeRTOSonaFreescaleMPC5668G.TlwhiletheGatewaycanstayawake.Thttp:WWW.nxpcomproductsmicocontrollers-and-processorspower-architecture-pocessorsmpc5xxx-5xxx32bitmcus/mpc56xx-mcus/ultra-reliablempc5668g-mcu-for-automotive-industrial-gateway-applications:MPC5668GTencent固件特性硬件与booted.imghwidacq.logconfighwids.acqdtchwids.txtSD4GBmkdirreleasetar:ErrorisTSD4GBIs空11forest)nforest:/workspace/tesla/SD_4GBTSD4GBIslogOrigint.datupdate.logmodhwid.logIreIease.tgzmodinfo.logudsdebug.log&&tarxfrelease.tgz-Crelease/gzip:stdin:decompressionOK,trailinggarbageignoredtar:Childreturnedstatus2notrecoverable:exitingnowrelease/gtw,hdhndfd.hexhndfp.hexhndrd.hexhndrp.hexic.hexIft.hexlog.cfgmanifestmsm.hexpark.hexdhfd.hexdhfp.hexdhrd.hexdhrp.hexdifpga.hexdi.hexdsp.hexeas.hexepb.hexepbm.hexesp.hexbdy.hexbmscpld.hexbmshexChgphlcpldhexchgphlhexchgph2cpld,hexchgp2.hexchgph3cpld.hexchgph3.hexChgsphlcpldhexchgsphl.hexSD_4GBIchgsph2cpldhexchgsph2,hexchgsph3cpld.hexchgsph3.hexChgsvicpldhexchgsvihexchgvicpld.hexchgvi.hexcp.hexdcdc.hexddm.hexpdm.hexpm.hexptc.hexrccm.hexsec.hexsun.hexthe.hextpms_hard_cal.hextunercalhextunerdsp.hextuner.hex系统内存布局AddressRegionNameTeslaSpecificsStartEnd0x000000000x00020000F1.ASHBootloaderandInternalFiles0x000200000x00IFFFFFF1.ASH2CODERegionDATARegion0x400000000x400FFFFFSRAMUpdaterSystemwheninProgrammingModeProgramSegmentation回NameStartEndRWXD1.AlignBaseTyPeClassADviedsi三F1.ASH0000000000020000Xbyte00publicCODE32FFFFFFFFFFFFFFFF蔡F1.ASH200020000001F7AB8X1.byte00publicCODE32FFFFFFFFFFFFFFFF靠BAMOOFFOOOOOOFFFFFFRWbyte01publicREG32FFFFFFFFFFFFFFFFlQ1RAM4000000050000000RWbyte00publicDATA32FFFFFFFFFFFFFFFF匐AIPS.AC3000000C4000000RWdword01publicREG32FFFFFFFFFFFFFFFF崩AIPS.BFFFOOOOOFFFFFFFFRW*dword01publicREG32FFFFFFFFFFFFFFFF1.ine3of6寄存器内存布局TencentTableA-1.ModuleBaseAddresses(continued)ModuleNameBaseAddressPageI2C-AOXFFF8_8000PageA-55I2C-B0xFFF8.C0PageA-56DSP1_A0xFFF9-00PageA-56DSP1.B0xFFF9,40PageA-57eSCI_AOXFFFAJXx)OPageA-58eSC1.B0xFFFA_40pageA-58eSCI.C0xFFFA_80pageA-59eSCI_DOxFFFA.COPageA-59eSCI.EOXFFFBJX)OOpageA-60eSCI.F0xFFFB_40PageA-60eSCI.G0xFFFB_80oageA-61eSCi_HOxFFFB.CO三,ageA-6lFIexCaneAOXFFFCJ)OOOoageA62FteXCan_B0xFFFC_40Pag©A66FleXCan_C0xFFFC_80PageA71FtexCaneDOXFFFjCoPageA76FIeXCan_EOXFFFDjX)OOPageA80FIexCaneFOXFFFD_4000PageA85CTU_A0xFFFD_80PageA-89DMAMultiplexer0xFFFD-C0PageA91PrTOxFFFE.OOPageA-92eMIOS.A0xFFFE_4(XX)PageA-93SlUOXFFFJ80Pag©A-100CRPOxFFFE_C(XX)Pag©A-110FMP1.1.OxFFFF-O(XX)PageA-111PFlashConfiguration0xFFFF_80PageA-111BAMOXFFFF_COOoPageA-112Nameswindow回Name7Address,QCANA,ECRFFFC001C三0CANA.ESRFFFC0020f3CANA.IF1.AG1FFFC0030鱼CANA.MCRFFFCOOOOQCANA-RXIMR62FFFC0978BCANA_RXIMR63FFFC097CQCANB.ECRFFFC401CQCANB.IF1.AG1FFFC4030mCANBjMASKIFFFC4028QCAN8_MCRFFFC4000mCANC.ECRFFFC801Cf11CancjflagiFFFC8030何CancjmaskiFFFC8028OCANjMCRFFFC8000CAND.ECRFFFCC01Cf3CandjflagiFFFCC030f3CANDJMASiaFFFCC028dCAND.MCRFFFCCOOO!3CANE.ECRFFFD001C何CANE_1F1.AG1FFFD0030f11CanejmaskiFFFDOO28包CANE_MCRFFFDOOOOElCANE.ECRFFFD401Cf3CANFJF1.AGIFFFD4030(3CANFJMASKIFFFD4028(3CANF_MCRFFFD400041.ine46of346http:CaCTmrSvc”是定位FreeRTOS的关键.197198199200201202203204205206207208209210211212213214215216217218219220221222223224225PortBASE_TYPEXTimerCreateTimerTask(void)PortBASEJrYPExRturn-pdFAI1.;*ThisfunctioniscalledwhentheschedulerisstartedifCheckthattheinfrastructureusedbythetimerservicetaskhasbeencreated/initia1ised.Iftimershavealreadybeencreatedthentheinitialisationwillalreadyhavebeenperformed./PrvcheckForValid1.istAndQueue();(XTimerQueuei-NU1.1.)(INC1.UDE_xTImerGetTimerDaemonTaskHandle1)*Createit.canbeXReturn=telse*CreateXReturn-Iendif)thetimertask,storingitshandleinXTimerTaskHandlesoreturnedbytheXTimerGetTinierDaenjonTaakHandle()jXTaskCreate(prvTimerTaskr(thGtimertaskwithoutstoXTaskCreate(PrVTimerTask,(configASSERT(XReturn);×Return;itssignedchar*)："TmrSvc",(unsignedhandle.*/signedchar*)"TmrSvc",(unsignedtTasks代码及其执行状态组成了一个任务，FreeRTOS自身提供任务管理调度模块。Queues队列是FreeRToS中的消息传递形式，包括任务间的消息机制以及任务与中断的消息传递。etc.IOKEENsecurityIabhttp:/www.freertos.org

注意事项

本文（2022特斯拉安全漏洞.docx）为本站会员（夺命阿水）主动上传，课桌文档仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若此文所含内容侵犯了您的版权或隐私，请立即通知课桌文档（点击联系客服），我们立即给予删除！

温馨提示：如果因为网速或其他原因下载失败请重新下载，重复下载不扣分。