Vgate iCar2 WiFi OBD2 Dongle Inadequate Access Protections

`SEC Consult Vulnerability Lab Security Advisory < 20180529-0 >  
=======================================================================  
title: Unprotected WiFi access & Unencrypted data transfer  
product: Vgate iCar 2 WiFi OBD2 Dongle  
vulnerable version: Vgate iCar 2 WiFi OBD2 Dongle  
fixed version: -  
CVE number: CVE-2018-11476  
CVE-2018-11477  
CVE-2018-11478  
impact: Critical  
homepage: http://www.vgate.com.cn  
found: 2018-04-24  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Based in Shenzhen, China, Vgate Technology.co ltd. specializes in the  
development, design and manufacture of diagnostic equipment, tools and  
accessories in the automotive aftermarket industry.  
We offers a selective range of products from automotive diagnostic tools  
including code readers and scan tools, to test and inspection equipment such as  
sensor testers and battery testers. Aside from the above, we also carry garage  
equipment like infrared paint dryers and pipe expanders, and automotive  
diagnostic accessories such as OBD diagnostic cable assemblies, SAE J1962  
connectors, and vehicle to PC (or PDA) interface adapters (VAG-COM interfaces).  
Though the company is young in age, we are strong in experiences in that all of  
our major engineers have extensive R&D experience in the automotive aftermarket  
technology. With the combination of our experienced and distinguished  
specialists, low-cost manufacturing and exceptional customer service, M.B is  
able to become the supplier of choice who delivers high quality products,  
user-friendly designs and most competitive prices to both professional and  
amateur (or DIYers) automotive technicians.  
  
We are proud of ourselves in providing cost effective, timely and innovative  
solutions with a first class service."  
  
Source: http://www.vgate.com.cn/en/Aboutus.html  
  
  
Business recommendation:  
------------------------  
By using the vulnerabilities which are documented in this advisory an attacker  
can easily send arbitrary messages to the automotive communication bus  
(CAN/FlexRay/...) of the car electronics and potentially take over  
safety-critical car functions.  
  
The vendor told SEC Consult in a phone call that our identified security  
issues are common practice for such hardware and therefore will not be fixed!  
  
SEC Consult recommends not to use this product until a thorough security  
review has been performed by security professionals and all identified  
issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unprotected WiFi Access (CVE-2018-11476)  
The dongle opens an unprotected wireless LAN which cannot be configured with an  
encryption / password. This enables anyone within the range of the WLAN to  
connect to the network without authentication.  
  
2) Unencrypted Data Transfer (CVE-2018-11477)  
The data packets which are sent between the App and the OBD dongle are not  
encrypted. The combination of this vulnerability with the lack of a wireless  
network protection exposes all transferred car data to the public.  
  
3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)  
The OBD port is used to receive measurement data and debug information from the  
car. This on-board diagnostics can also be used to send commands to the car  
which is different for every vendor / car product line / car.  
  
The mentioned features are usually needed for maintenance purposes but can be  
abused by attackers. This is possible because the OBD interface is directly  
accessible through port 35000 on the (unprotected) wireless access point of the  
OBD device.  
  
Because of the fact that it is never intended that other people have access to  
the data bus (e.g. CAN) of your car while you are driving, this vulnerability is  
seen as highly critical and a safety-critical threat to the public.  
  
  
Proof of concept:  
-----------------  
Detailed of proof of concepts have been removed as the vendor did not provide  
a patch.  
  
1) Unprotected WiFi Access (CVE-2018-11476)  
The unprotected wireless LAN is named "V-LINK". To create it, the "Fn-Link  
(6110R-IF)" is used. It acts as wireless UART bridge to hand over the commands  
of the App to the ELM327 compatible "iCar-2" chip.  
  
2) Unencrypted Data Transfer (CVE-2018-11477)  
All commands starting with "AT" and the "0100"/"0120" are strings which were  
sent from the App to the OBD Dongle. The "X" character is a wildcard for an  
arbitrary hexadecimal value and is used to anonymize car data in responses  
for this advisory.  
  
The following plain-text correspondence was recorded with wireshark during a  
test-drive:  
  
ATZ  
ELM327 v2.1  
>ATE0  
ATE0  
OK  
>ATE0  
OK  
>ATM0  
OK  
>ATL0  
OK  
>ATS0  
OK  
>AT@1  
OBDII to RS232 Interpreter  
>ATI  
ELM327 v2.1  
>ATH0  
OK  
>ATAT1  
OK  
>ATDPN  
6  
>ATSP0  
OK  
>0100  
SEARCHING...  
410098XXXXXX  
410098XXXXXX  
>ATH1  
OK  
>ATDPN  
A6  
>0100  
7E806410098XXXXXX  
7E906410098XXXXXX  
>ATH1  
OK  
>0100  
7E806410098XXXXXX  
7E906410098XXXXXX  
>0120  
7E806412080XXXXXX  
7E906412080XXXXXX  
[...]  
>ATDPN  
A6  
>ATDP  
AUTO, ISO 15765-4 (CAN 11/500)  
  
  
3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)  
a) Read access on port 35000 to the on-board diagnostics:  
* E.g. by sending the command "090X" vehicle information can be requested  
* By sending the command "AT RV" the battery voltage can be requested  
* The command "AT PPS" prints out the programmable parameter summary  
  
b) Write access to the onboard diagnostics:  
It was also possible to send commands to manipulate the CAN bus via WIFI.  
A Nissan car has been tested for this, proof of concept information has been  
removed.  
  
  
Vulnerable / tested versions:  
-----------------------------  
Vgate iCar 2 Wi-Fi OBD2 Dongle  
  
Based on an Amazon search a broad range of OBD2 dongles are just rebranded  
and may contain the same hardware. Some vendor names for the same device are:  
  
* TONWON  
* iCarsoft  
* iKKEGOL  
* [...]  
  
  
Vendor contact timeline:  
------------------------  
2018-04-25: Contacting vendor through [email protected]; No response.  
2018-05-07: Telephone call with CNCERT: No coordination for products.  
2018-05-08: Telephone call with vendor: Vendor does not consider the issues  
as problematic, will not be fixed  
2018-05-25: Requested CVE numbers.  
2018-05-29: Release of security advisory  
  
  
Solution:  
---------  
The vendor does not provide a fix and hence this product should not be used,  
especially while driving the car.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2018  
  
`