Over-the-Air - How We Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Explore the intricacies of remotely compromising Tesla car systems in this Black Hat conference presentation. Delve into the technical details of exploiting multiple zero-day vulnerabilities across various in-vehicle components, including the Gateway, BCM, and Autopilot ECUs. Learn about the inner workings of over-the-air technology and the new attack chain developed during Tesla hacking in 2017. Examine topics such as memory manipulation, kernel exploration, AppArmor rules, firmware deployment processes, and the exploitation of Easter egg functionalities. Gain insights into the presenters' methods for achieving root access, patching different ECUs, and fully compromising Tesla vehicles. Understand Tesla's response to these findings and subsequent security enhancements implemented to address the vulnerabilities.

Intro
Source view
Memory view
Fill with ArrayStorage
Refill with Uint32Array
Explore Kernel
QtCarBrowser AppArmor rules
Fix solution in V2
Gateway file operation protocol
Gateway diagnostic protocol
Gateway update
Filesystem of the gateway
OTA Overview
Cloud - Car: Firmware Deploy
Ethernet Connected ECUs - Step 1
Traditional ECUs: In Bundle
Traditional ECUs: Firmware Info
Traditional ECUS: Create and Send Files
How Easter egg works?
Triggers on CID
Start on BCCEN
Easter egg start
How we patch
Patch in CID
Reverse of ECUS
Patch of BCCEN
Patch of BCFRONT
Autopilot ECU
Ape-updater
Commands for update
m3_factory_deploy
Exploit
Get Root
Fixed by Tesla
Fully Compromised
Tesla's Response
Security Enhancement