In November 2022, GoGoByte received vulnerability intelligence from the ASRG-China community that a serious vulnerability existed in the T-Box of Hangzhou Hopechart IoT Technology Co., Ltd., which was extensively utilized in engineering measurements by companies such as Sany Heavy Industry Co., Ltd. Combined with Sany Heavy Industry’s own server vulnerabilities, it posed the risk of significant consequences. In the first instance, GoGoByte reached out to the security teams at Sany and Hopechart, providing detailed intelligence on the vulnerability and fix recommendations. GoGoByte also notified the CAVD (China Automobile Vulnerability Database), a specialized repository for vehicle networking product security vulnerabilities under the Ministry of Industry and Information Technology. According to the “CAVD Vulnerability Classification and Management Rules”, the severity level of this vulnerability was classified as “critical.”
Thanks to the swift response and collaborative efforts of ASRG, GoGoByte, CAVD, and the relevant vendors, the vulnerability has now been fixed without causing any significant damage. ASRG has assigned this vulnerability the identifier CVE-2023-3028, with a CVSS base score of 9.8 (“Critical”), which is consistent with the CAVD Vulnerability Classification and Management Rules.
Vulnerability Description:
The vulnerability in the HopeChart HQT-401 T-Box discloses the address of the MQTT server, and insufficient authentication on that server (the MQTT backend) used by Sany vehicles equipped with the HopeChart HQT-401 T-Box allows an attacker to access and even tamper with the control and status data of the entire fleet. Multiple weaknesses were identified:
– The MQTT backend does not require authentication, allowing unauthorized connections from an attacker.
– The vehicles publish their telemetry data (e.g. GPS location, speed, odometer, fuel, etc.) as messages on public topics. The backend also sends commands to the vehicles as MQTT messages on public topics. As a result, an attacker can access the confidential data of the entire fleet that is managed by the backend.
– The MQTT messages sent by the vehicles or the backend are neither encrypted nor authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle’s location.
– The backend can inject data into a vehicle’s CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message and inject CAN data into any vehicle managed by the backend.
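The third and fourth items are the core of the problem: nothing ties an MQTT message to the vehicle or backend that claims to have sent it. The following is an added example, not code from the advisory, Hopechart or Sany, of the kind of message authentication a T-Box and backend could apply before trusting a payload: a per-vehicle HMAC bound to the topic, sender, sequence number and timestamp, so that forged, tampered or replayed messages are rejected. The topic layout, key provisioning and JSON field names are assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed sample: one pre-shared key per vehicle identity (the provisioning
# scheme and key format are assumptions, not the vendor's design).
VEHICLE_KEYS = {"veh-0001": b"constructed-demo-key-veh-0001"}


def _mac(key, topic, vehicle_id, seq, ts, body):
    # Bind the MAC to topic, sender, sequence number and timestamp so a captured
    # message cannot be replayed on another topic, as another vehicle, or later.
    canon = json.dumps({"t": topic, "v": vehicle_id, "s": seq, "ts": ts, "b": body},
                       sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def sign_message(vehicle_id, topic, body, seq, ts=None):
    """T-Box side: wrap a telemetry dict in an authenticated envelope (JSON string)."""
    ts = int(time.time()) if ts is None else ts
    env = {"vehicle_id": vehicle_id, "seq": seq, "ts": ts, "body": body}
    env["mac"] = _mac(VEHICLE_KEYS[vehicle_id], topic, vehicle_id, seq, ts, body)
    return json.dumps(env, sort_keys=True)


class Verifier:
    """Backend side: accept a message only if the MAC is valid for the topic it
    arrived on, the timestamp is fresh, and the per-vehicle sequence number advances."""

    def __init__(self, max_skew=60):
        self.max_skew = max_skew   # seconds of clock drift tolerated
        self.last_seq = {}         # highest accepted seq per vehicle (replay window)

    def verify(self, topic, raw, now=None):
        """Return the telemetry body if the message is authentic, else None."""
        now = int(time.time()) if now is None else now
        try:
            env = json.loads(raw)
            vid, seq, ts = env["vehicle_id"], int(env["seq"]), int(env["ts"])
            body, mac = env["body"], str(env["mac"])
            key = VEHICLE_KEYS[vid]  # unknown sender: no key to verify against
            ok = hmac.compare_digest(_mac(key, topic, vid, seq, ts, body).encode(), mac.encode())
        except (ValueError, KeyError, TypeError):
            return None  # malformed envelope or unknown vehicle
        if not ok:
            return None  # forged or tampered, or replayed on a different topic
        if abs(now - ts) > self.max_skew or seq <= self.last_seq.get(vid, -1):
            return None  # stale or replayed
        self.last_seq[vid] = seq
        return body
```

The same envelope, keyed with a backend key, applies in the other direction so that a T-Box rejects CAN-injection commands not produced by the real backend; it layers on top of broker authentication and TLS rather than replacing them.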
The security issues in vehicles involve the entire automotive industry chain, where any product defect from upstream to downstream companies can lead to significant security risks. As an essential contributor to the secure development of the automotive industry, GoGoByte has always been committed to providing full-life-cycle cybersecurity services for the automotive industry. In recent years, we have actively built communities, engaged in collaborative projects, and developed innovative products to address the security challenges faced by enterprises. Our mission is to safeguard the interconnected world through technological innovation and ensure the secure development of the automotive industry. We strive to fulfill our responsibilities by actively addressing security concerns, offering assistance, and providing reliable solutions.
This series of vulnerabilities was discovered and reported by ASRG security researchers Ramiro Pareja Veredas and Yashin Mehaboobe.
For more information on the vulnerability, please refer to:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3028