CVE-2025-7020 (published Aug 9, 2025)

BYD DiLink OS Insecure credential storage due to hard-coded cryptographic key

Description

Overview

A vulnerability exists in the DiLink 3.0 operating system (version 13.1.32.2307211.1) used in the multimedia units of BYD vehicles. The system log dumps are encrypted, but the encryption relies on key material that is hard-coded in, or derivable from, the unit's own software. An attacker with physical access to the car can therefore regenerate the key, bypass the encryption and read the sensitive personal and location data the dumps contain. The issue is rated medium severity (CVSS 5.1).


Product Information

Affected Product/Component Name

DiLink 3.0 OS (Multimedia Unit)

Services or other products relevant to the affected products

In-Vehicle Infotainment (IVI) system

Version(s) 

13.1.32.2307211.1

Vendor/OEM/Supplier

BYD


Description

The multimedia unit in BYD cars such as the ATTO 3, running DiLink 3.0 (version 13.1.32.2307211.1), periodically writes system log dumps to its storage. These dumps contain sensitive data, including personally identifiable information and location data. A patch was released (following CVE-2024-54728) to encrypt these logs, but the encryption implementation is flawed: the key material needed to decrypt the dumps is hard-coded in, or derivable from, the unit's own software, so an attacker who can read the unit can regenerate the key and recover the sensitive information.

Attack Path

Attacker gains physical access to the vehicle.

Attacker accesses the multimedia unit's debug port.

Attacker locates the encrypted log dump files.

Because the key material is hard-coded in the unit's software, the attacker regenerates the encryption key for the log dumps, decrypts them and exfiltrates the data.


Impact

An attacker who successfully exploits this vulnerability can gain access to sensitive information stored within the system logs. This includes personally identifiable information (PII) and location data, potentially leading to privacy violations, tracking of the vehicle's movements, or other malicious activities.


Tools and techniques

Exploiting this vulnerability requires only freely available tools: ADB to reach the unit over the debug port and download the log dumps, and APKtool and JADX to decompile the application and extract the key material, including the Initialization Vector (IV) used in the AES stage of the encryption. No hardware attack or proprietary tooling is needed, which is why the key being present on the unit reduces the encryption to obscurity (CWE-656).

Recommendations

BYD should review and correct the encryption implementation for the system log dumps. The defect to remove is that everything needed to decrypt a dump is present on the unit itself: the key material is hard-coded or derivable, so the encryption only hides the data from someone who has not yet decompiled the app. An asymmetric encryption scheme with proper key management, in which the unit holds only an encryption (public) key and the corresponding decryption key is kept off-vehicle, removes that property; it should be built following secure implementation practices (a fresh random key and IV per dump, authenticated encryption). The new implementation should be independently tested.
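To make the difference between the attack path above and the recommended design concrete, here is an added example. It is not BYD's code and not code from the advisory; it is a Go stand-in (the real unit runs Android, but the structure is the same) that places a hypothetical weak scheme in the style the advisory describes, where the AES key and IV are constants in the unit's software and so are recoverable by decompiling it, beside the hybrid public-key design the recommendation calls for, in which the unit holds only a public key and decryption is only possible where the private key is held. The key values, the OAEP label, the blob layout, the function names and the sample log line are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Weak scheme (a hypothetical stand-in for the flawed design): AES-CTR with a
// key and IV that are constants in the unit's own software. Anyone who pulls
// the app off the debug port and decompiles it recovers both values.
var (
	weakKey = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	weakIV  = []byte("fixed-iv-16bytes")                 // constructed 16-byte IV, reused for every dump
)

// WeakCrypt is both the unit's encryptor and the attacker's decryptor: with the
// constants in hand the operation is its own inverse, and the output is
// deterministic, so identical dumps produce identical ciphertext.
func WeakCrypt(data []byte) []byte {
	block, _ := aes.NewCipher(weakKey) // key length is fixed above, cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, weakIV).XORKeyStream(out, data)
	return out
}

// Hardened scheme: hybrid public-key encryption. The unit stores only the
// public key; the private key stays off-vehicle with whoever is entitled to
// read the dumps. Each dump gets a fresh random AES-256-GCM key and nonce, and
// the key is wrapped with RSA-OAEP, so nothing stored on the unit can decrypt.
// Blob layout: wrappedKey (pub.Size() bytes) || nonce (12) || ciphertext+tag.
var oaepLabel = []byte("dilink-log-v1") // hypothetical domain-separation label

// GenerateOffVehicleKey models the key pair created outside the vehicle;
// only its public half would be provisioned to the unit.
func GenerateOffVehicleKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func EncryptHybrid(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(wrapped, nonce...)
	return append(blob, gcm.Seal(nil, nonce, plain, nil)...), nil
}

// DecryptHybrid runs off-device, wherever the private key is held. GCM's tag
// check makes it fail on any modification of the blob.
func DecryptHybrid(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	ks := priv.PublicKey.Size()
	if len(blob) < ks+12 {
		return nil, errors.New("blob too short")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:ks], oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[ks:ks+ns], blob[ks+ns:], nil)
}

func main() {
	dump := []byte("2025-08-09T12:00:00Z gps lat=22.54 lon=114.06 user=... (constructed sample)")
	fmt.Println("weak: deterministic =", bytes.Equal(WeakCrypt(dump), WeakCrypt(dump)))
	priv, _ := GenerateOffVehicleKey()
	blob, _ := EncryptHybrid(&priv.PublicKey, dump)
	plain, err := DecryptHybrid(priv, blob)
	fmt.Println("hybrid: roundtrip ok =", err == nil && bytes.Equal(plain, dump))
}
```

The hybrid construction is used rather than encrypting the dump directly with RSA because RSA-OAEP can only wrap a few dozen bytes; the per-dump symmetric key is what carries the data, and wrapping it with the public key is what moves the decryption capability off the unit. The same structure applies to an X25519 or ECIES wrap if RSA is unwanted on the device.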

Advisory Details

Affected Products: BYD's DiLink 3.0 OS
Problem Type: CWE-656 Reliance on Security Through Obscurity
CAPEC ID: CAPEC-37 Retrieve Embedded Sensitive Data
CVSS Score: 5.1 (Medium)
Published: Aug 9, 2025