Advertisement






Comma Openpilot Insecure Default Configuration

CVE Category Price Severity
CVE-2021-38970 CWE-306 Not available High
Author Risk Exploitation Type Date
Felix von Leitner High Local 2022-06-05
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022060015

Below is a copy:

Comma Openpilot Insecure Default Configuration
=====
Intro
=====

Comma is a company that makes open source driver assist technology for automobiles. Openpilot is the brains of the comma two device. You can choose to give your car a software upgrade to perform automated functions better. It utilizes or improves upon the experience of Adaptive Cruise Control, Automated Lane Centering, Forward Collision Warning and Lane Departure Warning while also adding Driver Monitoring as a safety feature. This competes with the likes of Tesla Autopilot and GM Super Cruise, except that its open source software.

Openpilot deploys a bunch of local services written in Python to facilitate data going from the car to Comma devices and visa-versa. To get an in-depth view of how this works, refer to https://desosa.nl/projects/openpilot/2020/03/11/from-vision-to-architecture.html for a more complete explanation and design diagram.

After evaluating and testing various local and remote attack vectors on the system, mostly around device permissions, hardening core processes and SSH access to the device, the product seemed pretty solid. A few security suggestions were shared with the dev team and changes were made by the dev team, see the Fixes section below for more details.

=======
Details
=======

See https://i.haxx.cc/2021/01/25/who-wants-to-drive/ for a full walkthrough.

openpilot-scan.sh was created to check for devices on your local network that allow login with the default SSH key.

-> https://packetstormsecurity.com/files/160735/Openpilot-Default-SSH-Key-Scanner.html

=====
Fixes
=====

- Device permissions
-- https://github.com/commaai/openpilot/pull/21922/commits/56114a9db7360e8ab13393d1a5de83fde30e28da

- Processes running as non-root
-- "Openpilot can now mostly run as a non-privileged user"

- SSH key
-- "We removed the default SSH key in the latest NEOS update and SSH is now turned off by default. We require the user to turn this on manually now and can only be used with their public keys from their github."

- Warning for URLs other than Openpilot official
-- WONTFIX

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.