Last updated at Fri, 06 Nov 2020 17:56:32 GMT
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.
An organization hired us to perform a penetration test on a self-driving car—as it turns out, there are several self-driving projects available on the market today, so we were tasked with assessing the attack surface of the vehicle to enumerate vulnerabilities that could lead to remote control of the vehicle. This included testing a somewhat broad scope of the vehicle, including its CAN Bus and TCP/IP networking.
I was responsible for testing the TCP/IP portion of the assessment. Through testing, we followed a similar methodology to an internal penetration test. We connected to the network using an ethernet cable, scanned the vehicle’s Local Area Network identifying alive hosts, port scanned to fingerprint for services, etc.
While scanning, we found that anonymous FTP was enabled on a couple of the hosts. Upon further inspection, we learned that it allowed Read and Write with Root permissions to the Root directory of its Linux operating system. We uploaded our own private key to the system using the anonymous login and found that we could then SSH in. Turns out the hosts were part of the radar controller unit. This system failing while the vehicle was in motion could lead to the car crashing.
Continuing our testing, we also found that the system had several instances of Docker listening. The Docker interfaces were bound to the hosts’ external TCP/IP interface. Insecure Docker images are pretty common on corporate networks, and sure enough, this proved to be the case with the car! Not only was the service bound to the hosts external interface, it also was not configured with authentication. This led to us accessing the Docker host as well as the Docker images with Root privileges. Turns out, these systems were the controllers for the Autonomous Vehicle System, the device that stored proprietary software for how the vehicles leverage its Artificial Intelligence and Machine Learning algorithms.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.
- This One Time on a Pen Test: Playing Social Security Slots
- This One Time on a Pen Test: I’m Calling My Lawyer
- This One Time on a Pen Test: Outwitting the Vexing VPN
- This One Time on a Pen Test: Ain't No Fence High Enough
- This One Time on a Pen Test: I Know...Everything
- This One Time on a Pen Test: Doing Well With XML