BYD QIN PLUS DM-i Dilink OS Unencrypted Cloud Broadcast Vulnerability Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in the BYD QIN PLUS DM-i vehicle's Dilink OS, in versions from 3.0_13.1.7.2204050.1 prior to 3.0_13.1.7.2312290.1_0. The system broadcasts data to the manufacturer's cloud server without encryption, which allows an attacker positioned on the communication path to intercept and manipulate the traffic. This flaw could be exploited to hijack CAN (Controller Area Network) traffic, potentially exposing sensitive vehicle information and real-time driving status to unauthorized parties.

Impact

Exploitation of this vulnerability could lead to unauthorized interception and modification of data sent to the manufacturer's cloud server, allowing attackers to collect and analyze CAN traffic remotely. This could disrupt the normal data collection process and interfere with the vehicle's reported driving status.

Reproduction

The vulnerability can be reproduced by installing an application on the affected IVI (In-Vehicle Infotainment) system that requires only standard permissions. Once the app is running, it can access an unprotected broadcast feature and redirect the CAN traffic data to an attacker-controlled server, effectively hijacking the vehicle's data transmission to the cloud.

Remediation

The vulnerability has been addressed in the latest versions of the BYD QIN PLUS DM-i Dilink OS. Users are advised to update to the most recent version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.