Bosch Infotainment ECU Vulnerability in Nissan Leaf ZE1 2020 Allowing Man-in-the-Middle Attack via Misconfigured SSL/TLS Communication

Vulnerability

A vulnerability exists in the Bosch-manufactured infotainment ECU of the 2020 Nissan Leaf ZE1, related to the Redbend service used for over-the-air updates. The issue arises because the default SSL configuration does not properly verify server certificates, allowing an attacker to impersonate a Redbend server with a self-signed certificate. This could give the attacker unauthorized access to the vehicle's update system and a way to exploit other vulnerabilities within the ECU.
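The check below is an added example, not code from the original advisory or from the affected ECU: it runs an in-memory TLS handshake to show that a client with verification disabled accepts a self-signed server certificate while a verifying client rejects it. The Python `ssl` module, the hostname `ota.example.test` and the throwaway certificate are assumptions for illustration (the page does not name the ECU's TLS library), and the `openssl` command-line tool must be installed.

```python
import os, ssl, subprocess, tempfile

HOST = "ota.example.test"  # constructed hostname, not the real update server

def self_signed_server_context(workdir):
    """Server side presenting a throwaway self-signed certificate."""
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1",
                    "-subj", "/CN=" + HOST], check=True, capture_output=True)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    return ctx

def weak_client_context():
    """Mirrors the described flaw: no chain validation, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def client_accepts(client_ctx, server_ctx):
    """Handshake over memory BIOs; True if the client accepts the server cert."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):
        try:
            client.do_handshake()
            return True                       # client finished: cert accepted
        except ssl.SSLWantReadError:
            pass                              # client is waiting for server data
        except ssl.SSLCertVerificationError:
            return False                      # untrusted certificate rejected
        s_in.write(c_out.read())              # client -> server
        try:
            server.do_handshake()
        except ssl.SSLWantReadError:
            pass
        c_in.write(s_out.read())              # server -> client
    raise RuntimeError("handshake did not complete")

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        server_ctx = self_signed_server_context(d)
        return {"weak": client_accepts(weak_client_context(), server_ctx),
                "hardened": client_accepts(ssl.create_default_context(), server_ctx)}

if __name__ == "__main__":
    print(run_demo())
```

The same pair of handshakes can serve as a regression test for any update client: the build should fail if the production context ever accepts the self-signed server.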

Impact

Exploitation of this vulnerability could lead to a Man-in-the-Middle (MitM) attack, allowing an attacker to intercept and manipulate data between the infotainment system and the Redbend server. This could include injecting malicious update data or provisioning information.

Reproduction

The vulnerability can be reproduced by establishing a Bluetooth connection with the Nissan Leaf infotainment system and then initiating a hands-free profile communication. This process can be automated with a script that bypasses the anti-theft mechanism and exploits the stack buffer overflow vulnerability in the Bluetooth stack, leading to remote code execution on the infotainment ECU.

Added: Jan 22, 2026, 4:34 PM
Updated: Jan 22, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 5.6
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.