Breaking Down the Attack Surfa... Note

Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part One

The Kenwood DNR1007XR head unit is a target for the Pwn2Own Automotive contest, offering features like Android Auto and Apple CarPlay. This blog post details its external features, including an SD card slot behind the screen and a USB port for various functionalities. Internally, the unit features multiple interconnected boards, with the main board housing key components.The primary processor is the Dolphin+ TCC8034 System on a Chip, capable of running Android, Linux, and QNX. It runs on Linux and is similar to a SoC used in last year's Kenwood target. A Kioxia eMMC chip stores the device firmware, and a Winbond flash chip holds additional data.A Murata radio module handles Wi-Fi and Bluetooth operations, with its specific model number being LBEE6ZZ1WD-334. This module lacks publicly available datasheets, making its details obscure. A significant discovery is a debug connector on the main board's right edge.This connector provides access to a Linux login prompt via UART at 115200bps. Successful authentication grants a shell, presenting a potential attack vector. The post aims to provide sufficient information for vulnerability research, with more analysis to follow. The authors encourage keeping an eye on automotive vendor security improvements for future contests. They share their social media handles for those interested in exploit techniques and security patches.
CdXz5zHNQW_EZiDBlz8ag.jpeg