Zero Day Initiative | Blog
Follow
Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI
The Pioneer DMH-WT7600NEX in-vehicle infotainment unit has been selected as a target for the upcoming Pwn2Own Automotive contest. To research vulnerabilities, the unit's software needed to be extracted, which proved challenging due to the lack of a serial console and encrypted software update package. Researchers chose to extract the eMMC contents in-system, connecting to the eMMC chip via test points on the board and holding the main SoC in reset. The extracted data revealed a Linux-based system with a GPT partition table and various partitions containing the bootloader, kernel, and root file system. The system partition contained custom software concentrated in /usr/local/ subdirectories. The software update package was found to be structured with a header, RSA signature block, and encrypted update data. Researchers also discovered a serial console by studying the bootloader partitions and manipulating the backup partition to enable console output and login prompt. The unit's Bluetooth and Wi-Fi connectivity, as well as its USB port, present potential attack vectors, with the Wi-Fi connectivity allowing for the discovery of open TCP ports and non-standard services. The unit's support for various audio and video file formats also presents a potential source of exploitable bugs.