Vulnerability Details : CVE-2023-3028
Insufficient authentication in the MQTT backend (broker) allows an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using the HopeChart HQT-401 telematics unit. Other models are possibly affected too.
Multiple vulnerabilities were identified:
- The MQTT backend does not require authentication, allowing unauthorized connections from an attacker.
- The vehicles publish their telemetry data (e.g. GPS location, speed, odometer, fuel, etc.) as messages in public topics. The backend also sends commands to the vehicles as MQTT posts in public topics. As a result, an attacker can access the confidential data of the entire fleet that is managed by the backend.
- The MQTT messages sent by the vehicles or the backend are not encrypted or authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle's location.
- The backend can inject data into a vehicle's CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message and inject CAN data in any vehicle managed by the backend.
The confirmed version is 201808021036; however, further versions have also been identified as potentially impacted.
Published: 2023-06-01 06:15:15
Updated: 2023-09-28 06:15:09
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-3028
- cpe:2.3:o:hopechart:hqt401_firmware:201808021036:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3028
- 0.12%: Probability of exploitation activity in the next 30 days
- ~46%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-3028
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 3.9 | 4.7 | Automotive Security Research Group (ASRG) | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-3028
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: cve@asrg.io (Secondary), nvd@nist.gov (Primary)
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: cve@asrg.io (Secondary)
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Assigned by: cve@asrg.io (Secondary)
References for CVE-2023-3028
- https://garage.asrg.io/cve-2023-3028-improper-backend-communications-allow-access-and-manipulation-of-the-telemetry-data/
- https://asrg.io/security-advisories/cve-2023-3028/ (Improper Backend Communications Allow Access And Manipulation Of The Telemetry Data - Automotive Security Research Group)