undefined | Better HN

0 pointsMichaelZuo2y ago0 comments

The 'early release tests' weren't testing an identical copy of the actual update?

0 comments

DannyBee2y ago

It's probably closer to:

The test vehicles accept test/prod signed versions

Regular vehicles only accept prod signed versions

They are otherwise identical.

The test vehicles were sent test signed versions

The prod vehicles were sent the exact same update, signed with test.

This would not be uncommon since the test vehicles probably occasionally run test releases for debugging.

Further, the update is probably multiple signed pieces, and the only part accidentally signed with test was likely infotainment software.

Or something like this.

It's hard to believe they wouldn't test sending badly signed updates, so i have to imagine it's a particularly weird badly signed update.

In other words, i would not assume they are idiots.

AlotOfReading2y ago

It'd be pretty silly to implement an OTA scheme that didn't check signatures before installing updates. That would mean any random attacker could soft-brick the module by sending an invalid image, which a development image should be to a production vehicle.

You could get this situation if the application code accepted signatures the bootloader does not though. I can imagine that accidentally occurring.

DannyBee2y ago

Sure, but it could also be signed binaries inside the OTA, a variant of what you are talking about.

IE OTA is a signed package, inside package are also signed binaries. OTA itself is properly signed, a single binary (infotainment) is signed with wrong key.

While most OTA verifiers will verify the OTA signature (which this would pass), most don't verify the individual inside-package binary signatures at install time, only at runtime.

1 more reply

intern4tional2y ago

Likely not their code.

OTA is generally developed by tier 1, so this is probably a bug in the tier 1's code. (Samsung, Panasonic, Sony, etc are common tier 1s in this space.)

j / k navigate · click thread line to collapse

0 comments

DannyBee2y ago

It's probably closer to:

The test vehicles accept test/prod signed versions

Regular vehicles only accept prod signed versions

They are otherwise identical.

The test vehicles were sent test signed versions

The prod vehicles were sent the exact same update, signed with test.

This would not be uncommon since the test vehicles probably occasionally run test releases for debugging.

Further, the update is probably multiple signed pieces, and the only part accidentally signed with test was likely infotainment software.

Or something like this.

It's hard to believe they wouldn't test sending badly signed updates, so i have to imagine it's a particularly weird badly signed update.

In other words, i would not assume they are idiots.

AlotOfReading2y ago

You could get this situation if the application code accepted signatures the bootloader does not though. I can imagine that accidentally occurring.

DannyBee2y ago

Sure, but it could also be signed binaries inside the OTA, a variant of what you are talking about.

IE OTA is a signed package, inside package are also signed binaries. OTA itself is properly signed, a single binary (infotainment) is signed with wrong key.

While most OTA verifiers will verify the OTA signature (which this would pass), most don't verify the individual inside-package binary signatures at install time, only at runtime.

1 more reply

intern4tional2y ago

Likely not their code.

OTA is generally developed by tier 1, so this is probably a bug in the tier 1's code. (Samsung, Panasonic, Sony, etc are common tier 1s in this space.)

j / k navigate · click thread line to collapse