Research - [CVE-2024-6347] - Unauthorized access to ECU functionality
Title: Predictable seed generation after ECU reset
Date: 15/08/2024
CVE-ID: CVE-2024-6347
CVSS Score: 5.3 (v4)
Author: Thomas Sermpinis
Versions: Nissan Altima MY22 - MY24 (More to be added)
CNA: ASRG
Tested on: Nissan Altima MY22 - MY24
Unprotected privileged mode access through UDS session in the Blind Spot Detection Sensor ECU firmware in Nissan Altima (2022) allows attackers to trigger denial-of-service (DoS) by unauthorized access to the ECU’s programming session. * No preconditions implemented for ECU management functionality through UDS session in the Blind Spot Detection Sensor ECU in Nissan Altima (2022) allows attackers to disrupt normal ECU operations by triggering a control command without authentication.
Disclosed in DefCon 32 - Engage, on August 11th, 2024, in Las Vegas, NV, during my talk “The hack, the crash and two smoking barrels. (And all the times I (almost) killed an engineer.)”.