bugcrowd · adamrdavid · Mar 15, 2021 · Mar 10, 2021 · Mar 10, 2021 · Mar 12, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,12 +11,48 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 - broken_authentication_and_session_management.weak_login_function.over_http
 - server_security_misconfiguration.oauth_misconfiguration.account_squatting
 - Third-party mapping to [Secure Code Warrior](https://www.securecodewarrior.com/) trainings
+- automotive_security_misconfiguration.can.injection_battery_management_system
+- automotive_security_misconfiguration.can.injection_steering_control
+- automotive_security_misconfiguration.can.injection_pyrotechnical_device_deployment_tool
+- automotive_security_misconfiguration.can.injection_headlights
+- automotive_security_misconfiguration.can.injection_sensors
+- automotive_security_misconfiguration.can.injection_vehicle_anti_theft_systems
+- automotive_security_misconfiguration.can.injection_powertrain
+- automotive_security_misconfiguration.can.injection_basic_safety_message
+- automotive_security_misconfiguration.battery_management_system
+- automotive_security_misconfiguration.battery_management_system.firmware_dump
+- automotive_security_misconfiguration.battery_management_system.fraudulent_interface
+- automotive_security_misconfiguration.gnss_gps
+- automotive_security_misconfiguration.gnss_gps.spoofing
+- automotive_security_misconfiguration.immobilizer
+- automotive_security_misconfiguration.immobilizer.engine_start
+- automotive_security_misconfiguration.abs
+- automotive_security_misconfiguration.abs.unintended_acceleration_brake
+- automotive_security_misconfiguration.rsu
+- automotive_security_misconfiguration.rsu.sybil_attack
+- automotive_security_misconfiguration.infotainment_radio_head_unit
+- automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage
+- automotive_security_misconfiguration.infotainment_radio_head_unit.ota_firmware_manipulation
+- automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot
+- automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot
+- automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services
+- automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump
+- automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick
+- automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials
 
 ### Removed
 - insufficient_security_configurability.lack_of_verification_email
 - broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
 - broken_authentication_and_session_management.weak_login_function.http_and_https_available
 - broken_authentication_and_session_management.weak_login_function.lan_only
+- automotive_security_misconfiguration.infotainment
+- automotive_security_misconfiguration.infotainment.pii_leakage
+- automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
+- automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
+- automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
+- automotive_security_misconfiguration.infotainment.source_code_dump
+- automotive_security_misconfiguration.infotainment.dos_brick
+- automotive_security_misconfiguration.infotainment.default_credentials
 
 ### Changed
  - server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_non_sensitive_page updated remediation advice

diff --git a/deprecated-node-mapping.json b/deprecated-node-mapping.json
@@ -166,5 +166,29 @@
   },
   "broken_authentication_and_session_management.weak_login_function.lan_only": {
     "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
+  },
+  "automotive_security_misconfiguration.infotainment": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit"
+  },
+  "automotive_security_misconfiguration.infotainment.pii_leakage": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage"
+  },
+  "automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot"
+  },
+  "automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot"
+  },
+  "automotive_security_misconfiguration.infotainment.unauthorized_access_to_services": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services"
+  },
+  "automotive_security_misconfiguration.infotainment.source_code_dump": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump"
+  },
+  "automotive_security_misconfiguration.infotainment.dos_brick": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick"
+  },
+  "automotive_security_misconfiguration.infotainment.default_credentials": {
+    "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials"
   }
 }
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -910,12 +910,16 @@
       "id": "automotive_security_misconfiguration",
       "children": [
         {
-          "id": "infotainment",
+          "id": "infotainment_radio_head_unit",
           "children": [
             {
               "id": "pii_leakage",
               "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
             },
+            {
+              "id": "ota_firmware_manipulation",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+            },
             {
               "id": "code_execution_can_bus_pivot",
               "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
@@ -978,6 +982,38 @@
         {
           "id": "can",
           "children": [
+            {
+              "id": "injection_battery_management_system",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_steering_control",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_pyrotechnical_device_deployment_tool",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_headlights",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_sensors",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_vehicle_anti_theft_systems",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_powertrain",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
+            {
+              "id": "injection_basic_safety_message",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            },
             {
               "id": "injection_disallowed_messages",
               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
@@ -987,6 +1023,55 @@
               "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
             }
           ]
+        },
+        {
+          "id": "battery_management_system",
+          "children": [
+            {
+              "id": "firmware_dump",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
+            },
+            {
+              "id": "fraudulent_interface",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
+            }
+          ]
+        },
+        {
+          "id": "gnss_gps",
+          "children": [
+            {
+              "id": "spoofing",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            }
+          ]
+        },
+        {
+          "id": "immobilizer",
+          "children": [
+            {
+              "id": "engine_start",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            }
+          ]
+        },
+        {
+          "id": "abs",
+          "children": [
+            {
+              "id": "unintended_acceleration_brake",
+              "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            }
+          ]
+        },
+        {
+          "id": "rsu",
+          "children": [
+            {
+              "id": "sybil_attack",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+            }
+          ]
         }
       ]
     },

diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
@@ -436,7 +436,7 @@
       "cwe": null,
       "children": [
         {
-          "id": "infotainment",
+          "id": "infotainment_radio_head_unit",
           "cwe": null
         },
         {
@@ -446,6 +446,26 @@
         {
           "id": "can",
           "cwe": null
+        },
+        {
+          "id": "battery_management_system",
+          "cwe": null
+        },
+        {
+          "id": "gnss_gps",
+          "cwe": null
+        },
+        {
+          "id": "immobilizer",
+          "cwe": null
+        },
+        {
+          "id": "abs",
+          "cwe": null
+        },
+        {
+          "id": "rsu",
+          "cwe": null
         }
       ]
     },

diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
@@ -1268,7 +1268,7 @@
       "remediation_advice": "",
       "children": [
         {
-          "id": "infotainment",
+          "id": "infotainment_radio_head_unit",
           "children": [
             {
               "id": "pii_leakage",
@@ -1277,6 +1277,13 @@
                 "https://www.prnewswire.com/news-releases/carsblues-vehicle-hack-exploits-vehicle-infotainment-systems-allowing-access-to-call-logs-text-messages-and-more-300751244.html"
               ]
             },
+            {
+              "id": "ota_firmware_manipulation",
+              "remediation_advice": "Implement key signing and firmware verification.",
+              "references": [
+                "https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/"
+              ]
+            },
             {
               "id": "code_execution_can_bus_pivot",
               "remediation_advice": "Filter arbitrary commands and apply input validation to any media devices to prevent executing from the infotainment system. Make sure that the infotainment system is on a sandbox module and does not have direct interaction to the CANbus network.",
@@ -1386,6 +1393,62 @@
         {
           "id": "can",
           "children": [
+            {
+              "id": "injection_battery_management_system",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the battery management system.",
+              "references": [
+                "https://i.blackhat.com/USA-20/Wednesday/us-20-Kiley-Reverse-Engineering-The-Tesla-Battery-Management-System-To-Increase-Power-Available.pdf"
+              ]
+            },
+            {
+              "id": "injection_steering_control",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the steering control.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
+            {
+              "id": "injection_pyrotechnical_device_deployment_tool",
+              "remediation_advice": "Countermeasures of this attack include selection of suitable technologies, hard-wired plausibility checks, usage of cryptography, and hardening against brute force attacks of the keys or algorithms.",
+              "references": [
+                "https://www.rapid7.com/db/modules/post/hardware/automotive/pdt/"
+              ]
+            },
+            {
+              "id": "injection_headlights",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the headlights.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
+            {
+              "id": "injection_sensors",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the sensors.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
+            {
+              "id": "injection_vehicle_anti_theft_systems",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Vehicle Anti-theft Systems.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
+            {
+              "id": "injection_powertrain",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Powertrain.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
+            {
+              "id": "injection_basic_safety_message",
+              "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Basic Safety Message.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            },
             {
               "id": "injection_disallowed_messages",
               "remediation_advice": "Filter malicious CANbus requests or codes especially if not included in the DBC file by implementing a secure gateway.",
@@ -1402,6 +1465,73 @@
               ]
             }
           ]
+        },
+        {
+          "id": "battery_management_system",
+          "children": [
+            {
+              "id": "firmware_dump",
+              "remediation_advice": "Implement secure boot, obfuscate the code, and compression algorithm with hardware-backed dictionary. Find creative ways to break disassemblers and debuggers.",
+              "references": [
+                "https://en.wikipedia.org/wiki/Security_through_obscurityhttps://www.researchgate.net/publication/320859156_Source_Code_Vulnerabilities_in_IoT_Software_Systems"
+              ]
+            },
+            {
+              "id": "fraudulent_interface",
+              "remediation_advice": "Protect and make sure the battery management system provides prevention from operating outside its safe operating area.",
+              "references": [
+                "https://en.wikipedia.org/wiki/Battery_management_system"
+              ]
+            }
+          ]
+        },
+        {
+          "id": "gnss_gps",
+          "children": [
+            {
+              "id": "spoofing",
+              "remediation_advice": "Implement a system that detects GPS spoofing which evaluates or prevents the system from believing and acting on false data.",
+              "references": [
+                "https://www.kaspersky.com/blog/gps-spoofing-protection/26837/"
+              ]
+            }
+          ]
+        },
+        {
+          "id": "immobilizer",
+          "children": [
+            {
+              "id": "engine_start",
+              "remediation_advice": "Implement a secure gateway to protect against immobilizer attacks, assign significant bytes in data and a method to send an abnormal signal overwriting the false data when a communication error has occurred.",
+              "references": [
+                "https://www.kaspersky.com/blog/36c3-immobilizers/32419/"
+              ]
+            }
+          ]
+        },
+        {
+          "id": "abs",
+          "children": [
+            {
+              "id": "unintended_acceleration_brake",
+              "remediation_advice": "Implement a secure gateway to protect against ABS attacks.",
+              "references": [
+                "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+              ]
+            }
+          ]
+        },
+        {
+          "id": "rsu",
+          "children": [
+            {
+              "id": "sybil_attack",
+              "remediation_advice": "Known approaches to Sybil attack prevention include identity validation, social trust graph algorithms, or economic costs, personhood validation, and application-specific defenses.",
+              "references": [
+                "https://en.wikipedia.org/wiki/Sybil_attack"
+              ]
+            }
+          ]
         }
       ]
     },