• eyezhenn@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    I worked for a certain media company that sold hardware / software in cars with memberships (typically through a deal with the OEMs). For those customers that have the hardware-only experience, a set of testing IDs can be applied that effectively give free membership and can’t really be revoked because of their wide-use in initial manufacturing provisioning. There have been multiple independent security reviews pointing this out, but not much can be done about it because of how the trial memberships are applied after manufacturing.

    • ttr@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I am VERY interested in your knowledge here. Feel free to DM me if you don’t want to post the info publicly. I pay this company, so I’m not looking for a free ride. I’m mostly just interested in how it all works.

      • eyezhenn@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        There is a decent amount of detail to go into to get to the meat of the issue. In hardware cases, the crux of the problem is that provisioning is generally pretty separated from the actual service and relies heavily on a data channel with the’tier 1’ manufacturers of the hardware modules. This all happens before the hardware is included in the vehicle manufacturing process such that the radios can be enabled as a trial on the dealership lots. There is a mode, however, that is used to ‘fake’ the id signature and fill the signed value with all 0s such that the device can be tested at the manufacturer before it is assigned a real id. If you write this flag to ROM, you could effectively gain full access immediately. However, because the software+hardware solution still uses the id for device with to gain IP service, you could also just proxy the traffic on an IP radio and use that signing mode to gain free access in IP much easier.