# Comma Three Security
Small notes on Comma Three security.

# SSH Remote Access
It appears from their docs that most users connect to their device
using ssh with the hostname `ssh.comma.ai` which resolves to
`104.214.96.241`, with the whois record showing the owner as
`Microsoft Corporation (MSFT)`.


So basically the device phones home to Microsoft.


# SSH Keys
On the device, the root filesystem is mounted read-only.
There is a `/persist` directory that contains some SSH RSA
keys:

```
root@tici:~# date ; ls -Rl /persist/
Sun 23 Jan 2022 02:30:39 AM UTC
/persist/:
total 4
drwxrwxr-x 2 comma comma 4096 Jan 14 23:41 comma

/persist/comma:
total 8
-rw------- 1 comma comma 1679 Jan 14 23:41 id_rsa
-rw-rw-r-- 1 comma comma  451 Jan 14 23:41 id_rsa.pub
```

The keys were created before the device shipped, not on first
boot, if the file timestamp is correct. So that ssh key
is in cleartext through the supply chain.

## Uh
Ok, this is perhaps even more absurd reading the docs:

```
1. Download the private key from the openpilot repo.. Save the key file as a text file and name it something like key.pem.
```

From: https://github.com/commaai/openpilot/wiki/SSH


That key:
https://raw.githubusercontent.com/commaai/openpilot/master/tools/ssh/id_rsa

```
-----BEGIN RSA PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+iXXq30Tq+J5N
Kat3KWHCzcmwZ55nGh6WggAqECa5CasBlM9VeROpVu3beA+5h0MibRgbD4DMtVXB
t6gEvZ8nd04E7eLA9LTZyFDZ7SkSOVj4oXOQsT0GnJmKrASW5KslTWqVzTfo2XCt
Z+004ikLxmyFeBO8NOcErW1pa8gFdQDToH9FrA7kgysic/XVESTOoe7XlzRoe/eZ
acEQ+jtnmFd21A4aEADkk00Ahjr0uKaJiLUAPatxs2icIXWpgYtfqqtaKF23wSt6
1OTu6cAwXbOWr3m+IUSRUO0IRzEIQS3z1jfd1svgzSgSSwZ1Lhj4AoKxIEAIc8qJ
rO4uymCJAgMBAAECggEBAISFevxHGdoL3Z5xkw6oO5SQKO2GxEeVhRzNgmu/HA+q
x8OryqD6O1CWY4037kft6iWxlwiLOdwna2P25ueVM3LxqdQH2KS4DmlCx+kq6FwC
gv063fQPMhC9LpWimvaQSPEC7VUPjQlo4tPY6sTTYBUOh0A1ihRm/x7juKuQCWix
Cq8C/DVnB1X4mGj+W3nJc5TwVJtgJbbiBrq6PWrhvB/3qmkxHRL7dU2SBb2iNRF1
LLY30dJx/cD73UDKNHrlrsjk3UJc29Mp4/MladKvUkRqNwlYxSuAtJV0nZ3+iFkL
s3adSTHdJpClQer45R51rFDlVsDz2ZBpb/hRNRoGDuECgYEA6A1EixLq7QYOh3cb
Xhyh3W4kpVvA/FPfKH1OMy3ONOD/Y9Oa+M/wthW1wSoRL2n+uuIW5OAhTIvIEivj
6bAZsTT3twrvOrvYu9rx9aln4p8BhyvdjeW4kS7T8FP5ol6LoOt2sTP3T1LOuJPO
uQvOjlKPKIMh3c3RFNWTnGzMPa0CgYEA0jNiPLxP3A2nrX0keKDI+VHuvOY88gdh
0W5BuLMLovOIDk9aQFIbBbMuW1OTjHKv9NK+Lrw+YbCFqOGf1dU/UN5gSyE8lX/Q
FsUGUqUZx574nJZnOIcy3ONOnQLcvHAQToLFAGUd7PWgP3CtHkt9hEv2koUwL4vo
ikTP1u9Gkc0CgYEA2apoWxPZrY963XLKBxNQecYxNbLFaWq67t3rFnKm9E8BAICi
4zUaE5J1tMVi7Vi9iks9Ml9SnNyZRQJKfQ+kaebHXbkyAaPmfv+26rqHKboA0uxA
nDOZVwXX45zBkp6g1sdHxJx8JLoGEnkC9eyvSi0C//tRLx86OhLErXwYcNkCf1it
VMRKrWYoXJTUNo6tRhvodM88UnnIo3u3CALjhgU4uC1RTMHV4ZCGBwiAOb8GozSl
s5YD1E1iKwEULloHnK6BIh6P5v8q7J6uf/xdqoKMjlWBHgq6/roxKvkSPA1DOZ3l
jTadcgKFnRUmc+JT9p/ZbCxkA/ALFg8++G+0ghECgYA8vG3M/utweLvq4RI7l7U7
b+i2BajfK2OmzNi/xugfeLjY6k2tfQGRuv6ppTjehtji2uvgDWkgjJUgPfZpir3I
RsVMUiFgloWGHETOy0Qvc5AwtqTJFLTD1Wza2uBilSVIEsg6Y83Gickh+ejOmEsY
6co17RFaAZHwGfCFFjO76Q==
-----END RSA PRIVATE KEY-----
```

I don't get how this isn't a really bad idea.
A shared ssh private key to many systems,
shared publicly?


More ssh key fun:

```
root@tici:~# grep ssh_host_ /etc/ssh/sshd_config
HostKey /data/etc/ssh/ssh_host_rsa_key
HostKey /data/etc/ssh/ssh_host_dsa_key
HostKey /data/etc/ssh/ssh_host_ecdsa_key
HostKey /data/etc/ssh/ssh_host_ed25519_key
root@tici:~# ls -l /data/etc/ssh/ssh_host_*
-rw------- 1 root root 1373 Sep  7 18:37 /data/etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root  599 Sep  7 18:37 /data/etc/ssh/ssh_host_dsa_key.pub
-rw------- 1 root root  505 Sep  7 18:37 /data/etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root  171 Sep  7 18:37 /data/etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root  399 Sep  7 18:37 /data/etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root   91 Sep  7 18:37 /data/etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 Sep  7 18:37 /data/etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root  563 Sep  7 18:37 /data/etc/ssh/ssh_host_rsa_key.pub
```

Those keys were generated at factory. Shared?

```
root@tici:~# sha256sum /data/etc/ssh/ssh_host_*
27f51bad028a16a44570590feb04ef82f58d2be85fd617619f0586f2c73a62b6  /data/etc/ssh/ssh_host_dsa_key
66ed353232f9826b51a4c95590e1b9246b7dfd9ff642c6a5a54bfcc90fdd7519  /data/etc/ssh/ssh_host_dsa_key.pub
441b79400802b9a0947f93383cd83fb2a3ed67b0c12b12b9b98c5c3e444bdc7e  /data/etc/ssh/ssh_host_ecdsa_key
9dfcbed0ddb3dcbc151375c96b4077ac401a97ea86d82953d178cbf92fe6cadc  /data/etc/ssh/ssh_host_ecdsa_key.pub
d7e7b3256dcf3f8a334f6bd68c5bf37b29d102a2952deea9902f3ad9accce140  /data/etc/ssh/ssh_host_ed25519_key
6df70068291b69055c969cc721025cc78ec49b34f210b3496584a20a49df8100  /data/etc/ssh/ssh_host_ed25519_key.pub
ba8b445792f1216ab53cdf34bce275bce956387b0f9874f515500e30cfdfb361  /data/etc/ssh/ssh_host_rsa_key
750f22eb6d020497f5a1c846f48bde33c7efb55479217b95103a7ebdb1136414  /data/etc/ssh/ssh_host_rsa_key.pub
```


# Listening
Listening TCP ports.

```
root@tici:~# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      3957/systemd-resolv 
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN      7655/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7655/sshd: /usr/sbi 
tcp6       0      0 :::8022                 :::*                    LISTEN      7655/sshd: /usr/sbi 
tcp6       0      0 :::22                   :::*                    LISTEN      7655/sshd: /usr/sbi 

# Looks like a local DNS resolver and ssh is listening on two ports:
root@tici:~# grep Port /etc/ssh/sshd_config
Port 8022
Port 22
```

Listening UDP.

```
root@tici:~# netstat -panu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 127.0.0.53:53           0.0.0.0:*                           3957/systemd-resolv 
udp        0      0 127.0.0.1:323           0.0.0.0:*                           5508/chronyd        
udp6       0      0 ::1:323                 :::*                                5508/chronyd        
```

So local DNS resolver is listening for both tcp/udp and time sync
with `chrony`.


`IPv6` is in use.


# Filesystem

```
# /var filesystem is at 100%, maybe logfiles gone wild.
root@tici:~# df -h /var/
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           128M  128M     0 100% /var

```

The `/var` mount does not appear to be just a temp mount, there
are old files there, e.g.:

```
root@tici:~# head /var/log/syslog.1 
Sep  7 18:37:27 tici kernel: [    0.000000] Booting Linux on physical CPU 0x0
```

# Random, or not?
Surely deterministic random numbers are secure?

```
root@tici:~# ls -l /var/lib/systemd/random-seed
-rw------- 1 root root 512 Sep  7 18:37 /var/lib/systemd/random-seed
```