spacecruft
/
uhoh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
uhoh/docs/SEC.md

6.8 KiB
Raw Blame History

Comma Three Security

Small notes on Comma Three security.

SSH Remote Access

It appears from their docs that most users connect to their device using ssh with the hostname ssh.comma.ai which resolves to 104.214.96.241, with the whois record showing the owner as Microsoft Corporation (MSFT).

So basically the device phones home to Microsoft.

SSH Keys

On the device, the root filesystem is mounted read-only. There is a /persist directory that contains some SSH RSA keys:

root@tici:~# date ; ls -Rl /persist/
Sun 23 Jan 2022 02:30:39 AM UTC
/persist/:
total 4
drwxrwxr-x 2 comma comma 4096 Jan 14 23:41 comma

/persist/comma:
total 8
-rw------- 1 comma comma 1679 Jan 14 23:41 id_rsa
-rw-rw-r-- 1 comma comma  451 Jan 14 23:41 id_rsa.pub

The keys were created before the device shipped, not on first boot, if the file timestamp is correct. So that ssh key is in cleartext through the supply chain.

Uh

Ok, this is perhaps even more absurd reading the docs:

1. Download the private key from the openpilot repo.. Save the key file as a text file and name it something like key.pem.

From: https://github.com/commaai/openpilot/wiki/SSH

That key: https://raw.githubusercontent.com/commaai/openpilot/master/tools/ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+iXXq30Tq+J5N
Kat3KWHCzcmwZ55nGh6WggAqECa5CasBlM9VeROpVu3beA+5h0MibRgbD4DMtVXB
t6gEvZ8nd04E7eLA9LTZyFDZ7SkSOVj4oXOQsT0GnJmKrASW5KslTWqVzTfo2XCt
Z+004ikLxmyFeBO8NOcErW1pa8gFdQDToH9FrA7kgysic/XVESTOoe7XlzRoe/eZ
acEQ+jtnmFd21A4aEADkk00Ahjr0uKaJiLUAPatxs2icIXWpgYtfqqtaKF23wSt6
1OTu6cAwXbOWr3m+IUSRUO0IRzEIQS3z1jfd1svgzSgSSwZ1Lhj4AoKxIEAIc8qJ
rO4uymCJAgMBAAECggEBAISFevxHGdoL3Z5xkw6oO5SQKO2GxEeVhRzNgmu/HA+q
x8OryqD6O1CWY4037kft6iWxlwiLOdwna2P25ueVM3LxqdQH2KS4DmlCx+kq6FwC
gv063fQPMhC9LpWimvaQSPEC7VUPjQlo4tPY6sTTYBUOh0A1ihRm/x7juKuQCWix
Cq8C/DVnB1X4mGj+W3nJc5TwVJtgJbbiBrq6PWrhvB/3qmkxHRL7dU2SBb2iNRF1
LLY30dJx/cD73UDKNHrlrsjk3UJc29Mp4/MladKvUkRqNwlYxSuAtJV0nZ3+iFkL
s3adSTHdJpClQer45R51rFDlVsDz2ZBpb/hRNRoGDuECgYEA6A1EixLq7QYOh3cb
Xhyh3W4kpVvA/FPfKH1OMy3ONOD/Y9Oa+M/wthW1wSoRL2n+uuIW5OAhTIvIEivj
6bAZsTT3twrvOrvYu9rx9aln4p8BhyvdjeW4kS7T8FP5ol6LoOt2sTP3T1LOuJPO
uQvOjlKPKIMh3c3RFNWTnGzMPa0CgYEA0jNiPLxP3A2nrX0keKDI+VHuvOY88gdh
0W5BuLMLovOIDk9aQFIbBbMuW1OTjHKv9NK+Lrw+YbCFqOGf1dU/UN5gSyE8lX/Q
FsUGUqUZx574nJZnOIcy3ONOnQLcvHAQToLFAGUd7PWgP3CtHkt9hEv2koUwL4vo
ikTP1u9Gkc0CgYEA2apoWxPZrY963XLKBxNQecYxNbLFaWq67t3rFnKm9E8BAICi
4zUaE5J1tMVi7Vi9iks9Ml9SnNyZRQJKfQ+kaebHXbkyAaPmfv+26rqHKboA0uxA
nDOZVwXX45zBkp6g1sdHxJx8JLoGEnkC9eyvSi0C//tRLx86OhLErXwYcNkCf1it
VMRKrWYoXJTUNo6tRhvodM88UnnIo3u3CALjhgU4uC1RTMHV4ZCGBwiAOb8GozSl
s5YD1E1iKwEULloHnK6BIh6P5v8q7J6uf/xdqoKMjlWBHgq6/roxKvkSPA1DOZ3l
jTadcgKFnRUmc+JT9p/ZbCxkA/ALFg8++G+0ghECgYA8vG3M/utweLvq4RI7l7U7
b+i2BajfK2OmzNi/xugfeLjY6k2tfQGRuv6ppTjehtji2uvgDWkgjJUgPfZpir3I
RsVMUiFgloWGHETOy0Qvc5AwtqTJFLTD1Wza2uBilSVIEsg6Y83Gickh+ejOmEsY
6co17RFaAZHwGfCFFjO76Q==
-----END RSA PRIVATE KEY-----

I don't get how this isn't a really bad idea. A shared ssh private key to many systems, shared publicly?

More ssh key fun:

root@tici:~# grep ssh_host_ /etc/ssh/sshd_config
HostKey /data/etc/ssh/ssh_host_rsa_key
HostKey /data/etc/ssh/ssh_host_dsa_key
HostKey /data/etc/ssh/ssh_host_ecdsa_key
HostKey /data/etc/ssh/ssh_host_ed25519_key
root@tici:~# ls -l /data/etc/ssh/ssh_host_*
-rw------- 1 root root 1373 Sep  7 18:37 /data/etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root  599 Sep  7 18:37 /data/etc/ssh/ssh_host_dsa_key.pub
-rw------- 1 root root  505 Sep  7 18:37 /data/etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root  171 Sep  7 18:37 /data/etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root  399 Sep  7 18:37 /data/etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root   91 Sep  7 18:37 /data/etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 Sep  7 18:37 /data/etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root  563 Sep  7 18:37 /data/etc/ssh/ssh_host_rsa_key.pub

Those keys were generated at factory. Shared?

root@tici:~# sha256sum /data/etc/ssh/ssh_host_*
27f51bad028a16a44570590feb04ef82f58d2be85fd617619f0586f2c73a62b6  /data/etc/ssh/ssh_host_dsa_key
66ed353232f9826b51a4c95590e1b9246b7dfd9ff642c6a5a54bfcc90fdd7519  /data/etc/ssh/ssh_host_dsa_key.pub
441b79400802b9a0947f93383cd83fb2a3ed67b0c12b12b9b98c5c3e444bdc7e  /data/etc/ssh/ssh_host_ecdsa_key
9dfcbed0ddb3dcbc151375c96b4077ac401a97ea86d82953d178cbf92fe6cadc  /data/etc/ssh/ssh_host_ecdsa_key.pub
d7e7b3256dcf3f8a334f6bd68c5bf37b29d102a2952deea9902f3ad9accce140  /data/etc/ssh/ssh_host_ed25519_key
6df70068291b69055c969cc721025cc78ec49b34f210b3496584a20a49df8100  /data/etc/ssh/ssh_host_ed25519_key.pub
ba8b445792f1216ab53cdf34bce275bce956387b0f9874f515500e30cfdfb361  /data/etc/ssh/ssh_host_rsa_key
750f22eb6d020497f5a1c846f48bde33c7efb55479217b95103a7ebdb1136414  /data/etc/ssh/ssh_host_rsa_key.pub

Listening

Listening TCP ports.

root@tici:~# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      3957/systemd-resolv 
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN      7655/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7655/sshd: /usr/sbi 
tcp6       0      0 :::8022                 :::*                    LISTEN      7655/sshd: /usr/sbi 
tcp6       0      0 :::22                   :::*                    LISTEN      7655/sshd: /usr/sbi 

# Looks like a local DNS resolver and ssh is listening on two ports:
root@tici:~# grep Port /etc/ssh/sshd_config
Port 8022
Port 22

Listening UDP.

root@tici:~# netstat -panu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 127.0.0.53:53           0.0.0.0:*                           3957/systemd-resolv 
udp        0      0 127.0.0.1:323           0.0.0.0:*                           5508/chronyd        
udp6       0      0 ::1:323                 :::*                                5508/chronyd

So local DNS resolver is listening for both tcp/udp and time sync with chrony.

IPv6 is in use.

Filesystem

# /var filesystem is at 100%, maybe logfiles gone wild.
root@tici:~# df -h /var/
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           128M  128M     0 100% /var

The /var mount does not appear to be just a temp mount, there are old files there, e.g.:

root@tici:~# head /var/log/syslog.1 
Sep  7 18:37:27 tici kernel: [    0.000000] Booting Linux on physical CPU 0x0

Random, or not?

Surely deterministic random numbers are secure?

root@tici:~# ls -l /var/lib/systemd/random-seed
-rw------- 1 root root 512 Sep  7 18:37 /var/lib/systemd/random-seed