Remote Code Execution Discovered in XTool AnyScan App: Risks to Phones and Vehicles



Introduction

NowSecure researchers have identified an Android mobile app whose developers violated Google Play security guidelines by bypassing the recommended update procedures, exposing physical systems to remote control.

Multiple flaws in the automotive diagnostics app Xtooltech AnyScan have been uncovered, including a vulnerable in-app update system, dangerous permissions, insecure network communications and weak cryptographic practices. These issues not only lead to remote code execution (RCE) on user devices, but also put vehicles at risk. Until the developer fixes these vulnerabilities, users have no real protection other than uninstalling the AnyScan app.

When Vehicles Become Computers

Cars have evolved into computers on wheels. Modern vehicles contain numerous sensors, actuators, motors and solenoids connected by wires snaked into a complex network of controllers all working together. Each year, car manufacturers become more dependent on electronic systems and, consequently, the rate of cyberattacks against vehicles has dramatically increased.

The OBD-II port provides common and convenient access for mechanics, who use it together with scan tools to communicate with vehicle computers while performing maintenance. OBD-II products have been developed to perform a wide array of functions: from engine tuners promising to boost performance, to dongles promising to improve fuel economy, from antitheft and tracking to bolt-on self-driving.

With the proliferation of mobile apps and the sheer number of OBD-II related products, it was only a matter of time until somebody combined mobile apps and OBD-II scanners into a single product. The Chinese company Xtooltech sells a variety of products in the automotive diagnostic space. Its xTool A30M device plugs into a vehicle's OBD-II port and wirelessly communicates with a mobile device over Bluetooth (as opposed to needing a receiver).

Xtooltech AnyScan mobile app users can send commands to and receive data from the vehicle's computer via the diagnostic device. While the ability to remotely send a command, such as honking a horn, may be harmless, some commands control critical engine and safety mechanisms like unlocking doors, rolling down windows and controlling the accelerator.

The unique capabilities of Xtool scanners present an interesting attack surface. Not only can a vulnerable mobile app lead to device compromise, it also presents an opportunity to pivot to the vehicle itself. In this blog, we will explore how improper TLS validation can lead to persistent remote code execution on both mobile devices and vehicles.



We notified Xtooltech of the vulnerability on June 10, 2025 and they confirmed receipt on June 11. Initial analysis was performed on AnyScan version 4.40.11. As of press time, the latest version, 4.40.40, is still vulnerable.

The Path to Remote Code Execution

The xTool AnyScan app ships with very limited features and relies on official "plugins" to perform its core functions. For example, if the user wants to bleed their brake system, they must install the brake bleeding plugin. If the user wants to diagnose their Ford vehicle, they must download the Ford plugin. AnyScan ensures that its plugins are up to date by reaching out to a remote update server every time the app launches.

While this is a convenient way to ensure that the user has access to the most up-to-date software, there are several implementation issues that allow a bad actor to conduct a variety of malicious attacks. These vulnerabilities can be chained together to achieve persistent, fully remote code execution on the mobile device. Once the attacker executes code within the AnyScan app, they can send commands to the vehicle that the xTool dongle is plugged into.

Reverse Engineering the App

When exploring the AnyScan app, the first thing that stood out to us was the ability to download plugins from within the app itself. This behavior violates Google's developer guidelines, so it is surprising that the app contains this functionality in the first place. The practice is discouraged because it allows a developer to push new functionality to the app without passing through the usual Play Store code review process. As this blog post demonstrates, the consequences of improperly rolling your own update mechanism can be severe. If an attacker can compromise the update channel, they can run their own code on devices running the app.

Exploring the Update Feature

On a fresh install of the app, the user is prompted to install over 100 updates. If none of these updates are installed, the app will not connect to a vehicle, so the user must use the remote-download feature to achieve basic functionality.


These updates are retrieved from xTool by sending a GET request to https://apigw.xtoolconnect.com/uhdsvc/UpgradeService.asmx/GetUpdateListEx. While HTTPS requests are encrypted, they can only be considered secure if the implementation is done properly. In this case, AnyScan uses an insecure TrustManager implementation which allows all HTTPS certificates to be considered valid.

By default, Android-provided TrustManagers validate that a TLS certificate is valid and issued by a trusted CA; however, developers may choose to override the original functionality and replace it with their own implementation. Here, we can see that the com.xtool.diagnostic.fwcom.net.OKHttpDownload.buildTrustManagers() method overrides the original Android implementation and leaves the new override method completely empty.

This means that any verification typically performed by the TrustManager will be completely bypassed. This allows an attacker to proxy network traffic with a self-signed TLS certificate and modify the contents of individual network packets.
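The pattern described above, as an added illustration that is not the app's own source: an X509TrustManager whose method bodies are empty never throws, so any chain (self-signed included) is accepted, while delegating to the platform's default trust manager keeps chain validation, expiry checks and the default hostname verification intact. The class and method names (TlsTrust, buildInsecureTrustManagers, buildDefaultTrustManager, openValidated) are assumed for this example; only the empty-body shape comes from the post's description of buildTrustManagers().

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrust {

    // INSECURE: reconstructed shape of the bug, not the app's decompiled source.
    // checkServerTrusted has no body, so it can never reject a certificate.
    static TrustManager[] buildInsecureTrustManagers() {
        return new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
    }

    // SECURE: use the platform's default trust manager. Passing a null KeyStore
    // makes the factory load the system CA store, so chains are checked against
    // trusted roots and for validity; nothing is overridden.
    static X509TrustManager buildDefaultTrustManager() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Open an HTTPS connection backed by the validating trust manager. The default
    // HostnameVerifier is deliberately left in place.
    static HttpsURLConnection openValidated(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { buildDefaultTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // Demonstration: the empty manager accepts even an empty chain, the default one rejects it.
    public static void main(String[] args) throws Exception {
        X509Certificate[] emptyChain = new X509Certificate[0];
        ((X509TrustManager) buildInsecureTrustManagers()[0]).checkServerTrusted(emptyChain, "RSA");
        System.out.println("insecure manager: accepted an empty certificate chain");
        try {
            buildDefaultTrustManager().checkServerTrusted(emptyChain, "RSA");
            System.out.println("default manager: unexpectedly accepted");
        } catch (IllegalArgumentException | CertificateException e) {
            System.out.println("default manager: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

A quick audit check for this class of bug is to grep a decompiled APK for `X509TrustManager` implementations and look at the body of `checkServerTrusted`: an empty body, a body that only logs, or a `getAcceptedIssuers()` returning an empty array with no exception path elsewhere all mean the certificate is never actually validated.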

Using this information, we can inspect the request and response responsible for gathering update metadata.

Looking at the data contained in the packets, the response body consists of an XML file containing Base64-encoded text which decodes to encrypted data.

Exploiting Hardcoded Cryptographic Material

In order to make sense of the encrypted content, the encryption algorithm and mode, key, and initialization vector (IV) all need to be uncovered. After some digging, all of these items were found in the com.xtool.dcloud.RemoteServiceProxy class.

This discovery raises two major concerns:

  1. The app is using the insecure 56-bit DES encryption algorithm.
  2. The key and IV are the same value and hardcoded directly in the app.

The use of DES ciphers has been discouraged since the late 90's in favor of AES, which is far more resistant to brute-force attacks. In addition, cryptographic material should never be hardcoded, because it trivializes the decryption of sensitive data.

Because we now have all the material needed to decrypt the XML contents, we can reveal the update metadata.

Understanding the Install Process

Now that we understand how updates are fetched over the network, we need to figure out what happens once the application downloads an update. First, a genuine update can be downloaded without authentication (yet another vulnerability) by sending a GET request to a URL created by combining the FilePath field with the FileName field found in the update metadata. The request returns a zip file containing the following structure:

When AnyScan downloads an update, it unzips the file, then blindly copies the contents to a central location (…another vulnerability) for later use. While the update metadata contains an MD5 signature, it does not appear that any validation is performed locally or remotely.
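An added example (not Xtool's code) of the checks a plugin installer should perform before anything reaches the filesystem: the SHA-256 digest carried in the metadata is compared in constant time, a detached signature over the archive is verified against a public key the app would pin, and extraction rejects any entry that resolves outside the target directory. Authenticating the archive and metadata with a signature is also what makes the hardcoded DES key from the previous section unnecessary, since the metadata's integrity no longer depends on keeping a secret inside the APK; for that reason this single block serves both sections. The class and method names (UpdateVerifier, digestMatches, signatureValid, extractSafely, buildZip), the sample archive contents and the RSA key pair are all constructed for the example; a real app would embed the vendor's public key rather than generate one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class UpdateVerifier {

    // Digest check: expectedHex would come from the (signed) update metadata.
    static boolean digestMatches(byte[] archive, String expectedHex) throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(archive);
        return MessageDigest.isEqual(actual, hexToBytes(expectedHex)); // constant-time compare
    }

    // Signature check against the vendor's pinned public key (generated below only for the demo).
    static boolean signatureValid(byte[] archive, byte[] sig, PublicKey pinned) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pinned);
        v.update(archive);
        return v.verify(sig);
    }

    // Extract regular files only, and only into the target directory (zip-slip guard).
    static int extractSafely(byte[] archive, Path target) throws IOException {
        Path root = target.toAbsolutePath().normalize();
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path dest = root.resolve(e.getName()).normalize();
                if (!dest.startsWith(root)) {
                    throw new IOException("entry escapes target directory: " + e.getName());
                }
                if (e.isDirectory()) continue;
                Files.createDirectories(dest.getParent());
                Files.copy(zin, dest);
                written++;
            }
        }
        return written;
    }

    // Constructed single-entry archive standing in for a plugin zip.
    static byte[] buildZip(String entryName, byte[] content) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry(entryName));
            zout.write(content);
            zout.closeEntry();
        }
        return bos.toByteArray();
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] hexToBytes(String h) {
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPair vendor = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // demo stand-in for a pinned key
        byte[] good = buildZip("libscan_x64.so", "constructed plugin bytes".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendor.getPrivate());
        s.update(good);
        byte[] sig = s.sign();
        String expectedHex = toHex(MessageDigest.getInstance("SHA-256").digest(good));
        Path dir = Files.createTempDirectory("plugin-demo");

        // Genuine archive: both checks pass, then it is extracted.
        if (digestMatches(good, expectedHex) && signatureValid(good, sig, vendor.getPublic())) {
            System.out.println("genuine archive: extracted " + extractSafely(good, dir) + " file(s)");
        }

        // Tampered archive (one byte flipped): both checks fail, nothing is extracted.
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered archive: digest ok=" + digestMatches(tampered, expectedHex)
                + ", signature ok=" + signatureValid(tampered, sig, vendor.getPublic()));

        // Archive whose entry name walks out of the target directory is refused.
        byte[] slip = buildZip("../../outside.so", new byte[] {1});
        try {
            extractSafely(slip, dir);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters: verify the whole archive in memory (or from a temporary file) first, and only then write entries, so a failed check leaves nothing behind for a later dlopen() to pick up. An MD5 value in the metadata, even if it were checked, would not help here, because it is delivered over the same unauthenticated channel as the archive it describes.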

Creating the Exploit

The meat and potatoes of each plugin is a shared object named libscan.so (on 64-bit devices, libscan_x64.so is used). When a user selects a vehicle to scan, AnyScan looks for the libscan.so binary that corresponds to the desired manufacturer and loads it into memory using the dlopen family of functions.

Crafting a Malicious Native Executable

For a proof of concept, we kept the code short and sweet: it sends a message to the system logs and exits. By using the C constructor attribute, our payload is executed automatically when the libscan.so library is loaded by the app. Once the payload was crafted, it was compiled and renamed to libscan_x64.so.

Bundling the Malicious Update Payload

AnyScan plugins contain a handful of other files inside the zip in addition to the shared library, so we took a bit of a shortcut by stuffing our compiled code into an existing plugin. In addition, we modified a file inside the zip containing metadata strings to make our plugin a bit more identifiable, then zipped the whole thing up.

With our "malicious" plugin built, we could work on getting the app to load it. In order to make the app aware of our malicious update, we needed to craft update metadata JSON that would be accepted by the app when it reaches out for new updates.

Malicious update metadata before being encrypted

We modified the existing update metadata JSON to contain a link to a server hosting our malicious update (more on that later). Then, using the hardcoded password and IV uncovered in the app, we DES-encrypted the update metadata and stuffed it into the original XML file.

Next, we set up a network proxy with mitmproxy that captures all traffic coming from our Android device. We accomplished this with iptables rules on the Android device. Out in the real world, this could be done without user consent through various means, such as a man-in-the-middle attack via a malicious hotspot, VPN, or Tor exit node. This attack could also be carried out by modifying settings on a router to direct all traffic through an attacker-controlled tunnel (which is easily done on public routers using default credentials).

Then, we wrote a mitmproxy plugin that intercepts all requests to the GetUpdateListEx endpoint and responds with our malicious update metadata.

The AnyScan app requesting our malicious plugin, which we named PWNED.zip

Now that the proxy can redirect requests from the app, we need a way to actually serve the update to the user. This can easily be done by setting up a simple Python webserver in the same directory as the payload. With the server running, the payload is accessible to any system that reaches out to our IP address.

Python webserver serving the malicious payload

With the network ready for the attack, we launched the app and were immediately presented with available updates. This means that the proxy successfully redirected the update request and the app decrypted the injected metadata.

Malicious update available for download

When the user chooses to download the update, the app reaches out to our server hosting the malicious plugin, downloads it, and extracts it to the filesystem on the device.

AnyScan logs showing the application downloading and extracting our plugin to the filesystem

Once downloaded, the user is presented with a scanner for a new PWNED vehicle. In a real attack, this update would be disguised as a legitimate car manufacturer, so the user would have no suspicion of malicious activity.

We can confirm the exploit is successful by selecting the malicious scanner and observing logcat. Upon pressing the PWNED button, logcat reports that the app successfully copies our libscan_x64.so library and calls dlopen() on it without validating its authenticity, which causes our custom log message to be displayed.

Logcat showing successful exploitation

Impact

The app does not provide much functionality unless users are installing and using plugins, so almost all users will download updates through this vulnerable feature at some point. This makes it a very powerful attack vector because it weaponizes a feature that most users are familiar with and are expected to use regularly. With the update code being unvalidated, the attacker has the ability to run whatever code they want on the device when the plugin is run. Plugins are stored in the app's local filesystem, so the exploit persists across reboots. In addition, malicious code can be injected alongside the legitimate plugin functionality, so the user is not alerted by any unusual behavior.

The attacker's code executes inside AnyScan's application context, which allows an attacker to make use of all the permissions that the app has been granted. AnyScan requests a wide variety of permissions, including many that Android considers to be dangerous permissions, so numerous sensitive components (such as the camera, Bluetooth, GPS and filesystem access) may be used for malicious purposes such as installing spyware, adware or cryptocurrency miners.

List of permissions requested by AnyScan

Not only does this attack allow for code execution on the mobile device; xTool scanners facilitate bi-directional communication between the vehicle and the user, which enables attacker-controlled code to interact with the vehicle via the OBD-II port. Malicious commands can cause a wide variety of unwanted behavior of varying severity, including keyfob reprogramming and tampering with critical vehicle systems.

OBD-II access allows attackers to send malicious CAN bus commands to the vehicle. Such commands have been used to gain full remote control of a vehicle, which can lead to vehicle theft or serious injury to passengers.

While this vulnerability can have severe consequences, it does not necessarily do so on its own. In the past few years, some car manufacturers have increased the security of their internal systems; however, many still have not. This vulnerability serves as an attack vector which allows malicious actors to run exploits on the user's device and connected vehicles. With multiple reports of automotive hacking on the rise, vulnerabilities allowing initial access are extremely valuable to attackers and should be patched immediately.

Call to Action

For end users of the AnyScan app, the lack of certificate validation while downloading plugins means that there is no truly safe way to use the app. Users can lower their exposure by only using the app while connected to private, trusted networks with a secure password. There is no way to determine if the app has already been compromised via this insecure update mechanism. The only secure option is to uninstall the app until this vulnerable feature has been addressed. If the app must be used, we recommend uninstalling the app completely (to remove previously installed plugins), then reinstalling it and only using the update feature when absolutely necessary on a trusted network.

For developers, there are two major takeaways from this example. First, the practice of rolling your own update mechanism is a risky decision. The Google developer guidelines advise against it for good reason. A single mistake in the implementation leaves the door open for attackers to take control of the app. Second, breaking TLS certificate validation is never a good idea. If a TLS validation bypass is used to make the development cycle easier, all bypasses must be removed from production builds without exception.

Conclusion

As far as mobile attacks go, usually the user's device is the end of the line. The attacker's goal is to get code onto the device and get data off. In the case of the Xtooltech device and AnyScan, the mobile app lets you use your phone to remotely communicate with your vehicle through a diagnostic port. This is a unique case where an attacker gets a persistent presence on the mobile device and can then pivot to start covertly sending malicious commands to vehicles.

Allowing a user to download app features from inside the app itself is a dangerous approach that violates Play Store policy. In addition, there are several vulnerabilities in Xtool's implementation of this feature. While all of the vulnerabilities should be addressed, the biggest vulnerability that needs immediate fixing is the failure to validate TLS certificates, because it allows for persistent remote code execution on the mobile device and connected vehicles.

The list of what can be done over the OBD-II port varies greatly depending on the make and model of the vehicle, as well as how the vehicle was configured by the manufacturer. While sophisticated attacks may require a complex chain of exploits tailored to a vehicle's make and model, this vulnerability can be used as the initial foothold which allows attackers to run an exploit against the car's computer itself, leading to further access. With the dramatically increasing rate of cyberattacks against vehicles, any vulnerability which provides initial access for attacker-controlled code to be run must be taken very seriously.
