CVE Vulnerabilities

CVE-2025-7020

Reliance on Security Through Obscurity

Published: Aug 09, 2025 | Modified: Aug 09, 2025
CVSS 3.x: N/A (Source: NVD)

An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data.

This vulnerability was introduced in a patch intended to fix CVE-2024-54728.

Weakness

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.
