CVE-2025-28169 in QIN Plus DM-i Dilink OSinfo

Summary

by MITRE • 04/23/2025

BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a man-in-the-middle attack.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/25/2025

The vulnerability identified as CVE-2025-28169 affects the BYD QIN PLUS DM-i Dilink OS version range from v3.0_13.1.7.2204050.1 through v3.0_13.1.7.2312290.1_0, representing a critical security flaw in the vehicle's connected services infrastructure. This issue manifests through the improper handling of network communications where the system transmits data to manufacturer cloud servers without implementing encryption protocols, creating a significant attack surface for malicious actors operating within the same network segment. The vulnerability specifically impacts the vehicle's over-the-air communication capabilities and remote diagnostics functionality that rely on unencrypted data transmission.

The technical flaw stems from the absence of secure communication channels in the Dilink OS implementation, which violates fundamental security principles for IoT and automotive systems. This unencrypted communication pattern allows attackers positioned within the network to intercept and potentially manipulate data flowing between the vehicle and the manufacturer's cloud infrastructure. The vulnerability can be classified under CWE-319 as it involves the transmission of sensitive information in a manner that is not protected by encryption. The flaw represents a critical weakness in the vehicle's security architecture, particularly concerning the protection of vehicle telemetry data, diagnostic information, and potentially control commands that may be transmitted through the same unencrypted channel.

From an operational perspective, this vulnerability exposes the vehicle to various man-in-the-middle attack vectors that could compromise vehicle integrity and user privacy. Attackers could intercept sensitive data including vehicle identification numbers, location information, diagnostic trouble codes, and potentially access control commands that might enable unauthorized vehicle manipulation. The impact extends beyond simple data interception as the unencrypted nature of communications could allow attackers to inject malicious payloads or commands into the vehicle's communication stream. This vulnerability aligns with ATT&CK technique T1566 which involves the use of unencrypted network protocols to gain access to sensitive information and potentially establish persistent access to vehicle systems.

The security implications of this vulnerability are particularly concerning given that modern vehicles increasingly rely on connected services for diagnostics, over-the-air updates, and remote access capabilities. The lack of encryption in vehicle-to-cloud communications creates a pathway for attackers to potentially gain unauthorized access to vehicle control systems, compromise vehicle safety mechanisms, or extract sensitive user data. The vulnerability affects not just individual vehicle security but also raises concerns about fleet management and manufacturer data integrity. Organizations should consider implementing network segmentation strategies and monitoring for unusual communication patterns to detect potential exploitation attempts. The affected vehicle models represent a significant portion of BYD's connected vehicle fleet, making this vulnerability particularly impactful for automotive security.

Mitigation strategies should include immediate implementation of network monitoring to detect unauthorized access attempts, deployment of network intrusion detection systems specifically designed for automotive environments, and consideration of temporary network segmentation measures to isolate vehicle communication traffic. Vehicle owners and fleet operators should be advised to avoid connecting to untrusted networks when vehicle connectivity is active and to implement network access controls that limit communication to authorized endpoints only. The manufacturer should provide firmware updates that implement proper encryption protocols for all vehicle-to-cloud communications and establish secure channel establishment procedures that prevent man-in-the-middle attacks. Additionally, organizations should consider implementing network traffic analysis tools that can detect anomalies in communication patterns that might indicate exploitation attempts.

Responsible

MITRE

Reservation

03/11/2025

Disclosure

04/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00289

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!