Three security researchers have discovered security vulnerabilities in the telematics control units (TCUs) used in BMW, Ford, Infiniti, and Nissan vehicles.
Three security researchers have discovered security vulnerabilities in the telematics control unit (TCU) manufactured by Continental AG that is installed on variousÂ car models manufactured byÂ BMW, Ford, Infiniti, and Nissan.
The researchers are Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk (@jessemichael, @HackingThings, @ABazhaniuk) from the Advanced Threat Research Team at McAfee. The team hasÂ presentedÂ their discovery at the last DEF CON security conference.
The TCUs are 2G modems that are used by modernÂ vehicles to transfer data, they enable the communications between the car and remote management tools such as web panels and mobile apps.
The two vulnerabilities found by the research team affect the TCUs that use the S-Gold 2 (PMB 8876) cellular baseband chipset, they areÂ a stack-based buffer overflow in the TCUâ€™s component that processes AT commands (CVE-2017-9647), and a vulnerability in the temporary mobile subscriber identity (TMSI) may could be exploited by attackers to access and control memory (CVE-2017-9633).
The first vulnerability could be exploited only by an attacker with aÂ physical access to the car using the vulnerable TCU, while the second can be exploited by a remote attacker.
Below the description provided in the alert:
â€śStack-based buffer overflow CWE-121 â€“Â An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU.
IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119Â â€“ A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU.â€ť
The ICS-CERT issued a specific alert for the vulnerabilities affecting theÂ Continental AG Infineon S-Gold 2 (PMB 8876).
â€śSuccessful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code. This may allow an attacker to disable the infotainment system of the vehicle and affect functional features of the vehicle. According to affected auto manufacturers, these vulnerabilities do not directly affect the critical safety features of the vehicle.â€ť states theÂ alertÂ issued by the ICS-CERT.
The following vehicles use vulnerable TCUs:
BMWÂ several models produced between 2009-2010
FordÂ â€“ program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service.
InfinitiÂ 2013 JX35
InfinitiÂ 2014-2016 QX60
InfinitiÂ 2014-2016 QX60 Hybrid
InfinitiÂ 2014-2015 QX50
InfinitiÂ 2014-2015 QX50 Hybrid
InfinitiÂ 2013 M37/M56
InfinitiÂ 2014-2016 Q70
InfinitiÂ 2014-2016 Q70L
InfinitiÂ 2015-2016 Q70 Hybrid
InfinitiÂ 2013 QX56
InfinitiÂ 2014-2016 QX 80
NissanÂ 2011-2015 Leaf
According to affected car makers, the flaws could be exploited only to access the infotainment systems of the vehicles.
Nissan announced it will disable the 2G modems (TCUs) for all affected customers for free in one of its services. Same thing for Infiniti cars, whileÂ BMW â€świll be offering a service measure to affected customers.â€ť