This ARMv7 vulnerability allows smart cars to be hacked remotely, like in the movies

Smart cars have become one of the main targets of some cybercriminal gangs. Malware reverse engineering experts from the Cisco Customer Experience Assessment and Penetration Team (CX APT) have disclosed a memory corruption vulnerability in ARMv7 that, if exploited, would make it easy to compromise a smart car.

Thanks to the inclusion of computer systems, many of today’s cars are complex machines that go beyond their mechanical and design aspects. They include sensors and other devices that help determine their exact location, engine performance, theft protection and other functions.

In the report, the malware reverse engineering experts point out that these sensors provide smart vehicle owners with various indicators in real time, combining mobile components and cloud deployments to support functions such as door opening or auto start-up. Implementing these systems also introduces multiple attack vectors in vehicles that are connected via mobile networks such as WiFi, Bluetooth, DAB or USB.

Researcher Andrew Tierney mentions that this flaw is not limited to smart cars, but could affect multiple Internet of Things (IoT) deployments: “While it is true that more than 90% of vehicles with satellite systems are based on ARM/Linux, which makes them vulnerable to these failures, the problem extends beyond this implementation; even some industrial controllers could be affected.”

The malware reverse engineering expert says that this is a relevant flaw that must be addressed soon. While OEMs have the ability to fix these vulnerabilities and release updates in short periods of time, there are thousands of enterprise and industrial environments that don’t have the same chance of receiving security patches, so hackers could take advantage of these flaws for years before the risk of exploitation is fully mitigated.

According to the International Institute of Cyber Security (IICS), Cisco’s research team reported the vulnerability to some companies, which have committed to releasing the corresponding updates by August. While this is good news, experts believe smart vehicle owners don’t have any protection against these attacks until the updates are released. On the positive side, exploiting these flaws is a complex process, so the likelihood of exploitation in real-world scenarios is reduced.