“We can remotely compromise the infotainment system and from there send arbitrary messages on the car’s CAN (controller area network) bus,” the authors wrote.
Computest believes in public disclosure of identified vulnerabilities and takes responsibility for ensuring that such a disclosure puts nobody at unnecessary risk and causes no unnecessary damage. The vulnerabilities they identified are all software-based, and therefore could be mitigated via a firmware upgrade. However, this cannot be done remotely; it must be done by an official dealer, which makes upgrading the entire fleet at once difficult.
The report noted that if an attacker gained access to the CAN bus of a vehicle, he or she would control the car. They could, for example, impersonate the front radar to instruct the braking system to make an emergency stop due to a near collision, or take over the steering. The attacker only needs to find a way to get access to a component that is connected to the CAN bus, without physical access. The attacker has a lot of remote attack surface to choose from. Some vectors require close proximity to the car, while others are reachable from anywhere around the globe. Some of the vectors require user interaction, whereas others can be attacked without the passengers' knowledge.
The researchers looked at cars with cellular or Wi-Fi connections that had the fewest layers between the cellular connection and the CAN bus.
“The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards,” Volkswagen reported.
The Volkswagen Golf was running MIB2. The VW Golf GTE was running MIB manufactured by HARMAN.
“In this example, the researchers were able to launch an in-memory overflow attack on an infotainment system to exploit a remote-code-execution vulnerability. There are dozens such vulnerabilities in modern car systems waiting for hackers to exploit. The only preventive solution against this class of attack is sealing the ECUs according to their factory settings. Since many vulnerabilities are unknown, the ECU hardening layer considers any unauthorized deviation from factory settings as malware, thus protecting against known and unknown attacks (zero-day vulnerabilities),” said Assaf Harel, co-founder and chief scientist at Karamba Security.