A team of three security researchers has found and disclosed two security flaws in the TCU (telematics control unit) components that ship with various luxury car models.
TCUs are 2G modems that receive or send data from a car's internal system and are used as an interface between the car and remote management tools such as web panels and mobile apps.
The researchers found the flaws in TCUs manufactured by Continental AG, and more specifically in TCUs that use the S-Gold 2 (PMB 8876) cellular baseband chipset.
According to an alert issued by the Department of Homeland Security (DHS), the following car models use vulnerable TCUs:
The two flaws are a buffer overflow in the TCU component that processes AT commands (CVE-2017-9647), and a flaw that allows attackers to execute code via one of the TCU’s inner components, the baseband radio processor (CVE-2017-9633).
An attacker would need physical access to a car to exploit the first flaw, while the second can be exploited from remote locations. Proof-of-concept (PoC) exploit code is available online for both flaws.
Affected car makers said the flaws only allow attackers access to the car’s infotainment system, but not to critical car functions, such as braking, motor control, or car doors.
BMW said it “will be offering a service measure to affected customers.” Similarly, Nissan said it will deactivate the 2G modems (TCUs) for all affected customers for free in one of its services. This measure also affects Infiniti car owners, as Infiniti is a Nissan-owned luxury brand.
Ford said it started disabling all 2G modems last year, in 2016. The company told ICS-CERT that there are very few cars with 2G modems left on the market, and the impact is minimal.
Security researchers Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee are the ones who discovered the flaws. They recently presented their findings at the DEF CON security conference held in Las Vegas last week.