Nissan car logo

A team of three security researchers has found and disclosed two security flaws in the TCU (telematics control unit) components that ship with various luxury car models.

TCUs are 2G modems that receive or send data from a car's internal system and are used as an interface between the car and remote management tools such as web panels and mobile apps.

The researchers found the flaws in TCUs manufactured by Continental AG, and more specifically in TCUs that use the S-Gold 2 (PMB 8876) cellular baseband chipset.

BMW, Ford, Infiniti, and Nissan cars affected

According to an alert issued by the Department of Homeland Security (DHS), the following car models use vulnerable TCUs:

BMW several models produced between 2009-2010
Ford - program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service.
Infiniti 2013 JX35
Infiniti 2014-2016 QX60
Infiniti 2014-2016 QX60 Hybrid
Infiniti 2014-2015 QX50
Infiniti 2014-2015 QX50 Hybrid
Infiniti 2013 M37/M56
Infiniti 2014-2016 Q70
Infiniti 2014-2016 Q70L
Infiniti 2015-2016 Q70 Hybrid
Infiniti 2013 QX56
Infiniti 2014-2016 QX 80
Nissan 2011-2015 Leaf

The two flaws are a buffer overflow in the TCU’s component that processes AT commands (CVE-2017-9647), and a flaw that allows attackers to execute code via one of the TCU’s inner components (baseband radio processor) (CVE-2017-9633).

An attacker would need physical access to a car’s to exploit the first flaw, while the second can be exploited from remote locations. Proof-of-concept (PoC) exploit code is available online for both flaws.

Car makers took actions to address flaws

Affected car makers said the flaws only allow attackers access to the car’s infotainment system, but not to critical car functions, such as braking, motor control, or car doors.

BMW said it “will be offering a service measure to affected customers.” Similarly, Nissan said it will deactivate the 2G modems (TCUs) for all affected customers for free in one of its services. This measure also affects Infiniti car owners. Infinity is a Nissan-owned luxury brand.

Ford said it has started to disable all 2G modems last year, in 2016. The company told ICS-CERT that there are very few cars with 2G modems left on the market, and the impact is minimal.

Security researchers Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee are the ones who discovered the flaws. They recently presented their findings at the DEF CON security conference held in Las Vegas last week.