Kaspersky cybersecurity experts announced this vulnerability on the afternoon of November 12 following a security review. By exploiting a zero-day vulnerability in a publicly accessible application belonging to a partner contractor, attackers can take complete control of the vehicle's telematics system (the system that collects and processes vehicle data).
This attack directly threatens the safety of the driver and passengers. For example, attackers can force the vehicle to shift gears or turn off the engine while it is moving.
Existing risks
The security assessment was conducted remotely, focusing on the manufacturer's public services and the contractor's infrastructure. Kaspersky determined that some of their online access points were inadvertently exposed to the Internet without a full layer of security.
First, using a zero-day SQL injection vulnerability (malicious code inserted into SQL commands to retrieve data without authorization) in the wiki application, experts extracted the contractor's user list along with password hashes (a one-way encoded version of each password that cannot be read directly).
Due to weak security policies, some of these password hashes were successfully cracked, paving the way for further penetration into the contractor's incident tracking system (used to manage and track tasks, errors or incidents in a project).
Notably, this system contained sensitive configuration details of the manufacturer's telematics infrastructure, including a file containing user password hashes from one of the company's telematics servers.
For the connected car system, Kaspersky discovered that the firewall was misconfigured, exposing some internal servers.

More alarmingly, the team also discovered a firmware update capability that allowed a modified firmware version to be loaded onto the vehicle's telematics controller. This means they can access the vehicle's internal communication network, the system responsible for connecting and coordinating the operation of vehicle components such as the engine and sensors.
After accessing this network, experts can affect many important functions of the vehicle, such as engine control or the gearbox. In real situations, if exploited, these vulnerabilities can directly threaten the safety of the driver and passengers.
Recommendations
Kaspersky recommends that contractors and technology partners in the automotive sector should:
- Restrict Internet access to web services through VPNs and isolate services from the internal business network
- Keep web services separate so that they have no connection to internal business networks
- Implement strict password policies
- Activate two-factor authentication (2FA)
- Encrypt sensitive data
- Integrate logging with a SIEM platform to track and detect incidents in real time. SIEM (security information and event management) is a system that helps detect unusual behavior or cyber attacks early.
For car manufacturers, cybersecurity experts recommend limiting access to the telematics platform from the vehicle's connection network, allowing only network connections that are on an allowlist, disabling SSH password login, running services with the minimum privileges necessary, ensuring the authenticity of control commands sent to the TCU (the telematics controller on the vehicle) and integrating a SIEM platform.
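
One way to verify the "disable SSH password login" recommendation above on a server, as an added example that is not from Kaspersky or the original article. It assumes the server runs OpenSSH; the function name `audit_sshd_config` and both sample configurations are constructed for illustration.

```python
# Added example: audit sshd_config text for password-based logins (constructed samples).
# Assumes OpenSSH semantics: the first value read for a keyword wins, and
# Match blocks can override it. Include files are not followed.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_sshd_config(text):
    """Return findings; an empty list means password logins are disabled."""
    effective, findings, match_scope = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            match_scope = value          # later lines apply only to this scope
        elif keyword in DEFAULTS and match_scope is None:
            effective.setdefault(keyword, value.lower())   # first value wins
        elif keyword in DEFAULTS and value.lower() != "no":
            findings.append(f"line {lineno}: {keyword} {value} in 'Match {match_scope}'")
    for keyword, default in DEFAULTS.items():
        value = effective.get(keyword, default)
        if value != "no":
            origin = "configured" if keyword in effective else "default"
            findings.append(f"global: {keyword} is {value} ({origin})")
    return findings

WEAK = """\
# constructed sample: looks hardened at first glance
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
HARDENED = """\
# constructed sample
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "password logins disabled")
```

On a live host, the effective values for a given connection can also be read from `sshd -T`, which resolves Include files and Match blocks that this parser only approximates.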