BMW, Ford, Nissan Hacked: use vulnerable modems

Problems in BMW, Ford, Infiniti and Nissan vehicles. A team of three security researchers discovered two security flaws in the TCU (telematics control unit) components that are contained in various car models connected to the internet.

TCUs are 2G modems which send and receive data from a car's internal system. They are used as an interface between the car and remote management tools, such as web panels and mobile applications.

The researchers found the defects in the TCU manufactured by Continental AG, and more specifically TCUs using the S-Gold 2 (PMB 8876) cellular baseband chipset.

Thus, according to a notice issued by the Department of Homeland Security (DHS), the following car models use vulnerable TCUs:

The two defects relate to a buffer overflow in the TCU element processing the AT commands (CVE-2017-9647) and a flaw that allows attackers to run code via one of the internal elements of the TCU (baseband radio) (CVE-2017-9633).

In the first vulnerability, the attacker would need physical access to the target car, while the latter may take advantage of remote locations. The exploits code (Proof-of-concept or PoC) is available for both defects.

The car makers involved said the defects allow attackers only access to the car's entertainment system and not to critical operations such as braking, engine control or vehicle doors.

BMW said it would "provide service to affected customers" and Nissan said it would turn off 2G modems (TCUs) for all affected customers for free. This measure also applies to owners of Nissan-owned Infiniti cars.

Ford said it started disabling all 2G modem from last year, 2016. The company has told ICS-CERT that there are very few 2G modems on the market.

Security researchers Mickey Shkatov, Jesse Michael and Oleksandr Bazhaniuk from McAfee's Advanced Threat Research Team presented their findings at the DEF CON security conference held in Las Vegas last week. (PDF)