Pierluigi Paganini October 25, 2015

Researchers demonstrated how disable the airbags on a Audi TT (and others models) and other functions by exploiting a zero-day flaw in third-party software.

Lately, many researchers proved that car manufacturers haven’t addressed security vulnerabilities in modern vehicles properly and use of lots of embedded controllers and providing different external interfaces made it possible to hack and take control of automobile’s core systems.

Once again, a group of three researchers, András Szijj, and Levente Buttyán of CrySyS Lab and Zsolt Szalay of Budapest University of Technology and Economics cooperatively managed to disable airbags in an Audi TT.

The Researchers said that in comparison to the remote hacking of Jeep car, this attack is less severe and less capable threat. They use a zero-day vulnerability in commonly-used diagnostic software that is compatible with cars sold by the Volkswagen. Buttyán emphasized that this flaw “has nothing to do with VW itself” and relates to third-party software only.

Taking control of the vulnerable software means that the attacker is able to switch on or off all the functionalities that the software has been designed to control and check. This flaw enables attackers to falsify the information generated by the car.

Audi TT was the platform to demonstrate this attack and these experiments were carried out during spring 2015. To make the exploit work, mechanic’s computer must be compromised firstly or a malicious USB device to be plugged into the vehicle. The proof-of-concept implementation allows for Man-in-the-Middle attacks between the application and the car (in this case an Audi TT).

This demonstration shows that a Stuxnet-style attack is easy to implement in practice against cars by minimal modification of a diagnostic application. Furthermore, the situation could get worse and more dangerous if hackers could inject a backdoor by updating a car’s embedded control unit firmware via the OBD2 port. This backdoor could be triggered while the car is in motion.

Stephen Checkoway published a research paper in 2011, titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” and described the possible ways to infect a car through diagnostic equipment. The researchers said that their work is a proof-of-concept for the aforementioned paper. The detailed explanation of the POC is summarized in the following presentation here.

About the Author

Ali Taherian (@ali_taherian) is an enthusiastic information security Officer. He’s finished his education in information security and has recently been involved in banking software and payment security industry. Taherian is proud to be certified IBM Cloud Computing Solution Advisor and ECSA and enjoys sharing and tweeting about security advances and news.

Edited by Pierluigi Paganini

(Security Affairs –  Airbag, Audi TT)