Security flaws affect TCUs used in BMW, Ford, Infiniti, and Nissan vehicles

Pierluigi Paganini August 01, 2017

Three security researchers have discovered security vulnerabilities in the telematics control units (TCUs) used in BMW, Ford, Infiniti, and Nissan vehicles.

Three security researchers have discovered security vulnerabilities in the telematics control unit (TCU) manufactured by Continental AG that is installed on various car models manufactured by BMW, Ford, Infiniti, and Nissan.

The researchers are Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk (@jessemichael, @HackingThings, @ABazhaniuk) from the Advanced Threat Research Team at McAfee. The team has presented their discovery at the last DEF CON security conference.

The TCUs are 2G modems that are used by modern vehicles to transfer data, they enable the communications between the car and remote management tools such as web panels and mobile apps.

The two vulnerabilities found by the research team affect the TCUs that use the S-Gold 2 (PMB 8876) cellular baseband chipset, they are a stack-based buffer overflow in the TCU’s component that processes AT commands (CVE-2017-9647), and a vulnerability in the temporary mobile subscriber identity (TMSI) may could be exploited by attackers to access and control memory (CVE-2017-9633).

The first vulnerability could be exploited only by an attacker with a physical access to the car using the vulnerable TCU, while the second can be exploited by a remote attacker.

Below the description provided in the alert:

“Stack-based buffer overflow CWE-121 – An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU.

IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 – A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU.”

TCUs car flaws

The ICS-CERT issued a specific alert for the vulnerabilities affecting the Continental AG Infineon S-Gold 2 (PMB 8876).

“Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code. This may allow an attacker to disable the infotainment system of the vehicle and affect functional features of the vehicle. According to affected auto manufacturers, these vulnerabilities do not directly affect the critical safety features of the vehicle.” states the alert issued by the ICS-CERT.

The following vehicles use vulnerable TCUs:

BMW several models produced between 2009-2010
Ford – program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service.
Infiniti 2013 JX35
Infiniti 2014-2016 QX60
Infiniti 2014-2016 QX60 Hybrid
Infiniti 2014-2015 QX50
Infiniti 2014-2015 QX50 Hybrid
Infiniti 2013 M37/M56
Infiniti 2014-2016 Q70
Infiniti 2014-2016 Q70L
Infiniti 2015-2016 Q70 Hybrid
Infiniti 2013 QX56
Infiniti 2014-2016 QX 80
Nissan 2011-2015 Leaf

According to affected car makers, the flaws could be exploited only to access the infotainment systems of the vehicles.

Nissan announced it will disable the 2G modems (TCUs) for all affected customers for free in one of its services. Same thing for Infiniti cars, while BMW “will be offering a service measure to affected customers.”

Ford already started disabling all 2G modems in 2016.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – TCUs,car hacking)

[adrotate banner=”13″]



you might also like

leave a comment