One of the most worrisome attack scenarios for connected vehicle cybersecurity has surfaced in recent days. At the end of May, a team of researchers from the Customer Experience Assessment & Penetration Team (CX APT) of the giant Cisco discovered a flaw that makes it possible to control a vehicle remotely. The finding inevitably recalls the demonstration, as fascinating as it was horrifying, of a Jeep Cherokee remotely piloted by two security researchers and a reporter from Wired in 2015.
The vulnerability (CVE-2020-6096) is located in the implementation of a programming library (the GNU libc) used in ARMv7 Linux operating systems, which are present in “90% of connected vehicle navigation systems,” said Andrew Tierney of the British penetration testing company Pen Test Partners, when asked by SC Magazine UK.
An on-board web server made accessible via the vehicle’s Wi-Fi
More specifically, it is the implementation of the memory function memcpy() in the ARMv7 OS that a malicious individual can corrupt through a complex four-stage attack, which notably involves injecting malicious code when the user sends a request to this memory function. The attack is detailed in a May 21 publication from the Talos threat intelligence team, which also belongs to the Cisco group. It then becomes possible to exploit the operating system for malicious purposes, in particular to take remote control of the vehicle.
The flaw was found during a penetration test of a connected vehicle carried out by the CX APT research team, which was formed from three acquisitions by the Cisco group (NDS, Neohapsis, and Portcullis). The test brought to light the exposure of an embedded web server to the vehicle's Wi-Fi network. The researchers then identified the implementation of the memcpy() function as responsible for this exposure.
A flaw that also affects industrial equipment
“The good news is that this vulnerability was discovered before malicious actors were able to exploit it,” enthuses Niels Schweisshelm, technical program manager at the HackerOne penetration testing platform. More fear than harm, therefore. “CX APT worked with Cisco Talos to disclose the vulnerability and libc library officials plan to release an update to address the vulnerability in August,” Talos said in its blog post.
But Andrew Tierney nevertheless raises one caveat: “Although this is an interesting bug which, surprisingly, has never been spotted before, we do not see why Talos highlights this problem as a ‘connected vehicle’ problem. This flaw also concerns a wide range of IoT systems and other embedded systems, including connected industrial machines. We are concerned that in the industry and in the connected object universe in general, many older and perhaps unsupported embedded systems will never be fixed.”