It's 2017 and Hayes AT modem commands can hack luxury cars

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: August 6, 2017 at 6:43:09 PM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] It's 2017 and Hayes AT modem commands can hack luxury cars
> Reply-To: dewayne-net () warpspeed com
>
> [Note:  This item comes from friend Steve Schear.  DLH]
>
> It’s 2017 and Hayes AT modem commands can hack luxury cars
> Telematics torched in BMWs, Infinitis, Nissan Leaf and some Fords
> By Richard Chirgwin
> Aug 1 2017
> <https://www.theregister.co.uk/2017/08/01/telematics_vulnerabilities_in_bmw_infiniti_ford_nissan/>
>
> Updated A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from 
> Infineon that America's ICS-CERT reckons is easy to exploit.
>
> The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and 
> there's a chance Nissan Leafs manufactured between 2011 to 2015 have bugs. A handful of Ford hybrids may also be in 
> trouble.
>
> In IT terms a 2009 product is close to end-of-life; a car that age might still be covered by an extended warranty 
> (and in Australia, by parts of the 10-year statutory warranty).
>
> Infineon's contribution to the problem is a 2G baseband chipset, the S-Gold 2 (part number PMB 8876), used by 
> upstream German vendor Continental to produce telematics control units (TCUs).
>
> The first vulnerability is a stack-based buffer overflow that ICS-CERT says is only exploitable by an attacker with 
> physical access to the car.
>
> Old-timers will get nostalgic and weepy at this point: the vulnerability is exposed by the modem's AT command set. As 
> detailed in this DEFCON presentation (PDF), the commands are AT+STKPROF, AT+XAPP, AT+XLOG and AT+FNS.
>
> (Many of these turned up as sources of iPhone vulns patched in 2015, if the extra detail at the iPhoneWiki is 
> accurate.)
>
> The second – which is remotely exploitable if you can get a 2G connection – lets an attacker “access and control 
> memory” for “remote code execution on the baseband radio processor of the TCU.”
>
> The discoverers, McAfee researchers Mickey Shkatov, Jesse Michael and Oleksandr Bazhaniuk, note in the presentation 
> that the exploits for the firmware in question were outlined by Ralf-Philip Weinmann in the iOS Hacker's Handbook in 
> 2016.
>
> So, as ICS-CERT says, “public exploits are available”.
>
> [snip]
>
> Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
> Twitter: https://twitter.com/wa8dzp



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170806185950:F1983BFE-7AFA-11E7-B471-FCAA683D1D3A
Powered by Listbox: http://www.listbox.com