1. Attachments are working again! Check out this thread for more details and to report any other bugs.

Featured Some Ford hybrids might be susceptible to Hayes modem AT command hacks

Discussion in 'Prius, Hybrid, EV and Alt-Fuel News' started by pilotgrrl, Aug 1, 2017.

  1. pilotgrrl

    pilotgrrl Senior Member

    Joined:
    Jul 23, 2017
    891
    1,797
    0
    Location:
    Chicagoan in TX
    Vehicle:
    2016 Prius
    Model:
    Three
    It’s 2017 and Hayes AT modem commands can hack luxury cars
    Telematics torched in BMWs, Infinitis, Nissan Leaf and some Fords

    A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit.

    The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between 2011 to 2015 have bugs. A handful of Ford hybrids may also be in trouble.

    In IT terms a 2009 product is close to end-of-life; a car that age might still be covered by an extended warranty (and in Australia, by parts of the 10-year statutory warranty).

    Infineon's contribution to the problem is a 2G baseband chipset, the S-Gold 2 (part number PMB 8876), used by upstream German vendor Continental to produce telematics control units (TCUs).

    The first vulnerability is a stack-based buffer overflow that ICS-CERT says is only exploitable by an attacker with physical access to the car.

    Old-timers will get nostalgic and weepy at this point: the vulnerability is exposed by the modem's AT command set. As detailed in this DEFCON presentation (PDF), the commands are AT+STKPROF, AT+XAPP, AT+XLOG and AT+FNS.

    (Many of these turned up as sources of iPhone vulns patched in 2015, if the extra detail at the iPhoneWiki is accurate.)

    The second – which is remotely exploitable ifyou can get a 2G connection – lets an attacker “access and control memory” for “remote code execution on the baseband radio processor of the TCU.”

    The discoverers, McAfee researchers Mickey Shkatov, Jesse Michael and Oleksandr Bazhaniuk, note in the presentation that the exploits for the firmware in question were outlined by Ralf-Philip Weinmann in the iOS Hacker's Handbook in 2016.

    So, as ICS-CERT says, “public exploits are available”.

    The best mitigation, it seems, is to deactivate the TCU, which Nissan and Infiniti and Ford (since last year) are implementing; BMW told ICS-CERT it will put a program in place for customers.

    It’s 2017 and Hayes AT modem commands can hack luxury cars • The Register
     
  2. fotomoto

    fotomoto Senior Member

    Joined:
    Apr 22, 2009
    5,608
    3,788
    0
    Location:
    So. Texas
    Vehicle:
    Other Hybrid
    My 2013 Ford recently got its 2g modem updated to 3G (for free) because the 2G network that it used is being turned off in the US.
     
  3. pilotgrrl

    pilotgrrl Senior Member

    Joined:
    Jul 23, 2017
    891
    1,797
    0
    Location:
    Chicagoan in TX
    Vehicle:
    2016 Prius
    Model:
    Three
    Ford must use AT&T. AT&T turned off their 2G network as of 1/1/2017.
     
  4. fotomoto

    fotomoto Senior Member

    Joined:
    Apr 22, 2009
    5,608
    3,788
    0
    Location:
    So. Texas
    Vehicle:
    Other Hybrid
    (y)
     
    pilotgrrl likes this.