Over 10 years ago, the first iPhone burst on the scene and changed mobile computing forever. But it had a flaw: The baseband (the part that manages all the radios) on the installed Infineon chip could be exploited to run the phone on networks other than AT&T — which was, at the time, the exclusive provider. Fast-forward to 2017 and that same chip was recently found in various Nissan Leafs built between 2011 and 2015.
While such chips are typically used in multiple devices across different markets, the problem is that the Infineon chip with the same vulnerability was found in a modern car so many years later. But it’s not just one car with this issue; BMWs and Fords were found to have the same vulnerable silicon that would allow someone to remotely access and control memory. At Def Con recently, McAfee researchers Mickey Shkatov, Jesse Michael and Oleksandr Bazhaniuk warned that the chip could be used to send ransomware to the car. However, they decided that a good old-fashion Rick Roll would suffice for their presentation.
“We just randomly picked a car at the wrecking yard and happened to find this and our jaws kinda dropped,” said Michael.
The actual flaw was discovered in the telematics control units (TCU) of the vehicle supplied by Continental AG. It was a vendor-supplied component that housed the Infineon chip. That piece of hardware found its way into BMWs, Fords and Inifinitis (the luxury arm of Nissan), according to an ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) advisory issued on July 27th this year.
Fortunately, Intel (which purchased Infineon back in 2011) and Nissan worked with the researchers to help identify and figure out a way to fix the issue for current owners. Also, Nissan, BMW and Ford have all delivered system updates to fix or disable the affected modems. But that doesn’t get at the larger issue of potentially vulnerable hardware permeating multiple, unrelated devices. While the iPhone was a huge target for hackers, other lesser-known devices with the same chipset just don’t register with people looking for vulnerabilities. At least not initially.
Car hacking has only recently become something automakers and their suppliers have to worry about. But even in a world where all devices are fair game to bad actors, even the most security-minded company will find it difficult to vet all the hardware that goes into a car that’s teaming with thousands of pieces of silicon.
It’s not only the automotive world that should be concerned. Hardware with known exploits could be in just about anything. Boats, security systems and infrastructure components could potentially have hardware that’s not up to snuff.
It’s not just vulnerable silicon that’s used over and over again. In 2014, researchers Lior Oppenheim and Shahar Tal found routers running old versions of software for embedded devices that let folks bypass the device’s security. The old version of the software had been used over and over again, even though the original vendor issued an update seven years earlier.
“The problem is that the notion of managing your supply chain when it comes to computer technology and software is not there,” Veracode founder and researcher Chris Wysopal told Engadget. Wysopal noted that when it comes to hardware and software, no one seems to be tracking down to the component level.
So who is responsible when something like this happens? In this case is it the automaker, the vendor or the chipmaker? To Wysopal, all parties involved are responsible, and if (for example) a chip is found with a vulnerability, it’s up to the company that built it to recall those pieces of silicon from resellers.
Plus, companies should be tracking updates to the components put into their products. It’s going to be costly, but it needs to happen or the next exploit might not be found by researchers, meaning one morning the owners of certain car models could wake up to a vehicle that’s locked them out unless they are willing to pay a ransom.
When that happens, no amount of PR spin or free fixes from the dealer is going to repair an automaker’s — or any company’s — image.
Wysopal said, “It’s a new world out there. We just need to build some new processes. We need standard industry processes for this solution so people can sort of rely on these things being able to get updated.”