Hackers could exploit vulnerabilities in Lexus and Toyota cars to conduct remote attacks on affected vehicles, researchers at Tencent Keen Security Lab, based in China, have discovered.
Research into the AVN (Audio, Visual and Navigation) system in the 2017 Lexus NX300 (the same unit is also used in other models, including the LS and ES series) revealed security issues in the car’s Bluetooth and vehicle diagnostics functions.
Those vulnerabilities could be abused to compromise the AVN, the internal CAN network and related electronic control units (ECUs), according to Keen Security Lab.
Also, the researchers said they were able to take control of the AVN device wirelessly without user intervention, then insert malicious CAN messages to trigger “physical actions” for the vehicle.
However, the precise technical information relating to these vulnerabilities will only be published next year, researchers said.
The Lexus AVN is composed of a DCU (Display Control Unit) and an MEU (Multimedia Extension Unit for Maps). The DCU’s mainboard exposes attack surfaces such as Wi-Fi, Bluetooth and USB interfaces, and the DCU also exchanges CAN messages with internal ECUs.
The Chinese researchers leveraged two vulnerabilities to attack the Bluetooth in-vehicle service and gain root privileges for remote code execution in the DCU program.
The issues are an out-of-bounds heap memory read and a heap buffer overflow, both reachable before pairing, during the process of establishing a Bluetooth connection. Because of these flaws, exploitation over Bluetooth is “completely touchless and interaction-less at proximity,” explains Keen Security Lab.
An affected car’s Bluetooth MAC address can be sniffed over the air using the well-known “Ubertooth One” tool if the DCU system has previously paired with a mobile phone.
The DCU firmware does not implement secure boot, which allowed the researchers to re-flash the uCOM board with malicious firmware. They then used this to bypass the existing filter for CAN messages.
“By chaining the findings existed in Bluetooth and on-board diagnostic functions, a remote, touch-less attack chain from Bluetooth wireless connectivity down into automotive CAN network is feasible to be implemented,” the security researchers say.
Malicious code can be installed on the DCU through the Bluetooth software and persists on the device across reboots. It automatically connects the DCU to a Wi-Fi hotspot and spawns an interactive root shell, allowing an attacker to send arbitrary CAN messages to the CAN bus wirelessly.
“Furthermore, by leveraging the diagnostic CAN messages, some automotive ECUs inside CAN network would be tricked into executing diagnostic functions and triggering the car with unexpected physical motions,” Keen Security Lab concludes.
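As an added defender-side illustration (this is not code from Keen Lab or from the article), the monitor below reads a constructed candump-style log and flags UDS diagnostic requests (session control, I/O control, routine control) that appear while the vehicle is moving, the kind of traffic the attack chain described above would inject onto the CAN bus. The standard OBD-II/UDS request identifiers are real; the speed frame ID 0x1A0 and its encoding are assumptions for the constructed log.

```python
"""Flag diagnostic (UDS) requests seen on a CAN log while the vehicle is moving."""
from dataclasses import dataclass

# ISO 15765-4 request IDs: 0x7DF functional, 0x7E0-0x7E7 physical.
UDS_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
# ISO 14229 services that can change ECU state or drive actuators.
RISKY_SERVICES = {0x10: "DiagnosticSessionControl",
                  0x2F: "InputOutputControlByIdentifier",
                  0x31: "RoutineControl"}
SPEED_ID = 0x1A0  # ASSUMED: frame carrying vehicle speed in this constructed log


@dataclass
class Alert:
    ts: float
    can_id: int
    service: str


def parse_candump(line):
    """Parse one 'candump -L' line: '(ts) iface ID#HEXDATA'."""
    ts, _iface, frame = line.split()
    can_id, data = frame.split("#")
    return float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)


def uds_service(data):
    """Return the UDS service byte of an ISO-TP single frame, else None."""
    if len(data) >= 2 and (data[0] >> 4) == 0 and 0 < (data[0] & 0x0F) <= 7:
        return data[1]
    return None


def scan(lines):
    """Walk the log, track motion state, and collect risky UDS requests while moving."""
    moving, alerts = False, []
    for line in lines:
        ts, cid, data = parse_candump(line)
        if cid == SPEED_ID:
            moving = int.from_bytes(data[:2], "big") > 0  # assumed 16-bit speed
        elif cid in UDS_REQUEST_IDS and moving:
            svc = uds_service(data)
            if svc in RISKY_SERVICES:
                alerts.append(Alert(ts, cid, RISKY_SERVICES[svc]))
    return alerts


SAMPLE_LOG = [  # constructed sample, not a real capture
    "(1.000) can0 1A0#0000",              # speed 0: parked
    "(1.010) can0 7DF#0210030000000000",  # session change while parked: not flagged
    "(2.000) can0 1A0#0A00",              # vehicle now moving
    "(2.050) can0 7E0#0210030000000000",  # session change while moving: flagged
    "(2.100) can0 7E0#0431010203000000",  # routine control while moving: flagged
    "(2.200) can0 7DF#0201050000000000",  # OBD mode 01 read: benign, not flagged
]
```

Run `scan(SAMPLE_LOG)` to get the two alerts at t=2.05 and t=2.10; a real deployment would feed it live frames and learn the speed signal from the vehicle's DBC rather than an assumed ID.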
Toyota, which has acknowledged these vulnerabilities, says certain Toyota vehicles are also affected because they use “particular multimedia units.”
“The vulnerability findings and exploit process, as described by Keen Lab, do not control steering, braking, or throttle,” the car maker says.
Toyota says exploiting these bugs requires not only expertise in programming the multimedia unit but also a unique tool and proximity to the vehicle during the attack.
“Thus, Toyota believes that exploiting these vulnerabilities in the manner developed by Keen Lab is extremely sophisticated, and the likelihood of this condition to occur in the real world is limited,” the vehicle maker says.
The company has implemented measures to fix the vulnerabilities on the production line and says affected vehicles already on the market will receive a software update.