Security flaw in ARMv7 allows hackers to gain control over smart cars

Security experts at Cisco have discovered a memory corruption vulnerability in GNU libc for ARMv7 that enables attackers to target Linux ARMv7 systems and gain remote control over smart cars.

Cisco's Customer Experience Assessment & Penetration Team (CX APT) revealed in a blog post published last week that the memory corruption vulnerability in the ARMv7 implementation of memcpy() leaves the programme in an undefined state and allows attackers to perform remote code execution.

Identifying the vulnerability as TALOS-2020-1019/CVE-2020-6096, the researchers added that the vulnerability in memcpy() "causes program execution to continue in scenarios where a segmentation fault or crash should have occurred. This unexpected behavior can result in a scenario where program execution continues with corrupted runtime state leading to exploitation opportunities."

ARM had recently launched the Cortex-A76AE, the “world’s first autonomous-class” processor for driverless vehicles that would power autonomous applications and high-integrity safety features in smart cars. The company expects the new processor to power smart cars on the road from this year onwards.

Researchers at Cisco's CX APT team said that the vulnerable embedded web server was found to be written in C++ and was externally exposed through a smart car's WiFi network, allowing attackers to target the web server after gaining access to the WiFi network. When fed a large GET request, the web server crashed and generated a segmentation fault.

This is where the vulnerability in memcpy() allowed programme execution to continue where the web server should have crashed, resulting in a scenario where "program execution continues with corrupted runtime state leading to exploitation opportunities," they added.
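As an added illustration (not code from Cisco's post or from the affected server), the following C sketch shows why a request handler should bound every attacker-derived length before calling memcpy() rather than relying on the copy to fault: a hypothetical GET-line parser with an explicit size check, beside a naive length derivation that silently wraps to a huge value. The handler, buffer size and request strings are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_CAP 64   /* fixed-size destination buffer, chosen for the demo */

/* Naive length derivation: total request length minus a fixed prefix. When
 * total < prefix the subtraction wraps to a huge size_t. Handing such a size to
 * memcpy() is the situation the article describes: the copy should fault at
 * once, but a memcpy() that mishandles very large sizes may instead carry on
 * with corrupted state. Here the value is only returned, never used. */
size_t naive_copy_len(size_t total, size_t prefix) {
    return total - prefix;
}

/* Hardened handler (hypothetical): every length derived from attacker-controlled
 * data is validated before memcpy() runs, so the size can never exceed the
 * destination. Returns 1 and fills `out` on success, 0 on rejection. */
int copy_get_path(const char *req, size_t req_len, char *out, size_t out_cap) {
    static const char prefix[] = "GET ";
    const size_t plen = sizeof prefix - 1;
    if (req_len < plen || memcmp(req, prefix, plen) != 0) return 0;
    const char *start = req + plen;
    const char *end = memchr(start, ' ', req_len - plen);
    if (end == NULL) return 0;
    size_t path_len = (size_t)(end - start);
    if (path_len == 0 || path_len >= out_cap) return 0; /* leave room for NUL */
    memcpy(out, start, path_len);
    out[path_len] = '\0';
    return 1;
}

int accepts_request(const char *req) {
    char path[PATH_CAP];
    return copy_get_path(req, strlen(req), path, sizeof path);
}

/* Constructed oversized request: a 200-byte path, far longer than PATH_CAP. */
int accepts_long_path(void) {
    char req[256] = "GET /";
    memset(req + 5, 'A', 200);
    memcpy(req + 205, " HTTP/1.1", 10);  /* includes the terminating NUL */
    return accepts_request(req);
}

int main(void) {
    printf("normal request accepted: %d\n", accepts_request("GET /index.html HTTP/1.1"));
    printf("oversized request accepted: %d\n", accepts_long_path());
    printf("naive length for 3-byte input, 4-byte prefix: %zu\n", naive_copy_len(3, 4));
    return 0;
}
```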

Security vulnerabilities are quite commonly found in autonomous and semi-autonomous vehicles that feature a number of smart technologies and applications to improve vehicle safety and driving experience. Last week, security researcher Till Kottmann discovered a misconfiguration in the Git web portal of Daimler AG, the automotive company behind the Mercedes-Benz car brand, that allowed him to create an account on Daimler's code-hosting portal and download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.

According to Kottmann, there wasn't any account confirmation process on the company's official GitLab server, which allowed him to register an account using a non-existent Daimler corporate email. He was able to download 580 Git repositories from the company's server and made them publicly available by uploading the files to several locations such as the file-hosting service MEGA, the Internet Archive, and his own GitLab server.

Last year, researchers at Pen Test Partners uncovered critical security holes in popular car alarms that could have been exploited by cyber criminals to unlock car doors, activate car alarms, and turn on car engines, all of which could allow criminals to steal cars with great ease.

The firm found that certain third-party car alarms, whose sellers claim to offer enhanced security to owners of keyless entry cars, featured gaping security holes that allowed criminals to geo-locate cars in real time, find out the car type and details of their owners, disable car alarms, unlock cars, disable immobilisers, and even kill car engines while they were running.

These security flaws affected up to three million cars worth over $150 billion globally and were present in car alarms sold by Viper (branded 'Clifford' in the UK) and Pandora, which are among the largest car alarm brands globally. In fact, Pandora claimed on its website that the security of its car alarms was "unhackable", a claim that was decisively demolished by security researchers and subsequently retracted.

Both Viper and Pandora fixed the security flaws in their car alarm APIs before Pen Test Partners published their findings. "We've seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we've seen them lead to a potential attack on this scale before," the researchers said.
