By exploiting a zero-day vulnerability in a contractor’s publicly accessible application, it was possible to gain control over the vehicle telematics system, compromising the physical safety of drivers and passengers. For instance, attackers could force gear shifts or turn off the engine when the vehicle is driving. The findings highlight potential cybersecurity weaknesses in the automotive industry, prompting calls for enhanced security measures.

Car manufacturer’s side

The security audit was conducted remotely and targeted the manufacturer’s publicly accessible services and the contractor’s infrastructure. Kaspersky identified several exposed web services. First, through a zero-day SQL injection vulnerability in the wiki application (a web-based platform that allows users to collaboratively create, edit, and manage content), the researchers were able to extract a list of users on the contractor’s side with password hashes, some of which were guessed due to a weak password policy. This breach provided access to the contractor’s issue tracking system (a software tool used to manage and track tasks, bugs, or issues within a project), which contained sensitive configuration details about the manufacturer’s telematics infrastructure, including a file with hashed passwords of users of one of the manufacturer’s vehicle telematics servers. In a modern car, telematics enables the collection, transmission, analysis, and utilization of various data (e.g., speed, geolocation, etc.) from connected vehicles.

Connected vehicle side

On the connected vehicle side, Kaspersky discovered a misconfigured firewall exposing internal servers. Using a previously acquired service account password, the researchers accessed the server’s file system and uncovered credentials for another contractor, granting full control over the telematics infrastructure. Most alarmingly, the researchers discovered a firmware update command that allowed them to upload modified firmware to the Telematics Control Unit (TCU). This provided access to the vehicle’s CAN (Controller Area Network) bus – a system that connects different parts of the vehicle, like the engine and sensors. Afterwards, various other systems were accessed, including the engine, transmission, etc. This enabled potential manipulation of a range of critical vehicle functions, which could endanger driver and passenger safety.

“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,” comments Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.

Kaspersky recommends that contractors restrict internet access to web services via VPN, isolate services from corporate networks, enforce strict password policies, implement 2FA, encrypt sensitive data, and integrate logging with a SIEM system for real-time monitoring.

For the automotive manufacturer, Kaspersky advises restricting telematics platform access from the vehicle network segment, using allowlists for network interactions, disabling SSH password authentication, running services with minimal privileges, and ensuring command authenticity in TCUs, alongside SIEM integration.