By Sam Dytrych and Jason Royes.

Executive summary

Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.

 These vehicles also frequently integrate both mobile and cloud components to improve the end-user experience. Functionality such as vehicle monitoring, remote start/stop, over-the-air-updates and roadside assistance are offered to the end-user as additional services and quality of life improvements.

 All these electronic and computer systems introduce a lot of different attack vectors in connected vehicles – Bluetooth, Digital Radio (HD Radio/DAB), USB, CAN bus, Wi-Fi and, in some cases, cellular. However, like any other embedded system, connected vehicles are exposed to cyber attacks and security threats. Some of the threats that connected vehicles face include software vulnerabilities, hardware-based attacks and even remote control of the vehicle. During some recent research, Cisco’s Customer Experience Assessment & Penetration Team (CX APT) discovered a memory corruption vulnerability in GNU libc for ARMv7, which leaves Linux ARMv7 systems open to exploitation. This vulnerability is identified as TALOS-2020-1019/CVE-2020-6096.