A memory corruption vulnerability in GNU libc for ARMv7 was discovered amid recent research from Cisco's Customer Experience Assessment & Penetration Team (CX APT).
It leaves Linux ARMv7 systems open to exploitation, with this vulnerability identified as TALOS-2020-1019/CVE-2020-6096.
Security threats and cyber-attacks on exposed connected vehicles can include software vulnerabilities, attacks based on hardware and, according to a Talos Intelligence blog, could even remote control a vehicle.
It is now widely accepted that cars are now complex machines that blend both mechanical and computer systems.
More sensors and devices are helping cars to measure and understand its external and internal location, temperature and other environmental variables, as well as the distance from other objects.
The report said: “These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.”
Cars can integrate both mobile and cloud components to improve driver experience, including over the air updates, remote start-stop and monitoring.
These systems introduce a lot of “different attack vectors” in vehicles that are connected through mobile networks, WiFI, Bluetooth, DAB, USB, the report added.
But Andrew Tierney of Pen Test Partners said the vulnerability was wider than just vehicles, and would involve the IoT more generally.
“While it’s an interesting bug that we are surprised hasn’t been spotted before, we don’t see why Talos are highlighting this as a ‘vehicle’ issue, Tierney said.
"While it’s true that more than 90 percent of vehicle IVIs (sat nav head units) are ARM / Linux based and therefore might be vulnerable in some configurations, this issue affects a wide swathe of IoT and other embedded systems including industrial controls.
“This is a significant security flaw that affects IoT, not just cars. While vehicle OEMs may be quick to address this, we fear that many older and possibly unsupported embedded systems will never be patched.
“This is a vulnerability for IoT and ICS hackers to dine out on for years to come.”
Giving technical details, the report added: “The CX APT IoT security practice specialises in identifying vulnerabilities in connected vehicle components.
“CX APT worked with Cisco Talos to disclose the vulnerability and the libc library maintainers plan to release an update that fixes this vulnerability in August.”
Niels Schweisshelm, technical program manager, HackerOne agreed that it was a big positive that the vulnerability had been found and reported.
"It doesn’t take a huge amount of imagination to envision the risks associated with automotive vehicles that are susceptible to being attacked by cybercriminals," Schweisshelm said.
"The good news here is that this vulnerability was found before bad actors had the chance to exploit it.
"Like all other human developed code, vulnerabilities will exist in automotive software and it's incredibly important to find them before they’re exploited.
"With complex on-board software and the security concerns that comes with it, automotive brands are starting to reap the benefits of hacker-powered security on their digital assets to ensure that we are all as safe as possible when making use of automotive vehicles. This trend needs to continue as we journey towards a self-driving future."