Examining Log4j Vulnerabilities in Connected Cars and Charging Stations

Trend Micro -

Evidence of attacks using the Log4j vulnerability was also shown in a test that triggered a bug on a Tesla car. For this case, the source does not provide much information on where it was actually executed. Nevertheless, this means that the exploitation of the vulnerability could still have an impact on the user’s privacy and the general security of the car because a back-end compromise could allow attackers to push actions to the car and serve malicious firmware over-the-air (FOTA) updates.

Digital keys vulnerable to Log4Shell?

Smartphones can now replace key fobs as so-called “digital keys” that can control some parts of cars. The applications that allow this could also be vulnerable to the Log4j vulnerability. The Frida script log4JFrida can be used to test this assumption, allowing one to change several characteristics of a car to trigger the vulnerability.

Beyond the three devices or properties in modern cars discussed in this article, there are still many more to test and monitor for Log4j vulnerabilities. Among them are servers’ responses to tests and plenty of other vectors that could allow attackers to use the access afforded by applications to send commands that can unlock a car, control the heating,

Read More: https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html