At the Security Analyst Summit 2025, Kaspersky unveiled the alarming results of a security audit that exposed critical weaknesses in the connected car infrastructure of a major automotive manufacturer.
The audit found that a zero-day vulnerability in a third-party contractor’s publicly accessible application could be exploited to gain full control over the vehicle’s telematics system. Such access endangers the physical safety of drivers and passengers, since an attacker could potentially force gear shifts or shut off the engine while the vehicle is in motion.
The Attack Chain:
- Contractor Breach: Researchers exploited an SQL injection zero-day in the contractor’s wiki application to steal user password hashes.
- Infrastructure Access: Using compromised credentials, they accessed the contractor’s systems, uncovering sensitive configuration details and passwords for the manufacturer’s telematics server.
- Vehicle Compromise: A misconfigured firewall on the connected-vehicle side exposed internal servers. The researchers then found a firmware update command that allowed them to upload modified firmware to the Telematics Control Unit (TCU).
- Full Control: This gave them access to the vehicle’s CAN bus, granting the ability to manipulate critical functions like the engine and transmission.
The Core Problem:
According to Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment, the flaws stem from common industry issues: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted data storage.
Kaspersky urges the automotive industry and its contractors to immediately implement robust security practices, including enforcing strict password policies, encrypting sensitive data, and restricting internet access to critical services.