Four days ago, the cybersecurity world was introduced to Log4Shell — one of the most profound vulnerabilities of 2021. We at Upstream were prepared for this day to come, with a holistic solution including detection capabilities meant to detect any attempt of misusing the vehicles’ communications and the vulnerability for malicious intents.
What is the Log4Shell Vulnerability?
Apache Log4j is a Java-based logging library, which has made major headlines in recent days. As news and awareness of this threat spread, IT and cybersecurity teams were tasked with mitigating this newly discovered threat to protect their companies’ assets, data, and customers.
This vulnerability in Log4j, known as ‘Log4Shell’, was a zero-day vulnerability now assigned CVE-2021-44228. This critical vulnerability in Log4j, allows an attacker to execute arbitrary code on systems using Log4j to write out log messages. For this reason, the vulnerability scored an alarmingly high 10 out of 10 on the CVSS score scale, a score to which not many have the “honor” of receiving.
On December 9th, the vulnerability was first introduced on GitHub. This first proof-of-concept exploit enabled unauthenticated remote code execution, leading to a complete system takeover. The next day, December 10th, usage of the exploit was reported, identifying massive scanning from multiple hosts for servers using versions of Apache Log4j vulnerable to the exploit. This showed not only the potential risks and impact of the vulnerability across industries but also why it was so critical to be patched.
What’s Log4Shell’s impact on the Automotive industry?
Connected vehicles collect information about every detail throughout the vehicle’s life, communicating with their OEMs’ telematics and application back-end servers. Beyond OEM servers, other services that communicate with vehicles might belong to aftermarket companies including insurance companies, fleets providers, commercial fleets, car rental and leasing companies, and more.
This connection between the vehicles and their open channel with the companies’ servers is exactly the spot where they are vulnerable to the Log4Shell vulnerability.
The servers that communicate with the vehicles are application servers. Ultimately, they are tasked with reading and writing data, making them vulnerable to attacks, such as injection attacks, just like many other servers.
The Log4Shell vulnerability is an example of a weakness that jeopardizes the security of any automotive-related server since the data traversing between the vehicle and server is collected, stored, and logged over a period of time in different systems or environments. This puts the vehicle data at risk of being impacted by the Log4Shell vulnerability.
By exploiting the connection between the vehicles and company servers, threat actors can access company assets. This can be achieved by communicating directly with the telematics data servers, to the back-end infrastructure and internal servers, bypassing many existing security controls in place.
As a matter of fact, this vulnerability can be exploited by inserting arbitrary code in a user-input field through applications, such as an infotainment system.
We witnessed how internal systems can be affected by these kinds of attacks as well as originate from the vehicle interface in 2019. In this incident, a hacker manipulated his Tesla model 3 by setting a nickname for his car, which led the OEM’s server into exposing private vehicle information. The hacker discovered a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain — and possibly modify — vehicle information. He was able to expose some internal Tesla application data.
Exploiting the vulnerability in different attack vectors.
Upstream’s Holistic Approach to Mitigation and Protection
Upstream’s products and services for automotive cybersecurity have worked together to create a full immediate response to the disclosure of the Log4Shell vulnerability.
Once an alert was triggered, our researchers learned and identified the problem, and its potential risks. After a thorough and fast evaluation, they worked with our VSOC operations team, to take protective steps and measures to allow our customers to have early detection and response capabilities.
Upstream’s platform monitors connected vehicle data and communications with the automotive application servers. The platform secures the dataflow and alerts on injection attacks, through purpose-built detection capabilities that flag these sorts of attacks.
In light of the disclosure of the Log4Shell vulnerability, our platform’s detection abilities for injections was extended to include the detection of the Log4Shell exploit in connected automotive data; be it vehicle data or companion-app back-end data. Adding a Log4Shell detection capability, The Upstream Platform provides early detection and response of any attempt to exploit this vector of communication, mitigating against any exploitation attempt of this vector.
Thanks to The Upstream Platform, combined with our AutoThreat® Intelligence and VSOC service, many CISOs learned about the patch before even learning about the Log4Shell vulnerability.