Continental AG Infineon S-Gold 2 (PMB 8876)

Plan PatchCVSS 8.8ICS-CERT ICSA-17-208-01Jul 27, 2017

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Continental AG and Infineon S-Gold 2 (PMB 8876) chipset contains a buffer overflow vulnerability (CWE-121, CWE-119) in the 2G cellular modem firmware used in Nissan, Infiniti, and early BMW vehicles. The vulnerability allows remote code execution over a 2G cellular connection without authentication. The affected Telematics Control Units (TCUs) are used for vehicle connectivity and infotainment functions. Nissan and Infiniti have confirmed their 2G cellular service provider no longer operates 2G services in the U.S., rendering these modems non-functional for telematics. Vendors have no firmware patches available; the only mitigation is physical deactivation of the hardware.

What this means

What could happen

An attacker could remotely compromise the 2G cellular modem in affected vehicles and potentially execute code to interfere with telematics, infotainment, or vehicle connectivity functions. However, these 2G modems are no longer actively providing services in the U.S., significantly reducing practical risk.

Who's at risk

Nissan and Infiniti vehicle owners with 2009-2016 model years equipped with Infineon S-Gold 2 cellular modems, including: Nissan Leaf (2011-2015), Infiniti Q70/Q70L (2014-2016), Infiniti QX series (QX50, QX60, QX80, 2013-2016), Infiniti M37/M56 (2013), and early BMW models (2009-2010). Older Infiniti and Nissan vehicles with first-generation telematics systems are the primary concern.

How it could be exploited

An attacker would send malicious data over the 2G cellular network to the vehicle's Telematics Control Unit (TCU). The vulnerability exists in the firmware of the Infineon S-Gold 2 chipset and allows buffer overflow or memory corruption attacks. If the vehicle is in range of a 2G cellular signal and the TCU is powered on, the attack could execute without authentication.

Prerequisites

Vehicle with affected 2G TCU must be within 2G cellular network coverage area
2G cellular network infrastructure must still be operational (degraded in most of U.S.)
No credentials or special knowledge required

remotely exploitableno authentication requiredlow complexity attackpublic exploits availableno patch available2G network coverage degraded in U.S.

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (14)

14 pending

ProductAffected VersionsFix Status

BMW: several models produced between 2009-20102009-2010No fix yet

Infiniti: 2014-2016 Q702014-2016No fix yet

Infiniti: 2014-2015 QX502014-2015No fix yet

Infiniti: 2014-2016 QX 802014-2016No fix yet

Infiniti: 2014-2015 QX50 Hybrid2014-2015No fix yet

Ford: - program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in serviceprogram to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in serviceNo fix yet

Infiniti: 2014-2016 QX602014-2016No fix yet

Infiniti: 2013 JX352013No fix yet

Remediation & Mitigation

0/2

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDContact your local Nissan or Infiniti dealer to have the 2G TCU deactivated at no cost

Long-term hardening

0/1

HARDENINGIf your vehicle is no longer in active service or 2G coverage is unavailable in your area, monitor for dealer communication regarding the deactivation program

CVEs (2)

CVE-2017-9647 CVE-2017-9633

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ced6b58f-d620-431f-900b-953b74717a87

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.