Continental AG Infineon S-Gold 2 (PMB 8876)
Plan Patch | 8.8 | ICS-CERT ICSA-17-208-01 | Jul 27, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Continental AG and Infineon S-Gold 2 (PMB 8876) chipset contains a buffer overflow vulnerability (CWE-121, CWE-119) in the 2G cellular modem firmware used in Nissan, Infiniti, and early BMW vehicles. The vulnerability allows remote code execution over a 2G cellular connection without authentication. The affected Telematics Control Units (TCUs) are used for vehicle connectivity and infotainment functions. Nissan and Infiniti have confirmed that their 2G cellular service provider no longer operates 2G services in the U.S., rendering these modems non-functional for telematics. Vendors have no firmware patches available; the only mitigation is physical deactivation of the hardware.
What this means
What could happen
An attacker could remotely compromise the 2G cellular modem in affected vehicles and potentially execute code to interfere with telematics, infotainment, or vehicle connectivity functions. However, these 2G modems are no longer actively providing services in the U.S., significantly reducing practical risk.
Who's at risk
Nissan and Infiniti vehicle owners with 2009-2016 model years equipped with Infineon S-Gold 2 cellular modems, including: Nissan Leaf (2011-2015), Infiniti Q70/Q70L (2014-2016), Infiniti QX series (QX50, QX60, QX80, 2013-2016), Infiniti M37/M56 (2013), and early BMW models (2009-2010). Older Infiniti and Nissan vehicles with first-generation telematics systems are the primary concern.
How it could be exploited
An attacker would send malicious data over the 2G cellular network to the vehicle's Telematics Control Unit (TCU). The vulnerability exists in the firmware of the Infineon S-Gold 2 chipset and allows buffer overflow or memory corruption attacks. If the vehicle is in range of a 2G cellular signal and the TCU is powered on, the attack could execute without authentication.
Prerequisites
- Vehicle with affected 2G TCU must be within 2G cellular network coverage area
- 2G cellular network infrastructure must still be operational (degraded in most of U.S.)
- No credentials or special knowledge required
remotely exploitable | no authentication required | low complexity attack | public exploits available | no patch available | 2G network coverage degraded in U.S.
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (14)
14 pending
Product | Affected Versions | Fix Status
BMW: several models produced between 2009-2010 | 2009-2010 | No fix yet
Infiniti: 2014-2016 Q70 | 2014-2016 | No fix yet
Infiniti: 2014-2015 QX50 | 2014-2015 | No fix yet
Infiniti: 2014-2016 QX 80 | 2014-2016 | No fix yet
Infiniti: 2014-2015 QX50 Hybrid | 2014-2015 | No fix yet
Ford: - program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service | program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service | No fix yet
Infiniti: 2014-2016 QX60 | 2014-2016 | No fix yet
Infiniti: 2013 JX35 | 2013 | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Contact your local Nissan or Infiniti dealer to have the 2G TCU deactivated at no cost
Long-term hardening
HARDENING: If your vehicle is no longer in active service or 2G coverage is unavailable in your area, monitor for dealer communication regarding the deactivation program
CVEs (2)