Examining Log4j Vulnerabilities in Connected Cars and Charging Stations

Since its disclosure on Dec. 9, a vast number of articles have been written on the remote code execution (RCE) vulnerability in the library Apache Log4j — a reflection of its impact. The library is used by innumerable programs to easily release log statements without modifying the code. This means that it has an expansive attack surface, with Amazon, Apple, Cloudflare, Google, Tencent, Twitter, and many other well-known entities having been vulnerable targets at some point. Further expanding the attack surface, the vulnerability, dubbed Log4Shell, affects even embedded devices that use this library. In this report, we focus on the devices or properties found in or used for cars, specifically chargers, in-vehicle infotainment (IVI) systems, and “digital remotes” for opening cars.

Car chargers at risk
In Europe, the vehicle-to-grid (V2G) system is already available. This system allows stored energy in car batteries to be redistributed over the grid to help balance demand vis-à-vis production level.

Read more…
Source: Trend Micro