Antivirus software maker F-Secure on Thursday published on its blog excerpts from a statement it received from Lexus refuting the rumoured vulnerability in its luxury cars and SUVs.
The rebuttal addressed concerns related to a report by security software maker Kaspersky Labs in January that it was investigating the possibility that Lexus cars could be infected by viruses. Kaspersky says that no cars actually were infected and that the customer that had spurred the inquiry was merely interested in finding out whether the Bluetooth interface built into some models' GPS systems could be vulnerable.
In the excerpts posted on F-Secure's blog, Lexus confirmed that its navigation tools use an embedded operating system and random access memory (RAM) to store several types of information, such as recent destinations and a telephone directory. However, the car maker denied reports that the operating system is made by Symbian--which is known to be vulnerable to Cabir--saying rather that it is a proprietary piece of software.
Cabir, the first worm known to target smart phones, uses the Bluetooth short-range wireless feature of handsets running on the Symbian operating system to detect other Symbian phones, and then transfers itself to the new host as a package file.
Lexus also said that although the Bluetooth interface in its navigation system supports Object Push Protocol technology for accepting files from a smart phone, the feature is controlled manually by a car's owner and any data being accessed using the tool cannot be exported or transmitted from the navigation unit.
In light of Lexus' statement, F-Secure concluded that car owners have little to worry about from Cabir. The company said that the Bluetooth support for Object Push Protocol could make it possible for Cabir to attempt to send itself to the Lexus navigation systems, and that this could cause an error message to appear on the devices, but the security company indicated that there are not more serious problems likely to result from the threat.
David Emm, senior technology consultant at Kaspersky, said that the Lexus study it conducted last month was merely an exercise into the potential for such infections--but he believes that real threats targeting Bluetooth and other wireless technologies are likely to follow soon.
"It's probably unfair that Lexus was used as an example in this case, but it's not that far out when you consider the immediate potential for wireless threats that are smarter than Cabir," Emm said. "The (viruses) that we've seen so far have been pretty basic; they're very much proof-of-concept attacks that in some way or another give themselves away to the user, but that doesn't necessarily have to be the case."
Emm said also that as car makers continue to integrate technology traditionally found in computers into their vehicles, the opportunities for automobiles to absorb many different kinds of viruses will grow significantly.
"Car manufacturers are thinking of delivering onboard connectivity to the Internet to retrieve e-mail and so on," Emm said. "Within that context, you will have even more potential to pull down things into your vehicle that may not be safe for its onboard computers."
Windows for Fords: Coming to you real soon - NOT!
Just imagine having to push the 'Start' key to stop your car. What does the blue screen of death look like on the freeway at 100Kmh? Red blood everywhere? "No your honour, I wasn't speeding, but the computer was infected with a virus and I couldn't stop."
Rest ****ured that any car maker that decides to use a common OS for their cars' data processing requirements will be met with a hasty exodus of customers from the dealers showrooms.
I think the car manufacturers learnt from the Y2K embedded experience. As I recall, only one manufacturer had to recall a small number of 4WD vehicles to reprogram the engine management system to become compliant. You always learn from a product recall - once bitten twice $hy.
Where every bit and byte counts, and there is p****enger safety at stake, there MUST be 100% verification of all the code. Bloatware is not in the car manufacturers vocabulary. Room for a virus to infiltrate and park itself doesn't exist.
The car computers will - out of sheer necessity - continue be custom ALWAYS. The accessories may be another matter, where it doesn't matter if your stereo plays Bill Gates counting his money in a loop or not.
Now let me get back to writing that HiFi virus that stops that doof-doof drongo at the traffic lights stone cold...