E-CORRIDOR researchers Gianpiero Costantino and Ilaria Matteucci from CNR successfully identified KIA Head Unit vulnerability and made it a CVE entry. This is an additional step forward in the direction of making our vehicles secure against potential cyber-attacks and delivering secure Intelligent Transport Systems (ITS) solutions.

About this CVE entry

It is a public report of a vulnerability discovered on some software versions of KIA Motors Head Units (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8539).

Figure 1. The CVE for Kia Motors Head Unit

Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable daemon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.

Importance of this finding

It is an important achievement for the cybersecurity automotive domain and our finding is relevant for the E-CORRIDOR project because it represents an additional step forward in the direction of making our vehicles secure against potential cyber-attacks. 

Links

The CVE is already public at the link (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8539).

A technical report on the discovered vulnerability is published as CNR Technical Report IIT-20-2020 (https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf). The full paper with all the details is planned to be released in 2021.