Tuesday, December 6, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Locus Energy and Tesla Motors.

Locus Energy Advisory
This advisory describes a command injection vulnerability in the Locus Energy LGate application. The vulnerability was reported by Daniel Reich. Locus Energy has produced a firmware update to mitigate the vulnerability. The update will be remotely installed by Locus Energy upon request. There is no indication that Reich has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to take control of an LGate whose web server port is publicly exposed.

This advisory was originally posted to the US-CERT secure Portal library on September 29, 2016.

Tesla Motors Advisory
This advisory describes a vulnerability in the gateway ECU of the Tesla Motors (Tesla) Model S automobile. The vulnerability was reported by Tencent’s Keen Security Lab. Tesla has produced an over-the-air firmware update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix. ICS-CERT reports that the update has been available since September 18th.

ICS-CERT reports that it would be difficult to craft an exploit for this vulnerability as it would require a complex chain of exploits, “including a web browser compromise, local privilege escalation, and custom-built firmware”. A successful exploit would allow an attacker to remotely control the vehicle’s software and driving functions.
