Lexus slams brakes on in-car virus theory

Automaker Lexus has denied that the Cabir wireless worm poses a risk to the Bluetooth-capable navigation systems featured in some of its vehicles.

Antivirus software maker F-Secure on Thursday published on its blog excerpts from a statement it received from Lexus refuting the rumoured vulnerability in its luxury cars and SUVs.

The rebuttal addressed concerns related to a report by security software maker Kaspersky Labs in January that it was investigating the possibility that Lexus cars could be infected by viruses. Kaspersky says that no cars actually were infected and that the customer that had spurred the inquiry was merely interested in finding out whether the Bluetooth interface built into some models' GPS systems could be vulnerable.

In the excerpts posted on F-Secure's blog, Lexus confirmed that its navigation tools use an embedded operating system and random access memory (RAM) to store several types of information, such as recent destinations and a telephone directory. However, the car maker denied reports that the operating system is made by Symbian - which is known to be vulnerable to Cabir - saying rather that it is a proprietary piece of software.

Cabir, the first worm known to target smart phones, uses the Bluetooth short-range wireless feature of handsets running on the Symbian operating system to detect other Symbian phones, and then transfers itself to the new host as a package file.

Lexus also said that although the Bluetooth interface in its navigation system supports Object Push Protocol technology for accepting files from a smart phone, the feature is controlled manually by a car's owner and any data being accessed using the tool cannot be exported or transmitted from the navigation unit.

In light of Lexus' statement, F-Secure concluded that car owners have little to worry about from Cabir. The company said that the Bluetooth support for Object Push Protocol could make it possible for Cabir to attempt to send itself to the Lexus navigation systems, and that this could cause an error message to appear on the devices, but the security company indicated that there are not more serious problems likely to result from the threat.

David Emm, senior technology consultant at Kaspersky, said that the Lexus study it conducted last month was merely an exercise into the potential for such infections - but he believes that real threats targeting Bluetooth and other wireless technologies are likely to follow soon.

"It's probably unfair that Lexus was used as an example in this case, but it's not that far out when you consider the immediate potential for wireless threats that are smarter than Cabir," Emm said. "The [viruses] that we've seen so far have been pretty basic; they're very much proof-of-concept attacks that in some way or another give themselves away to the user, but that doesn't necessarily have to be the case."

Emm said also that as car makers continue to integrate technology traditionally found in computers into their vehicles, the opportunities for automobiles to absorb many different kinds of viruses will grow significantly.

"Car manufacturers are thinking of delivering onboard connectivity to the internet to retrieve email and so on," Emm said. "Within that context, you will have even more potential to pull down things into your vehicle that may not be safe for its onboard computers."

Matt Hines writes for CNET News.com.