Vmyths.com

Hoaxes, myths,
urban legends

Columnists

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Lexus automobile virus (urban legend)

CATEGORY: Myths & urban legends

CATEGORY: Hysteria over a computer security URBAN LEGEND

SC Magazine reporter David Quainton and ZDNet reporter Dan Ilett published stories in late January about an unknown computer virus that might have infected Lexus automobiles. According to the stories, Russian antivirus firm Kaspersky Labs revealed it was contacted "by a user asking how to disinfect the onboard computers of several Lexus cars... The user said that the infection occurred via a mobile phone."

Quainton's story quoted Eugene Kaspersky as saying "if infected mobile devices are scary, just thinking [sic] about an infected onboard computer." F-Secure spokesman Mikko Hyppönen talked in the story about computer security threats for both cars and aircraft.

F-Secure ex­pert Mikko Hyp­pö­nen summed it up in two words. "What virus?" Kas­per­sky Labs told re­por­ters they were only in­ves­ti­ga­ting a report of a virus.
These stories saw wide reprint on web-based news sites and on computer security mailing lists. They spawned numerous knockoff stories, many of them hysterical in nature and lacking attribution. Local & national TV reporters also expressed an interest in the story. Computer security celebrity Bruce Schneier (Counterpane) added more fuel to the fire when he linked to one such knockoff story in the February edition of his newsletter.

(Computer security "news" routinely lacks attribution, which in turn leads the experts themselves to believe myths & legends. Click here for more on this controversy. But to Schneier's credit, he correctly described the Lexus virus as "unconfirmed rumors.")

Lexus Product Communications Manager Bill Ussery spoke with Vmyths by phone the day Schneier's newsletter went out. In a follow-up email to Vmyths, Ussery explained "Lexus and its parent companies ... have investigated this rumor and have determined it to be without foundation for the following reasons:

  1. Navigation systems in Lexus and Toyota vehicles do utilize an embedded operating system (OS) and some degree of random access memory (RAM) that is used to store several types of information such as recent destinations, names and attributes of saved destinations, and a telephone directory among other items. The operating system itself is proprietary, however, not Symbian as these reports have alleged;

  2. Although the Bluetooth interface does support the Object Push Protocol for transferring the phone book from a Bluetooth cell phone to the navigation system, this is an operator controlled event and the data cannot be exported (or transmitted) from the navigation unit."
No one — not even Kaspersky Labs — offered an antivirus solution for Lexus drivers two weeks after Kaspersky blabbed to the media. We turned this observation into a loaded question and asked virus experts around the world for an answer. Hyppönen himself replied with two words: "what virus?"

Vesselin Bontchev (FRISK) agreed. "Such a virus doesn't exist yet. It has only been speculated (by Kaspersky Labs, apparently, and then F-Secure have chimed in) that it is possible... [Our antivirus software] gets updated when new known viruses are discovered. Sadly, we can't scan for hypothetical viruses yet." Graham Cluley (Sophos) chimed in with a sound observation. "The media loves to hype virus threats on devices where there isn't a problem, often ignoring Windows desktop PCs which can be bombarded by real attacks every hour of the day."

So there you have it, folks. Just another urban legend — spawned by society's gullibility over computer virus rumors. Stay calm. Stay reasoned. And stay tuned to Vmyths.

Bruce Hughes (ICSA Labs) joked about the notion of test-driving a computer virus. "I'm trying to get the company to buy me a Lexus for testing." Bontchev made the same joke. "The boss firmly refused to buy us a Lexus for 'replication and testing' purposes." Hyppönen chimed in, too. "When we heard about this, boys in our lab immediately left three purchase orders in our IT hardware order system for Lexuses 'for testing purposes.'"

We must largely blame this urban legend on the many ex­perts and pun­dits who failed to exer­cise caveat lector when they re­told the story in their own words.
Even reporter David Quainton piped up with some humor. "As soon as I found out about the possibility of infection I sold my brand new car and swapped it for a model made before 1985. Also, I now live in a mud hut..."

Did Kaspersky Labs start this urban legend as a publicity stunt?

Vmyths believes Kaspersky Labs actually did get a phone call from someone with a frustrating Lexus problem. It's still a common tactic for antivirus vendors to create publicity for these things, and we believe Kaspersky Labs followed established norms for creating media hype.

Kaspersky Labs shielded itself from full embarrassment by telling the media they were only "investigating" a Lexus virus accusation. Hence, we must largely blame this urban legend on the many experts and pundits who failed to exercise caveat lector when they retold the story in their own words.

Vmyths has documented any number of cases where experts incorrectly accuse a computer virus/worm of causing havoc (with much fanfare), and then look foolish when the innocuous truth comes out (with little fanfare). History suggests the computer security community won't go out of its way to clarify this story.

Did Lexus at first "refuse to comment" on this urban legend?

David Quainton and Dan Ilett both said Lexus had chosen not to discuss the incident. Ussery contested this, saying "Lexus has responded promptly to all media inquiries regarding this matter. Contrary to the original story that appeared on ZDNet, Lexus was never contacted for comment by the writer."

Both reporters live in Britain — not the U.S. or Japan. An investigation by Vmyths leads us to suspect both reporters contacted an out-of-the-loop representative in England who declined comment. Each reporter had enough statements from Kaspersky Labs and other computer security firms to file their stories.

On 15 February 2005 (just a few hours after Schneier's newsletter went out), Ussery fired off a letter to the editors at SC Magazine. This letter almost certainly spawned a story the next day by David Quainton titled "Lexus hits out at car virus claim."

Kaspersky Labs founder Eugene Kaspersky did not respond when Vmyths tried to get a clarification from him.

Last updated: 2005/3/19