Seven security researchers have found several flaws in vehicles made by 16 automakers, including defects that let them operate a car's functions and start or stop the engine. The researchers report that other security flaws gave them access to a manufacturer's internal applications and systems, exposing personally identifiable information (PII) belonging to customers and staff and enabling account takeover, among other things. The flaws were found in telematics systems, automotive APIs, and the supporting infrastructure.
Acura, Ferrari, Honda, BMW, Ford, Kia, Genesis, Hyundai, Infiniti, Jaguar, Land Rover, Rolls Royce, Mercedes-Benz, Nissan, Porsche, and Toyota are among the affected automobile brands. The vulnerabilities were discovered throughout 2022. After learning about the security flaws, the auto industry published updates. The researchers claim they could communicate with automobiles made by Acura, Genesis, Kia, Honda, Nissan, Hyundai, Infiniti, and Porsche.
The researchers could start and stop engines, remotely lock and unlock vehicles, flash headlights, honk the horn, and locate Acura, Honda, Kia, Infiniti, and Nissan vehicles using only the VIN (vehicle identification number), which is generally visible through the windshield. They could also change vehicle ownership and lock users out of remote vehicle management.
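The flaw class behind the VIN-only findings above is an API that treats a publicly visible identifier as proof of ownership. The following is an added illustration, not code from any automaker or from the researchers' writeup: a constructed telematics command handler in its vulnerable form (any caller who supplies a VIN gets owner PII and a command executed) beside a hardened form that authenticates the session, checks an ownership binding before acting, never returns PII from a command endpoint, and records denials so that a detection rule can alert on enumeration attempts. All VINs, names, tokens and locations are constructed sample data.

```python
"""Constructed example of a VIN-keyed telematics endpoint, vulnerable vs hardened.

Not the code of any manufacturer; every value below is made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample back-end data: VIN -> vehicle record with owner PII.
VEHICLES: Dict[str, dict] = {
    "1HGCM82633A004352": {"owner_id": "u-100", "name": "A. Driver",
                          "email": "a.driver@example.invalid",
                          "lat": 40.71, "lon": -74.00},
    "5NPE24AF0FH012345": {"owner_id": "u-200", "name": "B. Rider",
                          "email": "b.rider@example.invalid",
                          "lat": 34.05, "lon": -118.24},
}
# Ownership binding: which account may act on which VINs (constructed).
OWNERSHIP: Dict[str, set] = {"u-100": {"1HGCM82633A004352"},
                             "u-200": {"5NPE24AF0FH012345"}}
# Valid session tokens -> account id (constructed).
SESSIONS: Dict[str, str] = {"tok-alice": "u-100", "tok-bob": "u-200"}

ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "honk", "locate"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# --- vulnerable pattern: the VIN is the only "credential" ---------------
def vulnerable_vehicle_command(vin: str, command: str) -> Response:
    """Anyone who knows the VIN gets the owner's PII and a command executed."""
    rec = VEHICLES.get(vin)
    if rec is None:
        return Response(404, {"error": "unknown vin"})   # also an enumeration oracle
    return Response(200, {"owner": rec["name"], "email": rec["email"],
                          "location": (rec["lat"], rec["lon"]),
                          "command": command, "accepted": True})


# --- hardened pattern: authenticate, then authorise against ownership ---
AUDIT_LOG: List[str] = []   # denials land here so a SOC can alert on spikes


def hardened_vehicle_command(vin: str, command: str,
                             session_token: Optional[str]) -> Response:
    user = SESSIONS.get(session_token or "")
    if user is None:
        AUDIT_LOG.append(f"deny unauthenticated vin={vin} cmd={command}")
        return Response(401, {"error": "authentication required"})
    # Authorisation is keyed on the caller's account, never on the VIN alone.
    if vin not in OWNERSHIP.get(user, set()):
        AUDIT_LOG.append(f"deny user={user} not owner of vin={vin} cmd={command}")
        # Identical response whether or not the VIN exists: no enumeration oracle.
        return Response(403, {"error": "not authorised for this vehicle"})
    if command not in ALLOWED_COMMANDS:
        return Response(400, {"error": "unsupported command"})
    rec = VEHICLES[vin]
    body = {"command": command, "accepted": True}
    if command == "locate":
        body["location"] = (rec["lat"], rec["lon"])
    # Owner PII is never part of a command response; the caller already is the owner.
    return Response(200, body)


def unauthorised_attempts() -> int:
    """Number of denied requests: the signal a detection rule would threshold on."""
    return len(AUDIT_LOG)


if __name__ == "__main__":
    print(vulnerable_vehicle_command("1HGCM82633A004352", "unlock"))
    print(hardened_vehicle_command("1HGCM82633A004352", "unlock", None))
    print(hardened_vehicle_command("1HGCM82633A004352", "unlock", "tok-bob"))
    print(hardened_vehicle_command("1HGCM82633A004352", "locate", "tok-alice"))
    print("denied attempts:", unauthorised_attempts())
```

The design point is that the hardened handler's authorisation decision depends on the authenticated principal and an ownership table, so knowing a VIN from a windshield buys nothing; returning the same 403 for unknown and foreign VINs also removes the "does this VIN exist" oracle that the vulnerable 404 branch leaks.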
“For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car,” security researcher Sam Curry writes in a writeup of the identified weaknesses.
The researchers were able to carry out the same actions against Genesis and Hyundai vehicles using only the victim’s email address. In Porsche’s case, they could locate a car and send it commands. Curry first disclosed some of the vulnerabilities in November; those issues were found in a connected vehicle service offered by a Sirius XM subsidiary.
In addition to the Sirius XM Connected Vehicle Services vulnerabilities, the researchers discovered problems in Spireon vehicle tracking systems and Reviver digital license plates. Security flaws in Spireon’s systems let them take complete control of any fleet, including the ability to “track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles.” The researchers could also locate Reviver-equipped vehicles and modify their license plates.
Other flaws gave the researchers access to a variety of data inside the affected automakers’ environments, including customer accounts and personally identifiable data. At Acura, Infiniti, Kia, Honda, and Nissan, a VIN alone was enough to retrieve an owner’s name, address, phone number, and email address. At Mercedes-Benz, improperly configured SSO gave the researchers access to “hundreds of mission-critical internal applications,” including several GitHub instances, internal chat and servers (SonarQube, Jenkins, and build servers), internal cloud deployment services, and vehicle-related APIs.
The researchers report that they could also achieve remote code execution (RCE) on many of these systems and retrieve PII belonging to employees and customers. The flaws at Genesis and Hyundai could be used to access PII and remotely take over accounts given only a victim’s email address. SSO flaws affecting BMW and Rolls Royce gave the researchers access to dealership and remote worker applications; they could also reach internal dealer portals and query VINs to retrieve sales records for BMW vehicles.
At Ferrari, with minimal user interaction, the researchers were able to take over any customer account, read customer records, modify ‘back office’ administrator accounts (which gave them access to the Ferrari CMS), and tamper with REST connectors to view confidential data. Flaws in Ford’s production vehicle Telematics API disclosed PII, exposed access tokens for tracking vehicles and running commands on them, exposed configuration information for internal telematics services, and allowed access to customer accounts and their PII. A separate issue enabling customer account takeover was also found.
Weaknesses in Porsche’s vehicle telematics service let the researchers access customer data and communicate with the car. They had access to PII at Jaguar, Land Rover, and Toyota. They also gained access to a Spireon corporate administration panel, which allowed them to flash or update device firmware, issue arbitrary commands to about 15 million vehicles, and retrieve vehicle locations.
The researchers were also able to view and control data throughout the whole organization and to run code remotely on core Spireon systems, and they obtained administrative access to all Spireon products, including Trailer & Asset, GoldStar, FleetLocate, LoJack, and NSpire; 1.2 million user accounts were affected in total. At Reviver, the researchers discovered an issue that gave them administrator access to account and vehicle management, allowing them to access user PII, alter license plates, locate cars, and use the fleet management features of any business.