Hackers may have been able to perform malicious activity, such as unlocking, starting, and tracking cars, as well as exposing customers’ personal information, because nearly twenty car manufacturers and services contained API security vulnerabilities. These vulnerabilities could have been exploited by hackers.
Well-known manufacturers such as BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis were all affected by the security issues.
During the course of researchers work, they discovered the following security flaws in the organizations that are mentioned below:
Kia, Honda, Infiniti, Nissan, Acura
Using simply the vehicle identification number (VIN), you may fully remote lock and unlock cars, start and stop engines, pinpoint their location, flash headlights, and blow horns. You can also fully remote take over accounts and disclose personally identifiable information (name, phone number, email address, physical address)
The capacity to prevent users from remotely operating their vehicles, as well as to transfer ownership.
When it came to Kias in particular, we had the ability to remotely access the 360-degree camera and observe live photos coming from the vehicle.
Mercedes-Benz
Access to hundreds of mission-critical internal apps via an SSO configuration that was not set up correctly, including…
Multiple instances of Github hidden behind single sign-on Tool for company-wide internal communication with the ability to join almost any channel
SonarQube, Jenkins, etc. Construct web servers.
Services for internal cloud deployment that are used to manage instances of AWS
APIs relating to the internal workings of the vehicle
Execution of code remotely on a number of different platforms
Memory leaks can lead to the revealing of personally identifiable information about employees or customers and account access
Hyundai, Genesis
Using just the victim’s email address, fully remote access may be gained to lock and unlock automobiles, start and stop engines, pinpoint their location, flash headlights, and blow horns. Fully remote account takeover and PII disclosure can also be accomplished using the victim’s email address (name, phone number, email address, physical address)
The capacity to prevent users from remotely operating their vehicles, as well as to transfer ownership.
Rolls Royce and BMW
SSO vulnerabilities, which let us to access any employee application in the capacity of any employee, enabled us to…
Access to internal dealer portals where you are able to get sales documentation for BMW based on whatever VIN number you provide.
Gain access, on behalf of any employee, to any application that is locked by SSO. This includes apps that are used by remote employees and dealerships.
Ferrari
Takeover of any Ferrari customer account with minimal input required in order for IDOR to access any and all Ferrari client details
Absence of access control that would prevent an attacker from creating, modifying, or deleting employee “back office” administrator user accounts as well as all user accounts that might change Ferrari-owned web pages using the CMS system.
The capability to add HTTP routes on the Ferrari API (rest-connectors), as well as the ability to inspect all existing rest-connectors and the secrets associated with them (authorization headers)
Spireon
Multiple vulnerabilities, including:
Full administrator access to a company-wide administration panel, including the ability to send arbitrary orders to an estimated 15.5 million cars (such as unlock, start engine, deactivate starter, and so on), read any device location, and flash or update device firmware.
Execution of code remotely on essential systems used to manage user accounts, gadgets, and fleets of vehicles. Capability to access and manage all of Spireon’s data throughout the organization.
Ability to take complete control of any fleet (this would have enabled us to locate and disable starts for emergency vehicles, police cars, and ambulances in a number of different big cities, as well as send orders to such vehicles, such as “go to this area”)
Complete administrative access to all products manufactured by Spireon,
Overall, there were a total of…
15.5 million devices (mostly vehicles)
1,2 million different user profiles (end user accounts, fleet managers, etc.)
Ford
Complete exposure of the memory system on the production vehicle Telematics API reveals
Disclosing personally identifiable information about customers as well as access tokens for the purpose of monitoring and operating instructions on vehicles
The configuration credentials that are used for internal services linked to telematics are disclosed here.
Capability to login into a customer account, access all personally identifiable information, and take actions against automobiles.
By exploiting a flaw in the URL parsing, an attacker may take control of a customer account and have entire access to the victim account, including the car portal.
Reviver
Complete access to all of Reviver’s administrative functions, including the ability to manage user accounts and cars for all of Reviver’s linked vehicles. The following are examples of actions that an attacker may take:
Keep tabs on all of Reviver’s clients’ actual GPS locations and take care of their license plate management (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
Change the status of any car to “STOLEN,” which will cause the license plate to be updated and will notify the police.
Access all user data, including information on the people’s physical addresses, phone numbers, and email addresses, as well as the automobiles they possess.
Gain access to the capabilities of fleet management for any firm, and successfully find and manage all of a fleet’s cars.
By exploiting security flaws in the car telematics service, Porsche was able to transmit and get information about the position of vehicles, send instructions to those vehicles, and obtain information about customers.
Porsche
Through exploiting weaknesses in the car telematics service, it is possible to transmit and get location information for vehicles, send instructions to vehicles, and retrieve information about customers.
Toyota
IDOR on Toyota Financial that reveals the name, phone number, and email address of any Toyota Financial clients as well as their current loan status
Land Rover and the Jaguar brand
IDOR of the user account revealing the hash of the password, as well as the user’s name, phone number, physical address, and car details
SiriusXM
AWS keys that had been compromised provided complete organizational read/write access to S3, as well as the ability to download any files, including (what looked to be) user databases, source code, and configuration files for Sirius.
By restricting the amount of personally identifiable information that is saved in automobiles or mobile companion applications, vehicle owners may protect themselves from the sorts of vulnerabilities described above.
In-car telematics should also be set to the most private mode possible, and one should familiarize oneself with the company’s privacy rules in order to have an understanding of how the data is being utilized.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.