AI-generated image via Dall-E
Security researcher Sam Curry has discovered API vulnerabilities in over 20 car manufacturers’ code, including names like BMW, Mercedes and Ferrari, allowing hackers to remotely unlock, start and track cars and leaking owners’ personal information.
Curry and his team had previously discovered a security vulnerability affecting the vehicle telematics service used by Hyundai and Genesis cars, allowing complete takeover using the vehicles’ remote control app. The researchers disclosed the bug on Twitter after working with Hyundai to develop a fix.
This discovery impacts multiple brands, including Acura, BMW, Ferrari, Ford, Honda, Hyundai, Infiniti, Jaguar, KIA, Land Rover, Mercedes-Benz, Nissan, Porsche, Roll Royce, Toyota, and Genesis. Additionally, the vulnerabilities also affect vehicle technology brands Reviver and Spireon and the streaming service SiriusXM.
Following a 90-day disclosure period, Curry revealed the vulnerabilities. At the time of writing, the respective manufacturers have fixed all issues, and the bugs aren’t exploitable anymore.
The vulnerabilities impact different manufacturers differently and range from giving attackers remote access to start/stop cars and tracking them to giving access to SSO (Single Sign-on) systems, eventually making internal tools accessible.
For BMW, the researchers could access internal dealer portals, query VINs and access sales documents containing sensitive user information. Mercedes-Benz was a similar case where they could access internal company tools, including multiple private GitHub and AWS instances, internal chat channels on Mattermost, and XENTRY systems used to connect to customer cars, among other things.
Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, KIA, Mercedes-Benz, Nissan, Porsche, Roll Royce, and Toyota cars had API vulnerabilities that revealed owners’ personally identifiable information (PII). This data includes customer address, sale information and even the physical location of the cars.
Spireon’s GPS navigation systems, used by 15.5 million cars, also suffered from a vulnerability that exposed the cars’ historical location data. Additionally, this could’ve also provided the attackers access to the cars’ remote management systems allowing them to remotely unlock the car, start the engine or even disable the starter mechanisms.
Digital license plate maker Reviver was also at risk of remote, unauthorised access to its admin panel, giving attackers access to location data, user records and the ability to change license plate messaging, among other things. They could also mark a car stolen remotely, causing unnecessary problems for the owner and law enforcement.