
API vulnerabilities in over 20 car manufacturers leaked owners info


AI-generated image via Dall-E

Security researcher Sam Curry has discovered API vulnerabilities affecting over 20 car manufacturers, including BMW, Mercedes-Benz and Ferrari, that allowed attackers to remotely unlock, start and track cars and that leaked owners’ personal information. 

Curry and his team had previously discovered a security vulnerability affecting the vehicle telematics service used by Hyundai and Genesis cars, allowing complete takeover using the vehicles’ remote control app. The researchers disclosed the bug on Twitter after working with Hyundai to develop a fix. 

This discovery impacts multiple brands, including Acura, BMW, Ferrari, Ford, Honda, Hyundai, Infiniti, Jaguar, KIA, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, Toyota, and Genesis. Additionally, the vulnerabilities also affect vehicle technology brands Reviver and Spireon and the streaming service SiriusXM. 

Curry and his team were able to access a KIA car’s cameras remotely. | Source: Sam Curry

Following a 90-day disclosure period, Curry revealed the vulnerabilities. At the time of writing, the respective manufacturers have fixed all issues, and the bugs aren’t exploitable anymore. 

The impact varies by manufacturer: at one end, attackers could remotely start, stop and track vehicles; at the other, they could reach SSO (single sign-on) systems and, through them, internal tools. 

For BMW, the researchers could access internal dealer portals, query VINs and access sales documents containing sensitive user information. Mercedes-Benz was a similar case where they could access internal company tools, including multiple private GitHub and AWS instances, internal chat channels on Mattermost, and XENTRY systems used to connect to customer cars, among other things. 

The researchers could access superuser privileges on Ferrari’s app remotely. | Source: Sam Curry

Ferrari also had a poorly implemented SSO system that exposed backend API routes. This made it possible to extract useful information and credentials using JavaScript snippets. Attackers could have exploited these vulnerabilities to access, modify or delete customer accounts and even set themselves as the vehicle owner. 

Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, KIA, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota cars had API vulnerabilities that revealed owners’ personally identifiable information (PII). This data includes customer address, sale information and even the physical location of the cars. 
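The article does not describe the individual bugs, but the class it points at (an authenticated API that returns owner data for any vehicle identifier the caller supplies) is the classic broken object-level authorization problem. The following is an added illustration written for this article, not code from any manufacturer, Spireon or Sam Curry’s research; the endpoint shape, the in-memory session model, the VINs and the owner records are all constructed assumptions used to show the bug beside its fix.

```python
"""Added example: object-level authorization on a VIN-keyed owner-lookup API.

Illustrative code written for this article. Not code from any manufacturer's
API or from the published research. The endpoint shape, session model, VINs
and owner records are assumptions constructed to demonstrate the bug class.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str  # caller identity, already established by the auth layer


# Constructed sample data: which account each VIN is registered to, and the
# owner PII the (hypothetical) telematics backend stores for that VIN.
VEHICLE_OWNER = {
    "1HGCM82633A004352": "user-1001",
    "WBA3A5C5XDF123456": "user-2002",
}
OWNER_PII = {
    "1HGCM82633A004352": {"name": "A. Example", "address": "1 Test Lane", "lat": 51.50, "lon": -0.12},
    "WBA3A5C5XDF123456": {"name": "B. Sample", "address": "2 Demo Road", "lat": 48.14, "lon": 11.58},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def owner_lookup_vulnerable(session: Session, vin: str) -> dict:
    """Checks that the caller is logged in, but never checks that the VIN
    belongs to that caller: any account can enumerate VINs and pull other
    owners' address and live location."""
    if session is None:
        raise Forbidden("login required")
    if vin not in OWNER_PII:
        raise NotFound(vin)
    return OWNER_PII[vin]


def owner_lookup_fixed(session: Session, vin: str) -> dict:
    """Same endpoint with an object-level authorization check: the VIN must be
    registered to the calling account. A VIN that exists but belongs to someone
    else is answered exactly like an unknown VIN, so the endpoint cannot be used
    as an oracle to confirm which VINs are in the system."""
    if session is None:
        raise Forbidden("login required")
    if VEHICLE_OWNER.get(vin) != session.user_id:
        raise NotFound(vin)
    return OWNER_PII[vin]


def can_read_other_owner(lookup, attacker_id: str = "user-1001",
                         victim_vin: str = "WBA3A5C5XDF123456") -> bool:
    """Probe used to compare the two handlers: does `lookup` let a logged-in
    attacker read PII for a VIN that is not registered to their account?"""
    try:
        lookup(Session(attacker_id), victim_vin)
        return True
    except (Forbidden, NotFound):
        return False


def error_for(lookup, user_id: str, vin: str) -> str:
    """Return the exception class name a handler raises for (user, vin), or
    'ok' if it returns data. Used to confirm the fixed handler gives the same
    answer for foreign and unknown VINs."""
    try:
        lookup(Session(user_id), vin)
        return "ok"
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("vulnerable leaks foreign VIN:", can_read_other_owner(owner_lookup_vulnerable))
    print("fixed leaks foreign VIN:     ", can_read_other_owner(owner_lookup_fixed))
```

The point of the comparison is that authentication alone is not the control; the binding between the calling account and the specific object (the VIN) is. In a real service that binding comes from the registration database, and the check belongs in every handler that takes a vehicle identifier, including the unlock, start and location endpoints, not only the owner-profile one.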

Spireon’s GPS tracking (telematics) systems, used in 15.5 million vehicles, also suffered from a vulnerability that exposed the cars’ historical location data. It could also have given attackers access to the cars’ remote management systems, allowing them to remotely unlock a car, start the engine or even disable the starter mechanism.

Spireon’s admin dashboard giving access to cars’ historic location data. | Source: Sam Curry.

Digital license plate maker Reviver was also at risk of remote, unauthorised access to its admin panel, giving attackers access to location data, user records and the ability to change license plate messaging, among other things. They could also mark a car stolen remotely, causing unnecessary problems for the owner and law enforcement. 
