Global Car Brands Had Multiple Hackable Vulnerabilities In Cars And Applications

Vulnerabilities in Toyota, BMW, Ferrari, Ford and others led to account takeover, remote code execution, arbitrary command execution, and information theft.

January 6, 2023

More than one-and-a-half dozen major global car or related brands have vulnerabilities in APIs, telematics, and other components that could enable threat actors to control car functions, such as unlocking and starting engines and even fully taking over applications and vehicles.

According to findings by a group of seven researchers, including bug bounty hunter and Yuga Labs staff security engineer Sam Curry, products of as many as 16 major car manufacturers and three vehicle tech vendors had security gaps that could lead to account takeover, remote code execution (RCE), and the execution of commands leading to physical control of the vehicle.

Some vulnerabilities can also allow information theft by leading a hacker straight to the car user’s personally identifiable information (PII) stored on the car application.

Curry first disclosed security bugs in Hyundai, Genesis, Honda, Acura, Nissan, Infiniti, and SiriusXM in November 2022. The research grew out of the discovery of vulnerabilities in a fleet of electric scooters, through which the researchers could tinker with the scooters’ headlights.

Curry and six other researchers, including Assetnote founder Shubham Shah, Rivian senior red team vehicle security engineer Neiko Rivera, Yuga Labs staff security engineer Brett Buerhaus, Robinhood bug hunter Ian Carroll, Western Regional Collegiate Cyber Defense Competition security researcher Justin Rhinehart and bug hunter Maik Robert, shared detailed findings this week as part of responsible vulnerability disclosure practices.

The flaws, now fixed, existed in GPS provider Spireon, vehicle communications systems vendor SiriusXM and automotive platform-as-a-service provider Reviver, and in downstream customers including Rolls Royce, BMW, Ferrari, Mercedes-Benz, Jaguar, Porsche, Land Rover, Toyota, Honda, Nissan, Hyundai, Ford, KIA, Acura, Genesis, and Infiniti.

Disconcertingly, all Spireon products, used in 15.5 million vehicles and having 1.2 million accounts, were impacted. One of these vulnerabilities led to remote code execution on core systems used for managing user accounts, devices, and fleets.

Another bug, which Curry described to The Daily Swig as the “most alarming finding,” allowed full administrator access to a company-wide administration panel that could allow hackers to read any device location, flash/update device firmware, and send arbitrary commands to unlock the vehicle, start its engine, disable the starter (including those of police, ambulances, and law enforcement vehicles), etc.

Similarly, the vulnerability in Reviver could enable an attacker to gain full super administrative access to the management of all user accounts and Reviver-connected vehicles. With that access, an attacker could expose the GPS location, alter license plates, update vehicle status to ‘STOLEN,’ and access all user records and the fleet management functionality.

Likewise, the SiriusXM bug leaked AWS keys having full organizational read and write access to its S3 bucket, through which an attacker could retrieve all files, including user databases, source code, and config files for the product.

Additionally, Mercedes-Benz cars were vulnerable because of an improperly configured SSO key, which led the researchers to multiple GitHub instances, an internal chat tool used across the company, SonarQube, Jenkins, and other build servers, internal cloud deployment services, and more. Cars by the German automaker were also vulnerable to RCE, PII disclosure, and account access.

Mercedes-Benz Chat Tool Access Through Vulnerability | Source: Independent Research


A bug in Ferrari allowed zero-interaction account takeover of any customer account, access to customer records, and the ability to create, modify, and delete employee administrator user accounts, among other things.

BMW and Rolls Royce cars had core SSO vulnerabilities that could allow a hacker to access internal dealer portals (retrieve VIN number and sales documents), and access all applications secured with the SSO as an employee.

BMW Portal Access Through Vulnerability | Source: Independent Research

Toyota vehicles were vulnerable to an insecure direct object reference (IDOR) vulnerability allowing the exposure of the name, phone number, email address, and loan status of any Toyota financial customer. Jaguar and Land Rover also had an IDOR bug that could expose the password hash, name, phone number, physical address, and vehicle information.

Kia, Honda, Infiniti, Nissan, Acura, Hyundai and Genesis vehicles could be fully locked and unlocked remotely. Hackers could also start and stop engines, locate the car, flash headlights, and honk vehicles using only the VIN number.

These cars were also vulnerable to remote account takeover and to disclosure of PII, including name, phone number, email address, and physical address, via VIN number. Moreover, the bug in Kia transmitted the feed from a 360-view camera and live images. Ford and Porsche each had issues in telematics that could expose location, PII, and more.

“From what it seems, car companies really rushed to install these devices,” Curry told The Daily Swig. “Currently, these installations mostly have limited functionality so you can only do things like track, unlock, and start the vehicle, but with companies like Tesla and Rivian building more connected vehicles which can actually be controlled remotely, I’m worried that market pressure will force these companies to build half-baked solutions which are open to attack.”

For technical details on all vulnerabilities, refer to Curry’s blog post.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
