Online portal exposed car and personal data, allowed anyone to remotely unlock cars

A carmaker’s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access could remotely break into a car.

Researcher Eaton Zveare shared his discovery with TechCrunch. Although he said he has chosen not to disclose the vendor’s name, he revealed that it is a well-known automaker with several popular sub-brands and more than 1,000 dealerships across the United States.

Zveare says it wasn’t easy to find the flaw, but once he did, it allowed him to modify the code at the portal’s login page so he could bypass the login security checks. This permitted him to create a new national administrator account.

Not only did this give him access to all of these dealerships’ data, he also found a national consumer lookup tool that let any logged-in portal user look up the carmaker’s vehicle and driver data.

Real-life tests showed that taking a vehicle’s unique identification number (VIN) from the windshield of a car allowed anyone with access to the portal to look up the owner’s name. It was also possible to pair any vehicle with a mobile account, which could then be used to remotely control the car’s functions, such as unlocking it.

Since either a VIN or a person’s first and last name was enough to find an account and transfer its ownership to one under an attacker’s control, an attacker would, at the very least, be able to open the car and steal everything inside. The researcher did not test whether he could drive away in it.
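The two weaknesses described above, a login check that could be bypassed by editing client-side code and a lookup tool that any logged-in user could query for any vehicle, are both failures to enforce authentication and authorization on the server. The following Python is an added illustration written for this article; it is not code from the portal or the automaker. The users, roles, passwords and VINs are constructed placeholders. It contrasts a handler that trusts a flag the browser sends with one that derives identity and role only from a server-side session, and adds an object-level check so dealer staff can only look up vehicles belonging to their own dealership.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Constructed demo data: not the portal's real users, roles or schema. ---
def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str, dealer: Optional[str] = None) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role, "dealer": dealer}

USERS: Dict[str, dict] = {
    "alice": make_user("correct horse", "national_admin"),
    "bob": make_user("battery staple", "dealer_staff", dealer="D001"),
}
# Constructed VIN -> dealer mapping; the VIN strings are fake placeholders.
VEHICLES = {
    "VIN-DEMO-0001": {"dealer": "D001", "owner": "customer A"},
    "VIN-DEMO-0002": {"dealer": "D002", "owner": "customer B"},
}
# Session store lives only on the server; the browser holds an opaque token.
SESSIONS: Dict[str, str] = {}

def login(username: str, password: str) -> Optional[str]:
    """Verify credentials server-side and return a new session token, or None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def current_user(request: dict) -> Optional[dict]:
    """Resolve the caller from the session cookie; ignore anything else the client claims."""
    username = SESSIONS.get(request.get("cookies", {}).get("session", ""))
    return None if username is None else {"name": username, **USERS[username]}

def create_admin_insecure(request: dict) -> Tuple[int, str]:
    # Weak pattern: trusts a "login passed" flag and a role value that the browser
    # sends. Anything computed in client-side code can be edited before it is sent,
    # so this check can be satisfied without ever logging in.
    body = request.get("body", {})
    if body.get("login_ok") and body.get("role") == "national_admin":
        USERS[body["new_user"]] = make_user(body["new_password"], "national_admin")
        return 201, "created"
    return 403, "forbidden"

def create_admin_secure(request: dict) -> Tuple[int, str]:
    # Hardened pattern: identity and role come from the server-side session only.
    user = current_user(request)
    if user is None:
        return 401, "login required"
    if user["role"] != "national_admin":
        return 403, "forbidden"
    body = request["body"]
    USERS[body["new_user"]] = make_user(body["new_password"], "national_admin")
    return 201, "created"

def lookup_vehicle_secure(request: dict, vin: str) -> Tuple[int, object]:
    # Object-level authorization: being logged in is not enough; the caller must be
    # entitled to this particular vehicle record (national admin, or the owning dealer).
    user = current_user(request)
    if user is None:
        return 401, "login required"
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return 404, "unknown vehicle"
    if user["role"] == "national_admin":
        return 200, vehicle
    if user["role"] == "dealer_staff" and user["dealer"] == vehicle["dealer"]:
        return 200, vehicle
    return 403, "forbidden"  # deny, and in a real system log the attempt for review

if __name__ == "__main__":
    tampered = {"body": {"login_ok": True, "role": "national_admin",
                         "new_user": "mallory", "new_password": "x"}}
    print("insecure handler, tampered request:", create_admin_insecure(tampered))
    print("secure handler, tampered request:  ", create_admin_secure(tampered))
    bob = login("bob", "battery staple")
    bob_req = {"cookies": {"session": bob}}
    print("dealer staff, own dealer's VIN:    ", lookup_vehicle_secure(bob_req, "VIN-DEMO-0001"))
    print("dealer staff, other dealer's VIN:  ", lookup_vehicle_secure(bob_req, "VIN-DEMO-0002"))
```

The point of the contrast is that the insecure handler grants the highest privilege to a request carrying no session at all, because the only evidence it checks was produced by the client, while the hardened handlers fail closed (401 or 403) whenever the server-side session does not establish both who the caller is and what records they may see.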

Although he found no evidence of anyone else exploiting the flaw, the portals were a security nightmare waiting to happen. Administrator accounts, such as the one he was able to create, could access other dealer systems as if they were that dealer’s user, without needing that user’s login. He also found personally identifiable customer data, some financial information, and telematics systems that allowed real-time location tracking of rental or courtesy cars.

As we have said before, this is exactly the sort of thing the Federal Communications Commission (FCC) wants car manufacturers to make harder for stalkers, not easier.

Zveare will be presenting his findings at Defcon. He reported the bugs he found to the carmaker, and says it took them a week to fix them.

Tips to keep a stalker from tracking your car

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people who are afraid they are the target of a stalker:

  • Use the navigation app on your phone (such as Google Maps or Waze) rather than the one built into your car.
  • Do not store places you visit regularly in the car’s navigation.
  • Consider using a VPN when you connect to your car’s hotspot.
  • Find out which devices can access the car or its location data using any “remote access” apps for the car, and remove the devices that are not under your control.
  • Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
  • Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
  • If a suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
  • Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
  • If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.
