Hackers could have performed malicious activities through API security vulnerabilities affecting nearly twenty car manufacturers and vehicle services. Through these vulnerabilities, hackers could have been able to perform the following actions:
- Unlocking cars
- Starting cars
- Tracking cars
- Exposing customers’ personal information
All twenty affected car brands are well-known names. Streaming services and other vehicle technology brands were affected by the vulnerabilities as well, including:
- Spireon
- Reviver
- SiriusXM
A team of researchers led by Sam Curry discovered these API flaws after extensive research into the APIs. Earlier this year, Curry revealed how hackers used these bugs to unlock and start cars.
No exploits are available at this time, as all of the issues presented in this report have been fixed by the affected vendors. BMW and Mercedes-Benz were found to have the most severe API flaws.
Affected Car Brands and Respective Vulnerabilities
Several vulnerabilities were identified in the companies listed below; they are summarized here:
Kia, Honda, Infiniti, Nissan, Acura
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN
- Fully remote account takeover and PII disclosure via VIN (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
- For Kia specifically, we could remotely access the 360-view camera and view live images from the car
Mercedes-Benz
- Access to hundreds of mission-critical internal applications via improperly configured SSO.
- Access to multiple GitHub instances behind SSO.
- Access to the company-wide internal chat tool, with the ability to join nearly any channel.
- Access to SonarQube, Jenkins, and miscellaneous build servers.
- Access to internal cloud deployment services for managing AWS instances.
- Access to internal vehicle-related APIs.
- Remote Code Execution on multiple systems.
- Memory leaks leading to employee/customer PII disclosure, account access.
Hyundai, Genesis
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address.
- Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address).
- Ability to lock users out of remotely managing their vehicle, change ownership.
BMW, Rolls Royce
- Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee.
- Access to internal dealer portals where you can query any VIN to retrieve sales documents for BMW.
- Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships.
Ferrari
- Full zero-interaction account takeover for any Ferrari customer account.
- IDOR to access all Ferrari customer records.
- Lack of access control allowing an attacker to create, modify, and delete employee “back office” administrator user accounts, and all user accounts with capabilities to modify Ferrari-owned web pages through the CMS system.
- Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers).
Spireon
- Full administrator access to a company-wide administration panel with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware.
- Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon.
- Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”).
- Full administrative access to all Spireon products.
- Access to 15.5 million devices (mostly vehicles).
- Access to 1.2 million user accounts (end user accounts, fleet managers, etc.).
Ford
- Full memory disclosure on the production vehicle Telematics API.
- Discloses customer PII and access tokens for tracking and executing commands on vehicles.
- Discloses configuration credentials used for internal services related to Telematics.
- Ability to authenticate into a customer account, access all PII, and perform actions against vehicles.
- Customer account takeover via improper URL parsing, allowing an attacker to completely access the victim account, including the vehicle portal.
Reviver
- Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles.
- Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text).
- Update any vehicle status to “STOLEN” which updates the license plate and informs authorities.
- Access all user records, including what vehicles people owned, their physical address, phone number, and email address.
- Access the fleet management functionality for any company, locate and manage all vehicles in a fleet.
Porsche
- Ability to retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service.
Toyota
- IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota Financial customer.
Jaguar, Land Rover
- User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information.
SiriusXM
- Leaked AWS keys with full organizational read/write S3 access, ability to retrieve all files including (what appeared to be) user databases, source code, and config files for Sirius.
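Several of the findings above (the Ferrari, Toyota, and Jaguar/Land Rover IDORs, and the vehicle commands that needed only a VIN or a victim email address) share one root cause: the API served whatever record identifier the caller supplied without checking that the authenticated account owned it. The following is an added example, not code from the article or from any of the vendors named; the vehicle and customer records, the session model, and the handler functions are all hypothetical. It puts the vulnerable lookup beside the hardened one and includes a small cross-account audit of the kind a defender can run in CI to catch the regression.

```python
"""Object-level authorization for vehicle-command and customer-record endpoints.

Constructed example: every record, account and handler below is hypothetical
and illustrates the vulnerable pattern (objects keyed only by a VIN or customer
ID the caller supplies) beside the hardened one (every lookup is bound to the
authenticated account). Nothing here is any manufacturer's code.
"""
from dataclasses import dataclass
from typing import Callable


class Forbidden(Exception):
    """Raised when the caller's account is not entitled to the requested object."""


@dataclass(frozen=True)
class Vehicle:
    vin: str
    owner_id: str
    location: tuple


@dataclass(frozen=True)
class Customer:
    customer_id: str
    email: str
    phone: str


# Constructed sample data: two accounts, each owning one vehicle.
VEHICLES = {
    "VIN-EXAMPLE-0001": Vehicle("VIN-EXAMPLE-0001", "cust-1", (37.77, -122.42)),
    "VIN-EXAMPLE-0002": Vehicle("VIN-EXAMPLE-0002", "cust-2", (34.05, -118.24)),
}
CUSTOMERS = {
    "cust-1": Customer("cust-1", "one@example.invalid", "+1-555-0100"),
    "cust-2": Customer("cust-2", "two@example.invalid", "+1-555-0101"),
}
VEHICLE_OWNER = {vin: v.owner_id for vin, v in VEHICLES.items()}
CUSTOMER_OWNER = {cid: cid for cid in CUSTOMERS}   # a record belongs to its own account


def vulnerable_vehicle_command(session_user_id: str, vin: str, command: str) -> dict:
    """Vulnerable: the session is never consulted; whoever supplies a VIN controls the car."""
    vehicle = VEHICLES[vin]            # KeyError on an unknown VIN also confirms which VINs exist
    return {"vin": vehicle.vin, "command": command, "accepted": True}


def hardened_vehicle_command(session_user_id: str, vin: str, command: str) -> dict:
    """Hardened: the VIN must belong to the authenticated account."""
    vehicle = VEHICLES.get(vin)
    # One generic failure for both "no such VIN" and "not your VIN", so the
    # response does not reveal whether a guessed VIN is registered.
    if vehicle is None or vehicle.owner_id != session_user_id:
        raise Forbidden("vehicle not available to this account")
    return {"vin": vehicle.vin, "command": command, "accepted": True}


def vulnerable_customer_record(session_user_id: str, customer_id: str) -> Customer:
    """Vulnerable (IDOR): any customer_id in the request is served as-is."""
    return CUSTOMERS[customer_id]


def hardened_customer_record(session_user_id: str, customer_id: str) -> Customer:
    """Hardened: an account may read only the record tied to its own session."""
    if customer_id != session_user_id or customer_id not in CUSTOMERS:
        raise Forbidden("record not available to this account")
    return CUSTOMERS[customer_id]


def count_cross_account_successes(attempt: Callable[[str, str], object],
                                  owner_of: dict[str, str]) -> int:
    """Authorization regression check: call the endpoint as every account against
    every object that account does not own and count the calls that succeed.
    A correctly authorized endpoint returns 0."""
    leaks = 0
    for object_id, owner in owner_of.items():
        for session_user_id in CUSTOMERS:
            if session_user_id == owner:
                continue                     # legitimate access, not a leak
            try:
                attempt(session_user_id, object_id)
            except (Forbidden, KeyError):
                continue                     # request was refused, as it should be
            leaks += 1
    return leaks


def run_audit() -> dict:
    """Run the cross-account check against all four handlers."""
    return {
        "vulnerable_vehicle_command": count_cross_account_successes(
            lambda user, vin: vulnerable_vehicle_command(user, vin, "locate"), VEHICLE_OWNER),
        "hardened_vehicle_command": count_cross_account_successes(
            lambda user, vin: hardened_vehicle_command(user, vin, "locate"), VEHICLE_OWNER),
        "vulnerable_customer_record": count_cross_account_successes(
            vulnerable_customer_record, CUSTOMER_OWNER),
        "hardened_customer_record": count_cross_account_successes(
            hardened_customer_record, CUSTOMER_OWNER),
    }


if __name__ == "__main__":
    for endpoint, leaks in run_audit().items():
        print(f"{endpoint}: {leaks} cross-account success(es)")
```

With the constructed data, each vulnerable handler lets both accounts act on the object they do not own (two cross-account successes), while each hardened handler refuses every such call. The same matrix-style check scales to a real API by replacing the in-memory dictionaries with test fixtures for a handful of accounts and objects; the point is that authorization is asserted per object, not merely that the caller holds a valid session.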
Using GPS to Track the Location of a Vehicle
Furthermore, these vulnerabilities could also have let hackers track cars in real time, exposing millions of car owners to potential safety risks and allowing their privacy to be invaded without their knowledge.
A flaw in Porsche’s telematics system enabled attackers to retrieve the location of vehicles and send commands to them, making Porsche one of the brands touched by this issue.
There were also vulnerabilities in Spireon, a GPS-tracking software solution, that gave attackers full access to the company’s remote management panel, making them capable of:
- Unlocking cars
- Starting engines
- Disabling starters
Additionally, the digital license plate maker Reviver was also affected, which left its admin panel vulnerable to unauthenticated remote access.
Recommendation
Vehicle owners can minimize the risk of these vulnerabilities by making sure that their vehicles or mobile companion apps only have limited personal information about them.
It is also vital to read the privacy policies, to make sure the most private mode is selected on the in-car telematics system, and to understand how the data will be used.