
Security experts announced multiple vulnerabilities affecting millions of vehicles including Mercedes-Benz and BMW


Security researchers have recently disclosed multiple vulnerabilities affecting millions of cars across almost all major car brands. An attacker could exploit flaws in a vehicle's telematics system, in the manufacturer's vehicle APIs and in the supporting back-end infrastructure to do everything from remotely controlling individual functions to completely taking over a car.

Mercedes-Benz, BMW, Rolls-Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, and Land Rover have been affected, as well as fleet management company Spireon and digital license plate company Reviver.

Sam Curry of Yuga Labs found vulnerabilities in several Hyundai and Genesis models during his research into car hacking, and found that a vulnerability in Sirius XM's Connected Vehicle Services affected Honda, Nissan, Infiniti and Acura vehicles.

“The affected companies all fixed the issues within a day or two of reporting them. We worked with all of these companies to validate them and make sure there were no bypasses for these vulnerabilities,” Curry said.

Building on Curry's initial research, the researchers went on to discover a wide range of further vulnerabilities. From a public safety standpoint, the most serious findings were at Spireon, which owns several GPS vehicle tracking and fleet management brands, including OnStar, GoldStar, LoJack, FleetLocate and NSpire, covering 15 million connected vehicles.

Curry and his team discovered multiple SQL injection and authorization bypass vulnerabilities in Spireon's systems, which together allowed remote code execution on Spireon's infrastructure and complete takeover of any fleet vehicle.

“This will allow us to track and deactivate the starters of police, ambulance and law enforcement vehicles in a number of different large cities and issue commands to these vehicles,” the researchers wrote.

“The vulnerabilities also gave them full administrator access to Spireon Corporation and a company-wide admin panel from which an attacker could send arbitrary commands to all 15 million vehicles to remotely unlock the doors, honk, start the engine and disable the starter,” the researchers wrote.

Additionally, the researchers discovered an over-permissive access control vulnerability affecting Ferrari that allowed them to read the JavaScript source of several internal applications. That code contained API keys and credentials that could have let an attacker access customer records and take over (or delete) customer accounts.

The researchers say an attacker could POST to the “/core/api/v1/Users/:id/Roles” endpoint to edit their own user roles, granting themselves superuser privileges or registering themselves as a Ferrari owner.
