Luxury cars and emergency services vehicles vulnerable to remote takeover according to new report
According to a new report, several automakers, including Ferrari, Rolls-Royce, Mercedes-Benz, Porsche, and BMW, are using software systems with vulnerabilities that could allow attackers to remotely take control of vehicles, steal customer data, or take complete control of user accounts.
The vulnerabilities flagged include poorly managed APIs and improperly configured single sign-on (SSO).
The researchers also found a critical flaw in code used by Spireon, a telematics company that provides GPS services to more than 15 million vehicles. The Spireon devices are very common in emergency services vehicles.
Sam Curry, who led the research, and his team used an SQL injection attack to gain access to the Spireon systems, allowing them to track the live locations of vehicles and execute code that unlocks a car and starts its engine.
Further lateral attacks into the system allowed the researchers to compromise an admin dashboard with access to the system’s 1.2 million user accounts, as well as vehicle identification numbers (VINs) and fleet location data.
A vulnerability in a Mercedes-Benz system allowed the researchers to register a vehicle with an associated repair website, and they could then use the registered account to access Mercedes-Benz's GitHub.
All this gave the researchers an avenue for remote code execution and access to Mercedes-Benz communications channels as well as Amazon Web Services (AWS) control panels.
These findings are the conclusion of an investigation, lasting several months, by a team of web application security researchers led by Curry.
Curry notes that many of the manufacturers had implemented SSO as a security measure, but the team was able to bypass it by leveraging flaws in the underlying APIs.
Speaking on the issue, Yaniv Balmas, VP of research at Salt Security, notes that APIs are increasingly used for the functionality benefits they bring, but that this has come at the cost of privacy and security.
“Like many other industries, the automotive industry has incorporated heavy usage of APIs across many of its public services,” Balmas said. “Rapid API adoption allows car manufacturers to publish more functionality to be used by car owners, dealerships, and others and is meant to provide a better user experience. However, human nature and history teach us that, unfortunately, usability will always be prioritised over security and privacy - and the results are very well shown by the report. We congratulate Sam Curry for publishing this wonderful research and highlighting the global API security issue.”
Other major car brands that were found to have vulnerabilities in their systems include Ford, Kia, Hyundai, Honda, Nissan, Infiniti, Acura, Genesis, Jaguar, and even Toyota.
All the affected brands have been notified, and the vulnerabilities have since been patched.