These API vulnerabilities exposed vehicles to information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping engines.
Millions of vehicles belonging to 16 different manufacturers were exposed to API vulnerabilities that could be abused to unlock, start, and track cars, while also compromising the privacy of the vehicle owners.
These vulnerabilities were found by security researcher Sam Curry, who conducted in-depth research into the security loopholes of the automotive industry along with researchers Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah.
In a detailed report, Curry laid out vulnerabilities found in the automotive APIs powering several automotive giants including the following:
- Kia
- BMW
- Ford
- Honda
- Acura
- Jaguar
- Nissan
- Porsche
- Toyota
- Ferrari
- Spireon
- Reviver
- Genesis
- Hyundai
- Infiniti
- SiriusXM
- Land Rover
- Rolls Royce
- Mercedes-Benz
According to the researchers, information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping car engines were all real possibilities for hackers before the respective manufacturers fixed the vulnerabilities following responsible disclosure.
Spireon’s telematics solution had the most serious issues, which could have been exploited to gain full administrator access to the company’s platform, enabling a threat actor to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.
“Using our access, we could access all user accounts, devices (vehicles), and fleets,” Curry said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”
Another vulnerability reported in the researchers’ findings showed that a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce could allow attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information.
A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves superuser permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.
A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools.
Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.
“There were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry wrote in a blog post.
The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functions for managing vehicles, purchase contracts, and telematic devices.
This only goes to show that, in their hurry to install these devices, these car companies completely overlooked the task of securing their online ecosystem.