
Multiple bugs affecting millions of vehicles from 16 different manufacturers could be exploited to unlock, start and track vehicles, and could also impact vehicle owners' privacy.
The security vulnerabilities were discovered in the automotive APIs and software of Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce and Toyota, as well as in the products of Reviver, SiriusXM and Spireon.
The vulnerabilities range from those that allow access to internal systems and user information to those that allow attackers to remotely send commands and execute code.
The study builds on earlier findings from late last year by Yuga Labs researcher Sam Curry and colleagues detailing security flaws in the connected car services offered by SiriusXM.
The most serious problem concerns Spireon's telematics solution, which could have been exploited to gain full administrative access, allowing an adversary to issue arbitrary commands to approximately 15.5 million vehicles or to modify device firmware.
“This would have allowed us to track and intercept the starters of police, ambulance and law enforcement vehicles in various large cities and send commands to those vehicles,” the researchers said.
A vulnerability identified in Mercedes-Benz systems could allow access to internal applications via an improperly configured single sign-on (SSO) authentication scheme, while others could lead to user account takeover and disclosure of confidential information.
Other flaws allow access to or modification of customer records and internal dealer portals, tracking a vehicle's GPS location in real time, managing license plate data for all Reviver customers, and even marking a vehicle's status as "stolen".
All security vulnerabilities have since been remediated by their respective manufacturers following responsible disclosure, but the findings highlight the need for a defense-in-depth strategy to contain threats and mitigate risks.
"If an attacker were able to discover vulnerabilities in the API endpoints used by vehicle telematics systems, they could honk the horn, flash the lights, remotely track the vehicle, lock/unlock it and completely remotely start/stop it," the researchers said.
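The defect class behind the API findings described above is an endpoint that authenticates the caller but never checks that the vehicle named in the request belongs to that caller. The following is an added illustration, not code from the researchers or from any manufacturer: a minimal in-memory model of a telematics command endpoint with the defective handler beside a hardened one that enforces ownership and a command allow-list, plus a small audit-log check a defender can use to find cross-account executions after the fact. All account names, vehicle IDs and commands are constructed sample data.

```python
"""
Added illustration (not code from the research or any manufacturer):
a minimal in-memory model of a vehicle telematics command endpoint showing
the authorization defect class described in the article (a request is
honoured for any vehicle ID the caller names) beside a hardened handler that
enforces ownership and an explicit command allow-list. All vehicle IDs,
users and commands below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: which account owns which vehicle (IDs are made up).
OWNERSHIP = {
    "alice": {"VIN-SAMPLE-0001"},
    "bob": {"VIN-SAMPLE-0002"},
}

# Commands the backend is willing to forward to a vehicle at all.
ALLOWED_COMMANDS = {"lock", "unlock", "locate", "start", "stop"}


@dataclass
class Request:
    user: str      # identity established by the auth layer (assumed already verified)
    vin: str       # target vehicle named by the client
    command: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, outcome, req):
        self.entries.append((outcome, req.user, req.vin, req.command))


def vulnerable_handler(req, log):
    """Defective pattern: the caller is authenticated, but nothing checks that the
    VIN is theirs, so any logged-in account can command any known vehicle."""
    log.record("executed", req)
    return {"status": "ok", "vin": req.vin, "command": req.command}


def hardened_handler(req, log):
    """Object-level authorization: the VIN must belong to the authenticated user
    and the command must be on the allow-list; anything else is refused and logged."""
    if req.command not in ALLOWED_COMMANDS:
        log.record("rejected-unknown-command", req)
        return {"status": "error", "reason": "unknown command"}
    if req.vin not in OWNERSHIP.get(req.user, set()):
        log.record("rejected-not-owner", req)
        return {"status": "error", "reason": "not authorized for this vehicle"}
    log.record("executed", req)
    return {"status": "ok", "vin": req.vin, "command": req.command}


def count_unauthorized_executions(log):
    """Detection helper: count executed commands where the caller did not own the
    vehicle. Running this over an audit log is one way to spot the defect."""
    return sum(
        1
        for outcome, user, vin, _ in log.entries
        if outcome == "executed" and vin not in OWNERSHIP.get(user, set())
    )


def demo():
    """Run one cross-account request and one legitimate request through both handlers."""
    cross_account = Request(user="bob", vin="VIN-SAMPLE-0001", command="unlock")
    own_car = Request(user="alice", vin="VIN-SAMPLE-0001", command="locate")
    vlog, hlog = AuditLog(), AuditLog()
    v1 = vulnerable_handler(cross_account, vlog)
    h1 = hardened_handler(cross_account, hlog)
    h2 = hardened_handler(own_car, hlog)
    return {
        "vulnerable_cross": v1["status"],          # "ok": the defect
        "hardened_cross": h1["status"],            # "error": refused
        "hardened_own": h2["status"],              # "ok": owner still served
        "unauthorized_in_vulnerable_log": count_unauthorized_executions(vlog),
        "unauthorized_in_hardened_log": count_unauthorized_executions(hlog),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the single line that separates the two handlers; the allow-list and the audit entries are there so that unexpected commands and cross-account attempts leave a trace that monitoring can alert on, which is the defense-in-depth point the article makes.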