A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.
Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.
According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.
Using only the VIN (vehicle identification number), which is typically visible through the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash the headlights, honk the horn, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.
They could also lock users out of remote vehicle management and could change car ownership.
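The flaw class behind the VIN-only findings above is missing object-level authorization: the command endpoint resolves a vehicle from the VIN without ever binding the request to an account that owns that vehicle. The following is an added example, not code from the article or from the researchers' writeup, that models a hypothetical telematics command handler in its weak form beside a hardened form and adds a simple detection helper; every VIN, account, session token and command name in it is constructed for illustration.

```python
"""Added example (hypothetical telematics command endpoint).

weak_dispatch     - resolves the vehicle from the VIN alone; no caller identity.
hardened_dispatch - requires a session and checks the account is enrolled
                    for that VIN before a command is accepted.
flag_probing      - detection helper: flags callers with repeated denials,
                    which is what VIN guessing or enumeration looks like in logs.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from collections import Counter

ALLOWED_COMMANDS = {"lock", "unlock", "engine_start", "engine_stop",
                    "locate", "honk", "flash_lights"}


@dataclass
class Vehicle:
    vin: str
    owners: set = field(default_factory=set)   # account ids enrolled for this VIN


class AuthorizationError(Exception):
    pass


# Constructed fleet and session store (token -> account id).
VEHICLES = {
    "1HGCM82633A004352": Vehicle("1HGCM82633A004352", {"acct-alice"}),
    "KNDJ23AU4N7654321": Vehicle("KNDJ23AU4N7654321", {"acct-bob"}),
}
SESSIONS = {"tok-alice": "acct-alice", "tok-bob": "acct-bob"}


def weak_dispatch(vin, command, audit):
    """Vulnerable form: anyone who knows a valid VIN can issue any command."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None or command not in ALLOWED_COMMANDS:
        return False
    audit.append(("anonymous", vin, command, "sent"))
    return True


def hardened_dispatch(token, vin, command, audit):
    """Hardened form: authenticate, then authorize the account against the VIN."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    account = SESSIONS.get(token)
    if account is None:
        audit.append(("anonymous", vin, command, "denied:unauthenticated"))
        raise AuthorizationError("authentication required")
    vehicle = VEHICLES.get(vin)
    # Object-level check. An unknown VIN and a VIN owned by someone else get
    # the same response so the endpoint does not confirm which VINs exist.
    if vehicle is None or account not in vehicle.owners:
        audit.append((account, vin, command, "denied:not-owner"))
        raise AuthorizationError("not authorized for this vehicle")
    audit.append((account, vin, command, "sent"))
    return True


def flag_probing(audit, threshold=3):
    """Return caller ids whose denied attempts reach the threshold."""
    denials = Counter(caller for caller, _vin, _cmd, result in audit
                      if result.startswith("denied"))
    return sorted(c for c, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    log = []
    print("weak:", weak_dispatch("1HGCM82633A004352", "engine_start", log))
    try:
        hardened_dispatch("tok-bob", "1HGCM82633A004352", "engine_start", log)
    except AuthorizationError as e:
        print("hardened:", e)
    print("owner:", hardened_dispatch("tok-alice", "1HGCM82633A004352", "lock", log))
```

The weak handler succeeds for any caller holding a valid VIN, which is the behaviour the article attributes to several brands; the hardened handler fails closed unless the session's account is enrolled for that VIN, and the audit trail it leaves is what a denial-rate alert would be built on.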
“For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car,” security researcher Sam Curry explains in a writeup of the identified vulnerabilities.
For Genesis and Hyundai vehicles, the researchers were able to perform the same actions using the victim’s email address. In the case of Porsche, they could retrieve a car’s location and send commands to the vehicle.
Curry initially disclosed several of the identified vulnerabilities in November. Some of those flaws were found in a connected vehicle service provided by a subsidiary of satellite radio company Sirius XM.
In addition to vulnerabilities related to Sirius XM Connected Vehicle Services, the researchers found issues in Spireon vehicle tracking solutions and Reviver digital license plates.
Security issues in Spireon’s vehicle tracking systems allowed the researchers to fully take over any fleet, including the ability to “track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles”.
The researchers were also able to retrieve the location of Reviver vehicles and change their license plates.
Other vulnerabilities allowed the researchers to access various types of information within the impacted car maker’s environment, including customer accounts and personally identifiable information.
For Acura, Honda, Kia, Infiniti, and Nissan, the VIN alone gave them access to owners’ names, addresses, phone numbers, and email addresses.
At Mercedes-Benz, improperly configured SSO provided the researchers with access to ‘hundreds of mission-critical internal applications’, including multiple GitHub instances, internal chat, internal servers (SonarQube, Jenkins, and build servers), internal cloud deployment services, and vehicle-related APIs.
The researchers say they could also achieve remote code execution (RCE) on multiple systems and could retrieve PII belonging to customers and employees.
The bugs found at Genesis and Hyundai could be exploited to take over accounts remotely and to access PII via a victim’s email address.
SSO vulnerabilities affecting BMW and Rolls Royce provided the researchers with access to employee applications, enabling them to reach internal dealer portals, query VINs to retrieve sales documents for BMW cars, and access applications used by remote workers and dealerships.
At Ferrari, the researchers could take over any customer account with zero interaction, gain access to customer records, manipulate ‘back office’ administrator user accounts (which provided access to the Ferrari CMS system), and tamper with REST connectors to view sensitive information.
Flaws identified in Ford’s production vehicle telematics API resulted in PII disclosure, the exposure of access tokens for tracking and executing commands on vehicles, the disclosure of configuration credentials for internal telematics-related services, and the ability to authenticate into customer accounts and retrieve PII. A separate bug leading to customer account takeover was also identified.
Vulnerabilities in Porsche’s vehicle telematics service allowed the researchers to retrieve customer information and send commands to the vehicle.
At Jaguar, Land Rover, and Toyota, the researchers were able to access PII.
The researchers also obtained access to a company-wide administration panel at Spireon, allowing them to send arbitrary commands to roughly 15 million vehicles, retrieve car location, and flash/update device firmware.
They also gained the ability to remotely execute code on core Spireon systems, with access to and management of data across the entire company, and obtained administrative access to all Spireon products, including GoldStar, LoJack, FleetLocate, NSpire, and Trailer & Asset. A total of 1.2 million user accounts were impacted.
At Reviver, the researchers found an issue providing them with administrative access to account and vehicle management, enabling them to retrieve car location, change license plates, access user PII, and access fleet management functionality for any company.
Curry told SecurityWeek that all the vulnerabilities have been patched. The vendors responded to notifications within 1-2 days and were keen to fix the discovered issues.
*updated with information on patches