Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers — by exploiting vulnerabilities in the vehicles’ telematic systems, automotive APIs and supporting infrastructure, according to security researchers.
Specifically, the vulnerabilities affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover, plus fleet management company Spireon and digital license plate company Reviver.
The research builds on Yuga Labs’ Sam Curry’s earlier car hacking expeditions that uncovered flaws affecting Hyundai and Genesis vehicles, as well as Hondas, Nissans, Infinitis and Acuras via an authorization flaw in Sirius XM’s Connected Vehicle Services.
All of the bugs have since been fixed.
“The affected companies all fixed the issues within one or two days of reporting,” Curry told The Register. “We worked with all of them to validate them and make sure there weren’t any bypasses.”
The most serious bugs, at least from a public safety perspective, were found in Spireon, which owns several GPS vehicle tracking and fleet management brands including OnStar, GoldStar, LoJack, FleetLocate, and NSpire spanning 15 million connected vehicles.
Spireon, it turns out, would have been a treasure trove for miscreants. Curry and the team discovered multiple vulnerabilities, including SQL injection and an authorization bypass, that could be chained to achieve remote code execution across all of Spireon’s infrastructure and fully take over any fleet vehicle.
“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” the researchers wrote.
The bugs also gave them full administrator access to Spireon and a company-wide administration panel from which an attacker could send arbitrary commands to all 15 million vehicles, thus remotely unlocking doors, honking horns, starting engines and disabling starters.
“Our cybersecurity professionals met with the security researcher to discuss and evaluate the purported system vulnerabilities and immediately implemented remedial measures to the extent required,” a Spireon spokesperson told The Register. “We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions.”
“Spireon takes all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks,” the spokesperson added.
Ferrari, BMW and Rolls Royce
Moving on to many a petrol-head’s dream car: Ferrari.
“Additionally, an attacker could POST to the ‘/core/api/v1/Users/:id/Roles’ endpoint to edit their user roles, setting themselves to have super-user permissions or become a Ferrari owner,” the researchers said.
The lack of access controls also could have allowed miscreants to create and delete employee “back office” admin user accounts, and then modify Ferrari-owned websites including its CMS system.
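The Ferrari finding is a textbook broken-access-control bug: the role endpoint checked that a caller was logged in, not whether they were allowed to change the target user’s roles. As an added illustration (not Ferrari’s code nor the researchers’), the vulnerable pattern is shown beside a hardened handler; the route, role names, user store and helper names are all assumed.

```python
# Added illustration of a role-update handler for a hypothetical
# "/core/api/v1/Users/:id/Roles" route: the broken-access-control pattern
# described in the article, then a hardened version. Not Ferrari's code.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)


# Roles an administrator is allowed to assign (constructed for the example).
ASSIGNABLE_ROLES = {"customer", "owner", "back-office", "super-user"}


def make_users() -> dict:
    """Constructed in-memory user store standing in for the backend database."""
    return {
        "u-100": User("u-100", {"customer"}),
        "u-200": User("u-200", {"customer"}),
        "admin-1": User("admin-1", {"super-user"}),
    }


def set_roles_vulnerable(users: dict, session_user: str, target: str, roles: set) -> set:
    """Authentication only: any logged-in user can rewrite any user's roles,
    including their own, so a customer can make themselves a super-user."""
    if session_user not in users:
        raise PermissionError("not authenticated")
    users[target].roles = set(roles)
    return users[target].roles


def set_roles_hardened(users: dict, session_user: str, target: str, roles: set) -> set:
    """Server-side authorization: the caller must hold super-user, may not edit
    their own roles, the target must exist, and only known roles are accepted."""
    caller = users.get(session_user)
    if caller is None:
        raise PermissionError("not authenticated")
    if "super-user" not in caller.roles:
        raise PermissionError("only super-users may change roles")
    if session_user == target:
        raise PermissionError("self-modification of roles is not allowed")
    if target not in users:
        raise KeyError("no such user")
    if not set(roles) <= ASSIGNABLE_ROLES:
        raise ValueError("unknown role requested")
    users[target].roles = set(roles)
    return users[target].roles
```

The check that matters is the one on the caller’s existing privileges, evaluated on the server; the client-supplied `:id` and role list are never trusted on their own.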
Meanwhile, a misconfigured single sign-on (SSO) portal for all employees and contractors of BMW, which owns Rolls-Royce, would have allowed access to any application behind the portal.
So, for example, an attacker could access an internal dealer portal, query a VIN and then retrieve all of the sales documents associated with the vehicle.
Neither Ferrari nor BMW responded to The Register’s requests for comment.
What not to say to a bug hunter
Similarly, a misconfigured SSO for Mercedes-Benz allowed the researchers to create a user account on a website intended for vehicle repair shops to request specific tools. They then used this account to sign in to the Mercedes-Benz GitHub, which held internal documentation and source code for various Mercedes-Benz projects, including its Me Connect app used by customers to remotely connect to their vehicles.
The researchers reported this vulnerability to the automaker, and noted that Mercedes-Benz “seemed to misunderstand the impact” and wanted further details about why this was a problem.
So the team used their newly created account credentials to log in to several applications containing sensitive data. Then they “achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees.”
One of these was the carmaker’s version of Slack. “We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure,” the researchers explained.
A Mercedes-Benz spokesperson confirmed that Curry contacted the company about the vulnerability and that it had been fixed.
“The security of our organization, products and services is one of our top priorities,” the spokesperson said, adding that “the identified vulnerability did not affect the security of our vehicles.”
Curry and friends also discovered vulnerabilities affecting Porsche’s telematics service that allowed them to remotely retrieve vehicle location and send vehicle commands.
Plus, they found an access-control vulnerability in the Toyota Financial app that disclosed the name, phone number, email address, and loan status of any customer. Toyota Motor Credit told The Register that it fixed the issue, and noted “this had no connection to Toyota vehicles or how they operate.”
Additionally, a Porsche spokesperson told The Register “the safety and protection of the car software in our vehicles is always a top priority for Porsche.”
“We permanently monitor our systems,” the spokesperson said. “We take any indications of vulnerabilities very seriously. Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties.” ®