Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers — by exploiting vulnerabilities in the vehicles’ telematic systems, automotive APIs and supporting infrastructure, according to security researchers.
Specifically, the vulnerabilities affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover, plus fleet management company Spireon and digital license plate company Reviver.
The research builds on Yuga Labs’ Sam Curry’s earlier car hacking expeditions that uncovered flaws affecting Hyundai and Genesis vehicles, as well as Hondas, Nissans, Infinitis and Acuras via an authorization flaw in Sirius XM’s Connected Vehicle Services.
All of the bugs have since been fixed.
“The affected companies all fixed the issues within one or two days of reporting,” Curry told The Register. ” We worked with all of them to validate them and make sure there weren’t any bypasses.”
[…]
Curry and the team discovered multiple vulnerabilities in SQL injection and authorization bypass to perform remote code execution across all of Spireon and fully take over any fleet vehicle.
“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” the researchers wrote.
The bugs also gave them full administrator access to Spireon and a company-wide administration panel from which an attacker could send arbitrary commands to all 15 million vehicles, thus remotely unlocking doors, honking horns, starting engines […]
[…]
With Ferrari, the researchers found overly permissive access controls that allowed them to access JavaScript code for several internal applications. The code contained API keys and credentials that could have allowed attackers to access customer records and take over (or delete) customer accounts.
[…]
a misconfigured single-sign on (SSO) portal for all employees and contractors of BMW, which owns Rolls-Royce, would have allowed access to any application behind the portal.
[…]
misconfigured SSO for Mercedes-Benz allowed the researchers to create a user account on a website intended for vehicle repair shops to request specific tools. They then used this account to sign in to the Mercedes-Benz Github, which held internal documentation and source code for various Mercedes-Benz projects including its Me Connect app used by customers to remotely connect to their vehicles.
The researchers reported this vulnerability to the automaker, and they noted that Mercedes-Benz “seemed to misunderstand the impact” and wanted further details about why this was a problem.
So the team used their newly created account credentials to login to several applications containing sensitive data. Then they “achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees.”
One of these was the carmaker’s version of Slack. “We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure,” the researchers explained.
A Mercedes-Benz spokesperson confirmed that Curry contacted the company about the vulnerability and that it had been fixed.
[…]
vulnerabilities affecting Porsche’s telematics service that allowed them to remotely retrieve vehicle location and send vehicle commands.
Plus, they found an access-control vulnerability on the Toyota Financial app that disclosed the name, phone number, email address, and loan status of any customers. Toyota Motor Credit told The Register that it fixed the issue
[…]
