Modern cars contain more and more different electronics and rely on it more and more. And that can be a problem. According to security researcher Sam Curry, numerous vulnerabilities in the electronic systems of new cars could already allow attackers to remotely track and partially even control such cars. Worse, we are talking about vehicles of various emergency services.

The weak link in this case is the Spireon Systems website. It is this company that controls GPU data and other telematics for more than 15 million devices, most of which are cars, including police cars and rescue vehicles in the United States.

The problem is that the Spireon Systems website is outdated and lacks modern security methods. Vulnerabilities can allow attackers not only to track cars, but also unlock them, start engines, send navigation commands, and so on.

In addition, security researchers were able to access the corporate systems of BMW, Mercedes Benz and Rolls Royce. In this case, we are talking about other vulnerabilities, they do not allow you to gain control over the machine, but you can get access to confidential data. Security holes in Ferrari’s websites also allow access to administrative privileges and the removal of all customer information.

Another feature is digital license plates. It turned out that Californians are vulnerable to hackers due to security problems with the Reviver company, which just dealt with such signs in this state.

Kerry also shared data on which manufacturers have which security problems at the moment.

Kia, Honda, Infiniti, Nissan, Acura:

• Fully remote lock, unlock, start engine, stop engine, pinpoint location, flash headlights and signal vehicles using VIN number only.
• Completely remote account capture and PII disclosure via VIN number (name, phone number, email address, physical address)
• Ability to block users from remote control of their vehicle, change ownership
• For Kia, you can access the 360-degree camera remotely.

Mercedes Benz:

• Access to hundreds of mission-critical internal applications via misconfigured SSO, including, multiple Github instances behind SSO, company-wide internal chat, the ability to join virtually any channel, internal cloud deployment services for managing AWS instances, internal vehicle-related APIs
• Remote code execution on multiple systems
• Memory leaks leading to the disclosure of personal data of employees/customers, account access

Hyundai Genesis:

• Completely remote lock, unlock, start engine, stop engine, pinpoint location, flash headlights and alarm vehicles using just the victim’s email address.
• Completely remote account takeover and PII disclosure via victim’s email address (name, phone number, email address, physical address)
• Ability to block users from remote control of their vehicle, change ownership

BMW, Rolls Royce:

• The core company-wide SSO vulnerabilities that allowed us to access any employee app as any employee allowed us to access internal dealer portals where you can request any VIN to get BMW sales documents. It is also possible to access any application blocked by single sign-on on behalf of any employee, including applications used by remote workers and dealerships.

Ferrari:

• Full account takeover with zero interaction for any Ferrari customer account
• IDOR to access all Ferrari customer records
• Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator accounts and all user accounts with the ability to modify Ferrari-owned web pages through the CMS system.
• Ability to add HTTP routes to api.ferrari.com (rest-connectors) and view all existing rest-connectors and their associated secrets (authorization headers)

Ford:

• Full disclosure of stock vehicle memory Telematics API exposes client PII and access tokens for tracking and executing commands on vehicles
• Reveals configuration credentials used for internal services related to Telematics.
• Ability to authenticate with a customer account and access all personal information and perform actions on vehicles.
• Hijacking a customer’s account by misparsing the URL allows the attacker to gain full access to the victim’s account, including the car’s portal.

Toyota:

• IDOR at Toyota Financial, which discloses the name, phone number, email address, and credit status of any Toyota financial customers.

And it’s not all companies.

Curry’s team informed all companies about the problems in advance, and some of them have already solved them.