16 Major Car Brands Vulnerable to CyberAttacks

Millions of automobiles from 16 different manufacturers could be exploited. The vulnerabilities allow hackers to monitor, start, and unlock cars and invade car owners’ privacy via security flaws in APIs.

The issues were discovered in software from Reviver, SiriusXM, and Spireon, as well as in the automotive APIs that power Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota.

The defects cover a broad range, from those that offer access to user information and internal business systems to those that would enable an attacker to transmit orders to execute malware remotely.

The study expands on prior discoveries from the latter part of last year when Sam Curry and colleagues from Yuga Labs discovered security weaknesses in a linked vehicle service offered by SiriusXM that may expose automobiles to remote attacks.

The most significant flaws include Spireon’s telematics system, which could have been used to get complete administrative access, allowing an attacker to upgrade device firmware and give arbitrary orders to around 15.5 million cars.

The researchers added that by doing this, they would have been able to locate and turn off the starters of police, ambulance, and law enforcement vehicles for many big cities and send directives to those vehicles.

Some of the vulnerabilities found in Mercedes-Benz might allow user account takeover and the exposure of sensitive data, while others could provide access to internal apps through a poorly configured single sign-on (SSO) authentication method.

Other vulnerabilities enable unauthorized access to or modification of customer information, internal dealer portals, real-time GPS tracking of vehicles, management of licence plate information for all Reviver clients, and even updating the “stolen” status of cars.

The results emphasize the necessity for a defence-in-depth approach to limit threats and minimize risk, even if the various manufacturers have now corrected all security flaws due to responsible disclosure.

The defects cover a broad range, from those that offer access to user information and internal business systems to those that would enable an attacker to transmit orders to execute malware remotely.

The study expands on prior discoveries from the latter part of last year when Sam Curry and colleagues from Yuga Labs discovered security weaknesses in a linked vehicle service offered by SiriusXM that may expose automobiles to remote attacks.

The most significant flaws include Spireon’s telematics system, which could have been used to get complete administrative access, allowing an attacker to upgrade device firmware and give arbitrary orders to around 15.5 million cars.

The researchers added that by doing this, they would have been able to locate and turn off the starters of police, ambulance, and law enforcement vehicles for many big cities and send directives to those vehicles.

Some of the vulnerabilities found in Mercedes-Benz might allow user account takeover and the exposure of sensitive data, while others could provide access to internal apps through a poorly configured single sign-on (SSO) authentication method.

Other vulnerabilities enable unauthorized access to or modification of customer information, internal dealer portals, real-time GPS tracking of vehicles, management of licence plate information for all Reviver clients, and even updating the “stolen” status of cars.

The results emphasize the necessity for a defence-in-depth approach to limit threats and minimize risk, even if the various manufacturers have now corrected all security flaws due to responsible disclosure.