
Millions of vehicles from 16 different manufacturers were exposed. The vulnerabilities allowed attackers to track, start, and unlock cars and to invade owners’ privacy through security flaws in the manufacturers’ and vendors’ APIs.

The issues were discovered in software from Reviver, SiriusXM, and Spireon, as well as in the automotive APIs that power Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota.

Car Brands Vulnerable to CyberAttacks

The defects span a broad range, from flaws that expose user information and internal business systems to flaws that would let an attacker send commands to a vehicle and execute code on it remotely.

The research builds on findings from late last year, when Sam Curry and colleagues at Yuga Labs discovered security weaknesses in a connected-vehicle service offered by SiriusXM that could expose automobiles to remote attacks.

The most serious flaw was in Spireon’s telematics system, which could have been used to gain full administrative access, allowing an attacker to update device firmware and send arbitrary commands to around 15.5 million vehicles.

The researchers added that, with this level of access, they would have been able to locate and disable the starters of police, ambulance, and other law enforcement vehicles in many large cities and send commands to those vehicles.

Some of the vulnerabilities found in Mercedes-Benz might allow user account takeover and the exposure of sensitive data, while others could provide access to internal apps through a poorly configured single sign-on (SSO) authentication method.

Other vulnerabilities enable unauthorized access to or modification of customer information, internal dealer portals, real-time GPS tracking of vehicles, management of licence plate information for all Reviver clients, and even updating the “stolen” status of cars.

The findings underline the need for a defence-in-depth approach to limit threats and reduce risk, even though the manufacturers have since fixed all of the reported flaws following responsible disclosure.

