Research: Luxury cars and emergency services vehicles vulnerable to remote takeover
A "global API issue" has been highlighted through months-long research into brands such as Ferrari and Mercedes-Benz, leaving owners open to hacking, account takeovers, and more
A number of automotive manufacturers use systems containing vulnerabilities that could allow threat actors to hack cars, steal customer data, or complete full account takeovers, research has revealed.
Brands including Ferrari, BMW, Rolls Royce, Mercedes-Benz, Porsche, and Ford were found critically vulnerable to endpoint attacks, with flaws such as poorly-managed APIs and improper SSO configuration enabling lateral attacks and remote access to vehicles.
Researchers also found major flaws in the code used by telematics firm Spireon, which provides GPS services for more than 15 million vehicles.
Using an SQL injection attack, security researcher Sam Curry and his team gained remote access to all Spireon devices, which are commonly used by emergency services vehicles, allowing them to view live locations and remotely execute code to, for example, unlock vehicles and start their engines.
Further endpoint investigation and manipulation revealed an admin dashboard with access to the system’s 1.2 million user accounts, as well as vehicle identification numbers (VINs) and fleet location data.
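The Spireon finding above turned on user input being spliced into a database query. The following added example (not Spireon's code or schema; the device table is constructed for illustration) shows a string-built lookup beside a parameterised one with an input allowlist, so the difference can be tested directly:

```python
import re
import sqlite3

# Constructed sample rows standing in for a telematics device table (not a real schema).
DEVICES = [
    ("DEV-1001", "VIN-SAMPLE-0001", "fleet-ambulance"),
    ("DEV-1002", "VIN-SAMPLE-0002", "fleet-fire"),
    ("DEV-1003", "VIN-SAMPLE-0003", "fleet-police"),
]


def make_db():
    """Build a throwaway in-memory database populated with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device (id TEXT, vin TEXT, fleet TEXT)")
    db.executemany("INSERT INTO device VALUES (?, ?, ?)", DEVICES)
    return db


def lookup_vulnerable(db, device_id):
    """Concatenates the caller's input into the SQL text, so the input can change the query's logic."""
    sql = "SELECT id, vin, fleet FROM device WHERE id = '" + device_id + "'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, device_id):
    """Binds the input as a parameter (data, never grammar) and rejects ids outside the expected format."""
    if not re.fullmatch(r"DEV-\d{4}", device_id):
        return []
    return db.execute(
        "SELECT id, vin, fleet FROM device WHERE id = ?", (device_id,)
    ).fetchall()


def compare(device_id):
    """Return (row count from the vulnerable lookup, row count from the hardened lookup) for one input."""
    db = make_db()
    return len(lookup_vulnerable(db, device_id)), len(lookup_hardened(db, device_id))
```

A legitimate id returns one row from both lookups; an input that closes the quote and appends an always-true condition returns every row from the vulnerable version and none from the hardened one.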
Vulnerabilities in Mercedes-Benz cars allowed for public registration on an associated vehicle repair website, and this account gave the researchers access to the Mercedes-Benz GitHub.
Attackers could use this as a launch pad for remote code execution, as well as access to internal Mercedes-Benz communications channels and Amazon Web Services (AWS) control panels.
The findings were the result of months of investigation by web application security researcher Sam Curry and others, as detailed in a full report on his website.
Many attacks could be performed without any interaction with users at all. By searching for domains under “ferrari.com”, the team discovered a number of subdomains such as ‘api.ferrari.com’, ‘cms-dealer.ferrari.com’, ‘cms-new.ferrari.com’ and ‘cms-dealer.test.ferrari.com’.
Although manufacturers had implemented single sign-on (SSO) measures for these subdomains, Curry and his team found these were flawed. By extracting the Ferrari SSO JavaScript code, they could identify the specific API routes that each used. Queries to Ferrari’s production API allowed for information to be returned on any of the company’s customers.
Through this method, attackers could access, modify, create, or remove user accounts, as well as alter their account’s role to give themselves heightened positions or list themselves as a Ferrari owner.
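The Ferrari findings describe two distinct API weaknesses: an authenticated caller could read any customer's record, and could write privileged fields such as their own role. The added example below (not Ferrari's code; the customer store, session shape and field names are constructed for illustration) contrasts a handler with no object-level check against one that enforces ownership and blocks mass assignment of the role field:

```python
# Constructed sample store standing in for a customer API backend (not any manufacturer's data).
CUSTOMERS = {
    "c-100": {"email": "alice@example.invalid", "role": "owner"},
    "c-200": {"email": "bob@example.invalid", "role": "prospect"},
}
MUTABLE_FIELDS = {"email"}  # the only fields a customer may change about themselves


class Forbidden(Exception):
    """Raised when the session is not permitted to perform the requested operation."""


def get_customer_vulnerable(session, customer_id):
    """Authenticated but unauthorised: any valid session can read any customer record."""
    return CUSTOMERS.get(customer_id)


def _authorise(session, customer_id):
    """Object-level authorisation: only the record's owner or an admin may touch it."""
    if session["user_id"] != customer_id and session["role"] != "admin":
        raise Forbidden(f"{session['user_id']} may not access {customer_id}")


def get_customer(session, customer_id):
    """Hardened read: same lookup, preceded by the ownership check."""
    _authorise(session, customer_id)
    return CUSTOMERS.get(customer_id)


def update_customer(session, customer_id, payload):
    """Hardened write: ownership check plus a mass-assignment guard on privileged fields."""
    _authorise(session, customer_id)
    if customer_id not in CUSTOMERS:
        return None
    privileged = set(payload) - MUTABLE_FIELDS
    if privileged and session["role"] != "admin":
        raise Forbidden(f"fields {sorted(privileged)} are not user-writable")
    CUSTOMERS[customer_id].update(payload)
    return CUSTOMERS[customer_id]


def is_denied(fn, *args):
    """True when the call is refused by the authorisation checks (used to exercise the handlers)."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```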
“Like many other industries, the automotive industry has incorporated heavy usage of APIs across many of its public services,” said Yaniv Balmas, VP of research at Salt Security.
“We also encountered similar issues with some of these car manufacturers and others. We can confirm these are not isolated cases and do not cover the entire attack surface and existing vulnerabilities. They do, however, show the depth and magnitude of the API adaptation issues.
“Rapid API adoption allows car manufacturers to publish more functionality to be used by car owners, dealerships, and others and is meant to provide a better user experience.
“However, human nature and history teach us that, unfortunately, usability will always be prioritised over security and privacy - and the results are very well shown by the report. We congratulate Sam Curry for publishing this wonderful research and highlighting the global API security issue.”
Household brands such as Kia and Ford were also found lacking in security. Kia’s systems allowed for remote access to vehicles including car cameras through token manipulation, while an endpoint attack on Ford’s APIs granted control over customer accounts and vehicle telematics.
Curry’s full report follows his November 2022 Twitter thread, which detailed the vulnerabilities that enabled remote hacking of Hyundai and Genesis cars through API exploitation.
The researchers have informed all the affected companies of the vulnerabilities, which have since been fixed.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.