Research: Luxury cars and emergency services vehicles vulnerable to remote takeover
A "global API issue" has been highlighted through months-long research into brands such as Ferrari and Mercedes-Benz, leaving owners open to hacking, account takeovers, and more
A number of automotive manufacturers use systems containing vulnerabilities that could allow threat actors to hack cars, steal customer data, or complete full account takeovers, research has revealed.
Brands including Ferrari, BMW, Rolls Royce, Mercedes-Benz, Porsche, and Ford were found critically vulnerable to endpoint attacks, with flaws such as poorly-managed APIs and improper SSO configuration enabling lateral attacks and remote access to vehicles.
Researchers also found major flaws in the code used by telematics firm Spireon, which provides GPS services for more than 15 million vehicles.
Using an SQL injection attack, Sam Curry and his team gained remote access to all Spireon devices, which are commonly used by emergency services vehicles. This allowed the researchers to view live vehicle locations and remotely execute code, for example to unlock a vehicle and start its engine.
Further endpoint investigation and manipulation revealed an admin dashboard with access to the system’s 1.2 million user accounts, as well as vehicle identification numbers (VINs) and fleet location data.
Vulnerabilities in Mercedes-Benz cars allowed for public registration on an associated vehicle repair website, and this account gave the researchers access to the Mercedes-Benz GitHub.
Attackers could use this as a launch pad for remote code execution, as well as access to internal Mercedes-Benz communications channels and Amazon Web Services (AWS) control panels.
The findings were the result of months of investigation by web application security researcher Sam Curry and others, as detailed in a full report on his website.
Many attacks could be performed without any interaction with users at all. By searching for domains under “ferrari.com”, the team discovered a number of subdomains such as “api.ferrari.com”, “cms-dealer.ferrari.com”, “cms-new.ferrari.com” and “cms-dealer.test.ferrari.com”.
Through this method, attackers could access, modify, create, or remove user accounts, as well as alter their account’s role to give themselves heightened positions or list themselves as a Ferrari owner.
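As an added illustration of the role-change weakness described above (example code written for this article, not taken from Curry's report or any manufacturer's systems; the account store, field names and roles are hypothetical), here is the mass-assignment pattern beside a hardened handler that keeps role changes server-controlled and logs rejected attempts:

```python
import logging

ROLES = ("user", "owner", "admin")         # hypothetical role ladder
SELF_EDITABLE = {"display_name", "email"}  # fields a caller may change on their own account

def make_accounts():
    """Constructed sample data, not real user records."""
    return {
        "u1": {"display_name": "Alice", "email": "alice@example.com", "role": "user"},
        "u2": {"display_name": "Bob", "email": "bob@example.com", "role": "admin"},
    }

def update_account_vulnerable(accounts, caller_id, target_id, body):
    """Weak pattern: every submitted field is copied onto the record, including role."""
    accounts[target_id].update(body)       # no allowlist, no ownership check
    return accounts[target_id]

def update_account_hardened(accounts, caller_id, target_id, body):
    """Corrected pattern: field allowlist, caller must own the record or be an admin,
    and role is never accepted from a self-service update."""
    caller = accounts[caller_id]
    is_admin = caller["role"] == "admin"
    if caller_id != target_id and not is_admin:
        raise PermissionError("callers may only edit their own account")
    unexpected = set(body) - SELF_EDITABLE
    if "role" in unexpected and is_admin and caller_id != target_id:
        unexpected.discard("role")         # an admin may set another account's role
        if body["role"] not in ROLES:
            raise ValueError("unknown role")
    if unexpected:
        # Log rather than silently drop: a role field in a self-service request is a signal
        logging.warning("rejected fields %s from %s on %s", sorted(unexpected), caller_id, target_id)
        raise PermissionError(f"fields not permitted: {sorted(unexpected)}")
    accounts[target_id].update(body)
    return accounts[target_id]

def demo():
    """Replays the article's scenario: a plain user submits role=admin for themselves."""
    request = {"display_name": "Alice", "role": "admin"}
    weak = update_account_vulnerable(make_accounts(), "u1", "u1", dict(request))["role"]
    accounts = make_accounts()
    try:
        update_account_hardened(accounts, "u1", "u1", dict(request))
    except PermissionError:
        pass
    return {"vulnerable": weak, "hardened": accounts["u1"]["role"]}

if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'admin', 'hardened': 'user'}
```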
“Like many other industries, the automotive industry has incorporated heavy usage of APIs across many of its public services,” said Yaniv Balmas, VP of research at Salt Security.
“We also encountered similar issues with some of these car manufacturers and others. We can confirm these are not isolated cases and do not cover the entire attack surface and existing vulnerabilities. They do, however, show the depth and magnitude of the API adaptation issues.
“Rapid API adoption allows car manufacturers to publish more functionality to be used by car owners, dealerships, and others and is meant to provide a better user experience.
“However, human nature and history teach us that, unfortunately, usability will always be prioritised over security and privacy - and the results are very well shown by the report. We congratulate Sam Curry for publishing this wonderful research and highlighting the global API security issue.”
Household brands such as Kia and Ford were also found lacking in security. Kia’s systems allowed for remote access to vehicles including car cameras through token manipulation, while an endpoint attack on Ford’s APIs granted control over customer accounts and vehicle telematics.
Curry’s full report follows his November 2022 Twitter thread, which detailed the vulnerabilities that enabled remote hacking of Hyundai and Genesis cars through API exploitation.
The researchers have informed all the affected companies of the vulnerabilities, which have since been fixed.