
Research: Luxury cars and emergency services vehicles vulnerable to remote takeover

A "global API issue" has been highlighted through months-long research into brands such as Ferrari and Mercedes-Benz, leaving owners open to hacking, account takeovers, and more

A number of automotive manufacturers use systems containing vulnerabilities that could allow threat actors to hack cars, steal customer data, or complete full account takeovers, research has revealed.

Brands including Ferrari, BMW, Rolls-Royce, Mercedes-Benz, Porsche, and Ford were found critically vulnerable to endpoint attacks, with flaws such as poorly managed APIs and improper SSO configuration enabling lateral attacks and remote access to vehicles.

Researchers also found major flaws in the code used by telematics firm Spireon, which provides GPS services for more than 15 million vehicles.

Using an SQL injection attack, researcher Sam Curry and his team gained remote access to all Spireon devices, which are commonly used by emergency services vehicles. This allowed them, for example, to view live vehicle locations and remotely execute code that unlocks vehicles and starts their engines.

Further endpoint investigation and manipulation revealed an admin dashboard with access to the system’s 1.2 million user accounts, as well as vehicle identification numbers (VINs) and fleet location data.

Vulnerabilities in Mercedes-Benz systems allowed anyone to register publicly on an associated vehicle repair website, and that account gave the researchers access to Mercedes-Benz's GitHub.

Attackers could use this as a launch pad for remote code execution, as well as access to internal Mercedes-Benz communications channels and Amazon Web Services (AWS) control panels.

The findings were the result of months of investigation by web application security researcher Sam Curry and others, as detailed in a full report on his website.


Many attacks could be performed without any interaction with users at all. By searching for domains under “ferrari.com”, the team discovered a number of subdomains such as ‘api.ferrari.com’, ‘cms-dealer.ferrari.com’, ‘cms-new.ferrari.com’ and ‘cms-dealer.test.ferrari.com’.

Although manufacturers had implemented single sign-on (SSO) measures for these subdomains, Curry and his team found these were flawed. By extracting the Ferrari SSO JavaScript code, they could identify the specific API routes that each used. Queries to Ferrari’s production API allowed for information to be returned on any of the company’s customers.

Through this method, attackers could access, modify, create, or remove user accounts, as well as alter their own account's role to give themselves elevated privileges or list themselves as a Ferrari owner.
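The account-level flaw described above, an API that only checks that the caller is logged in and then applies whatever account id and fields the request supplies, is shown below beside a hardened handler. This is an added illustration, not code from the report or from any manufacturer; the account store, field names and session representation are constructed, and the same ownership check applies equally to read endpoints.

```python
# Added example (not from the report or the manufacturers' code): a minimal
# account-update API in the weak form described in the article, next to a
# hardened form. Names, data and the session format are constructed.
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    email: str
    role: str  # "customer", "dealer" or "admin" (constructed role set)


def make_store():
    """Constructed in-memory user table standing in for the backend database."""
    return {
        1: Account(1, "alice@example.com", "customer"),
        2: Account(2, "bob@example.com", "customer"),
    }


class Forbidden(Exception):
    pass


def vulnerable_update(store, session_user_id, target_user_id, changes):
    """Weak pattern: the session only proves the caller is logged in. The
    target account id and every field in the body, role included, are trusted,
    so any customer can edit any account and promote themselves."""
    acct = store[target_user_id]
    for key, value in changes.items():
        setattr(acct, key, value)
    return acct


# Fields a customer may change on their own account; role is never one of them.
SELF_SERVICE_FIELDS = {"email"}


def hardened_update(store, session_user_id, target_user_id, changes):
    """Hardened pattern: object-level authorization (caller must own the target
    or be an admin) plus an allow-list of writable fields. Identity and role
    come from the server-side session record, never from the request body."""
    caller = store[session_user_id]
    if caller.role != "admin" and caller.user_id != target_user_id:
        raise Forbidden("caller does not own the target account")
    disallowed = set(changes) - SELF_SERVICE_FIELDS
    if disallowed and caller.role != "admin":
        raise Forbidden(f"fields not writable by this caller: {sorted(disallowed)}")
    acct = store[target_user_id]
    for key, value in changes.items():
        setattr(acct, key, value)
    return acct


def refused(fn, *args):
    """Helper for demonstrations: True if the handler rejects the request."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```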

“Like many other industries, the automotive industry has incorporated heavy usage of APIs across many of its public services,” said Yaniv Balmas, VP of research at Salt Security.

“We also encountered similar issues with some of these car manufacturers and others. We can confirm these are not isolated cases and do not cover the entire attack surface and existing vulnerabilities. They do, however, show the depth and magnitude of the API adaptation issues.

“Rapid API adoption allows car manufacturers to publish more functionality to be used by car owners, dealerships, and others and is meant to provide a better user experience.

“However, human nature and history teach us that, unfortunately, usability will always be prioritised over security and privacy - and the results are very well shown by the report. We congratulate Sam Curry for publishing this wonderful research and highlighting the global API security issue.”

Household brands such as Kia and Ford were also found lacking in security. Kia’s systems allowed for remote access to vehicles including car cameras through token manipulation, while an endpoint attack on Ford’s APIs granted control over customer accounts and vehicle telematics.

Curry’s full report follows his November 2022 Twitter thread, which detailed the vulnerabilities that enabled remote hacking of Hyundai and Genesis cars through API exploitation.

The researchers have informed all the affected companies of the vulnerabilities, which have since been fixed.
