Jump to content
  • Toyota, Mercedes, BMW API flaws exposed owners’ personal info

    alf9872000

    • 390 views
    • 4 minutes
     Share


    • 390 views
    • 4 minutes

    Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.

     

    The security flaws impacted well-known brands, including BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.

     

    The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.

     

    The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infinity, and SiriusXM security issues in November 2022.

     

    While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed blog post about the API vulnerabilities.

     

    The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.

    Accessing internal portals

    The most severe API flaws were found in BMW and Mercedes-Benz, which were affected by company-wide SSO (single-sign-on) vulnerabilities that enabled attackers to access internal systems.

     

    For Mercedes-Benz, the analysts could access multiple private GitHub instances, internal chat channels on Mattermost, servers, Jenkins and AWS instances, XENTRY systems that connect to customer cars, and more.

     

    mercedes-azure.jpg

    Internal Mercedes-Benz portal 
    Source: Sam Curry

     

    For BMW, the researchers could access internal dealer portals, query VINs for any car, and retrieve sales documents containing sensitive owner details.

     

    Additionally, they could leverage the SSO flaws to log in as any employee or dealer and access applications reserved for internal use.

     

    bmw-vin.jpg

    Accessing vehicle details on the BMW portal
    Source: Sam Curry

    Exposing owner details

    Exploiting other API flaws allowed the researchers to access PII (personally identifiable information) for owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Roll Royce, Ferrari, Ford, Porsche, and Toyota cars.

     

    In the cases of ultra-expensive cars, disclosing owner information is particularly dangerous as, in some cases, the data includes sales information, physical location, and customer addresses.

     

    Ferrari suffered from poorly implemented SSO on its CMS, exposing backend API routes and making it possible to extract credentials from JavaScript snippets.

     

    An attacker could exploit these flaws to access, modify, or delete any Ferrari customer account, manage their vehicle profile, or set themselves as car owners.

     

    ferrari-data.jpg

    Disclosing Ferrari user data details
    Source: Sam Curry

     

    Tracking vehicle GPS

     

    These vulnerabilities could have also allowed hackers to track cars in real time, introducing potential physical risks and impacting the privacy of millions of car owners.

     

    Porsche was one of the impacted brands, with flaws in its telematic systems enabling attackers to retrieve vehicle locations and send commands.

     

    GPS tracking solution Spireon was also vulnerable to car location disclosure, impacting 15.5 million vehicles using its services and even letting full administration access to its remote management panel, enabling attackers to unlock cars, start the engine, or disable the starter.

     

    spireon-panel.jpg

    Historic GPS data on the Spireon admin panel
    Source: Sam Curry

     

    The third impacted entity is Reviver, a digital license plate maker that was vulnerable to unauthenticated, remote access to its admin panel that could have given anyone access to GPS data and user records, the ability to change license plate messaging, and more.

     

    Curry illustrates how these flaws allowed them to mark a vehicle as "STOLEN" on the Reviver panel, which would automatically inform the police about the incident, putting the owner/driver at unnecessary risk.

     

    plates.jpg

    Modifying Reviver plates remotely
    Source: Sam Curry

    Minimizing exposure

    Car owners can protect themselves from these types of vulnerabilities by limiting the amount of personal information stored in vehicles or mobile companion apps. 

     

    It is also essential to set in-car telematics to the most private mode available and read privacy policies to understand how data is being used.

     

    Sam Curry also shared the following advice with BleepingComputer that owners should follow when purchasing a car.

     

    "When purchasing a used car, make sure that the prior owner's account has been removed. Use strong passwords and set up 2FA (two-factor authentication) if possible for apps and services which link to your vehicle," warned Curry in a statement to BleepingComputer.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...