INFO: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Hi Guys,
When we connect cars to the internet, we ask for trouble, especially when the car manufacturers do not bother with security, as remote hackers can now target these cars.
In the past few months, I have reported on how easy it can be to hack into a car. You can read one of our posts here showing how a teenager hacked into a Tesla and another one here showing how some models of Honda cars can be remotely hacked.
In an explosive report, web application security researcher Sam Curry and his band of merry hackers have shown how easy it is to hack into many of the world’s top car brands, including Ferrari, BMW, Rolls-Royce, Porsche, and many more.
You can read the full post here, which is well worth reading if you’re thinking of buying one of these cars, but in a nutshell, here is the summary of the findings showing the vulnerabilities across all car brands. It is terrifying that some of these vulnerabilities allowed cars to be remotely started and even moved by remote hackers.
Kia, Honda, Infiniti, Nissan, Acura
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
- Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
- For Kias specifically, we could remotely access the 360-view camera and view live images from the car
Mercedes-Benz
- Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
  - Multiple Github instances behind SSO
  - Company-wide internal chat tool, ability to join nearly any channel
  - SonarQube, Jenkins, misc. build servers
  - Internal cloud deployment services for managing AWS instances
  - Internal Vehicle related APIs
- Remote Code Execution on multiple systems
- Memory leaks leading to employee/customer PII disclosure, account access
Hyundai, Genesis
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
- Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
BMW, Rolls Royce
- Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee, allowed us to…
  - Access internal dealer portals where you can query any VIN number to retrieve sales documents for BMW
  - Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships
Ferrari
- Full zero-interaction account takeover for any Ferrari customer account
- IDOR to access all Ferrari customer records
- Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
- Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
Ford
- Full memory disclosure on the production vehicle Telematics API, which:
  - Discloses customer PII and access tokens for tracking and executing commands on vehicles
  - Discloses configuration credentials used for internal services related to Telematics
- Ability to authenticate into customer account and access all PII and perform actions against vehicles
- Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
Reviver
- Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
  - Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
  - Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
  - Access all user records, including what vehicles people owned, their physical address, phone number, and email address
  - Access the fleet management functionality for any company, locate and manage all vehicles in a fleet
Porsche
- Ability to retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
Toyota
- IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota financial customers
Jaguar, Land Rover
- User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information
Spireon
- Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
- Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
- Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
- Full administrative access to all Spireon products
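Several of the findings above (Ferrari, Toyota Financial, Jaguar/Land Rover) are IDORs: the portal authenticates the caller and then hands back whatever customer record the request names, with no check that the caller owns it. The following is an added illustration from this newsletter, not code from Sam Curry's report or from any manufacturer. It uses hypothetical handler functions over a constructed in-memory customer table: a vulnerable lookup, a hardened one that enforces object-level authorization, and a small audit routine that flags the mismatch pattern in constructed request log lines so defenders can see what the bug looks like from the server side.

```python
# Added example of the IDOR pattern named in the findings above.
# Hypothetical vehicle-portal handlers over an in-memory table; not code from
# the report or from any manufacturer.

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: int
    name: str
    email: str
    vin: str


# Constructed sample data standing in for a customer table.
CUSTOMERS = {
    1001: CustomerRecord(1001, "Alice Example", "alice@example.test", "VIN-A-0001"),
    1002: CustomerRecord(1002, "Bob Example", "bob@example.test", "VIN-B-0002"),
}


class Forbidden(Exception):
    """Raised when the session does not own the requested record."""


def lookup_vulnerable(session_customer_id: int, requested_id: int) -> Optional[CustomerRecord]:
    """IDOR: the id taken from the request is trusted outright. Authentication
    established who the caller is, but nothing ties requested_id to that identity,
    so any logged-in customer can read any other customer's record."""
    return CUSTOMERS.get(requested_id)


def lookup_hardened(session_customer_id: int, requested_id: int) -> Optional[CustomerRecord]:
    """Object-level authorization: the id from the request must match the
    identity the session established. A mismatch is rejected before any data
    is touched, so a wrong id yields 403-style failure rather than a record."""
    if requested_id != session_customer_id:
        raise Forbidden(f"customer {session_customer_id} may not read record {requested_id}")
    return CUSTOMERS.get(requested_id)


def lookup_by_session(session_customer_id: int) -> Optional[CustomerRecord]:
    """Stronger still: derive the key from the session and accept no id at all,
    which removes the parameter an attacker would tamper with."""
    return CUSTOMERS.get(session_customer_id)


def audit_access_log(lines: List[str]) -> List[str]:
    """Detection helper: return the log lines where a session read a customer
    record it does not own. Constructed log format (one request per line):
    '<session_customer_id> GET /customers/<requested_id>'."""
    flagged = []
    for line in lines:
        session_id, _method, path = line.split(" ", 2)
        requested_id = int(path.rsplit("/", 1)[1])
        if int(session_id) != requested_id:
            flagged.append(line)
    return flagged


# Constructed request log: the second line is the cross-customer read.
SAMPLE_LOG = [
    "1001 GET /customers/1001",
    "1001 GET /customers/1002",
    "1002 GET /customers/1002",
]

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(1001, 1002))
    try:
        lookup_hardened(1001, 1002)
    except Forbidden as exc:
        print("hardened:", exc)
    print("by session:", lookup_by_session(1001))
    print("flagged:", audit_access_log(SAMPLE_LOG))
```

The log audit only catches the simplest shape of the bug (the authenticated identity and the requested object id are both visible on one line). Real portals usually need the ownership check expressed as a database predicate (`WHERE customer_id = :session_id`) rather than a post-hoc comparison, and shared objects such as fleet vehicles need an explicit allow-list lookup in place of the equality test.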
If you own or plan to buy one of these cars, you should talk to the dealer or the manufacturer about these problems.
Sending you all the best, wherever you are 🙂
Slainte,
Max Roberts
Incognito Privacy Care Team