Security researcher Sam Curry and his team have discovered numerous security flaws at various car manufacturers. These problems made it possible to start the car, switch on the lights and open the trunk, among other things. The manufacturers have yet to comment on the findings.
Sam Curry and his team describe the results of their research in a detailed and technical blog post.
It started with electric scooters.
It all started in the fall of 2022 when Curry and some of his friends travelled from Chicago to Washington to attend a cybersecurity conference. During the trip, they visited the University of Maryland. They saw dozens of electric scooters spread across the campus and decided to study the manufacturer’s application there. To their great surprise, they managed to sound the horn and switch on the lights of the scooters.
At that point, the ethical hackers had a hunch. “We brainstormed for a while and then realized that almost every car made in the last five years had pretty much the same functionality,” Curry writes on his blog. Then, he started a group chat, and everyone started thinking about possible vulnerabilities in the automotive industry.
Private data accessed by IDOR vulnerability
Then Curry and his team got to work. Security at various car manufacturers left room for improvement: the researchers discovered an IDOR vulnerability at Ferrari, Toyota, Jaguar and Land Rover.
‘IDOR’ stands for Insecure Direct Object References. This vulnerability occurs when a web application or API uses an identifier to look up an object in a database without verifying the user making the request. This allows malicious parties to request private information about car owners, such as name, telephone number, email address, details about the car and customers’ financial information.
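The pattern described above, shown as an added example that is not taken from Curry's write-up or from any manufacturer's code: the same record lookup with and without a check on the requesting user, plus a simple log check for accounts probing records they do not own. The record layout, account names, function names and threshold are all constructed for illustration.

```python
"""IDOR illustration: one lookup with and without an ownership check.
All names, records and identifiers are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class OwnerRecord:
    record_id: int
    account: str  # account that owns this record
    email: str

# Constructed sample data standing in for a customer database.
DB = {
    1001: OwnerRecord(1001, "alice", "alice@example.test"),
    1002: OwnerRecord(1002, "bob", "bob@example.test"),
}

class NotFound(Exception):
    """Raised for both missing and forbidden records (no existence oracle)."""

def get_record_vulnerable(session_account, record_id):
    # Vulnerable: trusts the client-supplied identifier; the caller's
    # identity is never compared with the record's owner.
    rec = DB.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec

def get_record_hardened(session_account, record_id):
    # Hardened: the caller must be authenticated, and the record must belong
    # to the account taken from the server-side session.
    if not session_account:
        raise PermissionError("authentication required")
    rec = DB.get(record_id)
    if rec is None or rec.account != session_account:
        raise NotFound(record_id)  # same answer in both cases
    return rec

def denied_lookups(access_log, threshold=3):
    """Detection: accounts that requested at least `threshold` distinct
    record ids they do not own. access_log holds (account, record_id)."""
    misses = {}
    for account, record_id in access_log:
        rec = DB.get(record_id)
        if rec is None or rec.account != account:
            misses.setdefault(account, set()).add(record_id)
    return sorted(a for a, ids in misses.items() if len(ids) >= threshold)
```

The hardened lookup returns the same error for a missing record and for one owned by someone else, so the response does not reveal which identifiers exist.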
Cars start and stop.
Security could have been better at Kia, Honda, Nissan, Hyundai, Genesis, Acura and Infiniti. With these brands, Curry ultimately succeeded in unlocking the car. He could remotely start and stop the engine, find its exact location, turn on the headlights and sound the horn. All he needed for this was the vehicle identification number, or VIN.
The security researchers could also take over car owners’ accounts remotely. In Kia cars, the researchers had access to the live images of the built-in 360-degree camera. At Ford and Porsche, they could request personal information about car owners.
The tracking system as leaky as a basket
The security of expensive car brands such as Mercedes-Benz, BMW, Rolls Royce and Ferrari is no better. With a few adjustments, it was possible to achieve remote code execution (RCE). The researchers could also abuse Single Sign-On (SSO) to request sales documents from local BMW dealers.
Another major security vulnerability that Curry and his team found was hidden in Spireon’s tracking system. Due to various exposures, the researchers had access to an administration panel that allowed them to send arbitrary commands to more than 15.5 million cars. This allowed them to unlock doors, start the car, retrieve location data and flash the car’s firmware, among other things. They could also take over an entire fleet of police cars and ambulances.
The automakers have not yet commented on the findings of Sam Curry and his associates.
Update (January 13, 2023): Hyundai tells Bloomberg news agency that it is working on a software update to prevent hacking of cars from this manufacturer and its subsidiary Kia. Videos on TikTok show that Hyundai and Kia cars without an anti-theft chip can be stolen with just a screwdriver and USB stick. The videos went viral under the heading ‘The Kia Challenge’.
The South Korean car manufacturer promises to release an update in March to remedy the problem. Kia also says it is working on a solution.