Researchers Find Serious Vulnerabilities In Systems In Mercedes, BMW, Porsche And Ferrari
JAKARTA - A group of researchers found loopholes in the systems of the world's largest car manufacturers that hackers could exploit, not just to steal owners' personal data but also to drive the vehicle remotely.
The seven researchers, including bug bounty hunter and Yuga Labs staff security engineer Sam Curry, found that the products of 16 major automakers and three vehicle technology vendors had security holes.
These gaps are very risky: they can lead to account takeover and remote code execution (RCE), not to mention the execution of commands that lead to physical control of the vehicle.
Some vulnerabilities can also be used for information theft, giving hackers direct access to the Personally Identifiable Information (PII) of car users stored in car applications.
One significant problem is that some automakers rely on third-party API software instead of building their own technology. According to Curry, the vulnerability affects Ford, Toyota, Mercedes, BMW, Porsche, Ferrari, and more.
As Curry and his fellow researchers dug deeper, they were very surprised by how much information they could obtain, and how much impact they could have, with the Vehicle Identification Number (VIN).
"The VIN number is very common, you can walk to the car to get a VIN number. But with these many APIs, if you have a VIN number, it will only return the person's full name or vehicle battery level and you can add it to your account," Curry said.
With the VIN, researchers can not only take full control of the owner's vehicle account, which includes a large amount of personal information, but can also remotely lock and unlock vehicles, stop engines, and locate vehicles from other makes such as Kia, Honda, Infiniti, Nissan and Acura.
In addition, researchers can also gain administrative access to manage all user accounts and vehicles for any vehicle connected to digital number plate company Reviver.
The researchers can use the vulnerabilities to track the physical location of a vehicle through GPS and mark it as stolen on the license plate. In a statement, Reviver said it found no evidence that the vulnerability was exploited and that it took further action to prevent this from happening in the future.
"Each of these companies has a portal for credit loans. So, there's a lot of information like your name, your address, your bill information," Curry said.
Curry said that all the flaws he and the team reported have now been patched by the car companies.
The fixes cover GPS provider Spireon, vehicle communications system vendor SiriusXM and automotive platform-as-a-service provider Reviver, as well as downstream subscribers including Rolls-Royce, BMW, Ferrari, Mercedes-Benz, Jaguar, Porsche, Land Rover, Toyota, Honda, Nissan, Hyundai, Ford, Kia, Acura, Genesis, and Infiniti.
"We will find a vulnerability at one car company and then we will report it, then we will switch to another car company and that will be exactly the same thing," Curry said in a blog post quoted by CyberScoop, Monday, January 9.
These findings underscore the safety risks for consumers and automakers as automakers continue to increase the amount of software in vehicles and give owners apps to connect with their cars. Curry's discovery shows that automakers should do more to focus on cybersecurity.