Nearly twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activities, ranging from unlocking, starting and tracking cars to exposing customers’ personal information.

The security breaches affected well-known brands including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota and Genesis.

The vulnerabilities also affected automotive technology brands Spireon and Reviver and streaming service SiriusXM.

The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infiniti and SiriusXM security issues in November 2022.

While Curry’s previous disclosure explained how hackers could use these flaws to unlock and start cars, now that the 90-day vulnerability disclosure period since the issues were reported has passed, the team has released a more detailed blog post on the API vulnerabilities.

The affected vendors have fixed all issues presented in this report, so they are not actionable at this time.

Access internal portals

The most severe API flaws were found at BMW and Mercedes-Benz, which were affected by enterprise-wide single-sign-on (SSO) vulnerabilities that allowed attackers to access internal systems.

For Mercedes-Benz, analysts could access several private GitHub instances, internal chat channels on Mattermost, servers, Jenkins and AWS instances, XENTRY systems that connect to customers’ cars, and more.

Internal Mercedes-Benz Portal
Source: Sam Curry

For BMW, researchers were able to access internal dealership portals, query the VINs of any car, and retrieve sales documents containing sensitive owner details.

In addition, they could take advantage of SSO loopholes to log in as an employee or reseller and access applications reserved for internal use.

Access vehicle details on the BMW Portal
Source: Sam Curry

Expose owner details

Exploitation of other API flaws allowed researchers to access the PII (personally identifiable information) of car owners at KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche and Toyota.

In the case of ultra-expensive cars, the disclosure of owner information is particularly dangerous because, in some cases, the data includes information on sales, physical location and customer addresses.

Ferrari suffered from poorly implemented SSO on its CMS, exposing backend API routes and allowing credentials to be extracted from JavaScript code snippets.

An attacker could exploit these flaws to access, modify or delete any Ferrari customer account, manage their vehicle profile or define themselves as a car owner.

Disclosure of Ferrari user data details
Source: Sam Curry

Vehicle GPS tracking

These vulnerabilities could also have allowed hackers to track cars in real time, introducing potential physical risks and impacting the privacy of millions of car owners.

Porsche was one of the brands affected, with flaws in its telematics systems allowing attackers to retrieve vehicle locations and send commands.

GPS tracking solution Spireon was also vulnerable to vehicle location disclosure, affecting 15.5 million vehicles using its services, and even exposed full administrative access to its remote management panel, allowing attackers to unlock cars, start the engine or disable the starter.

Historical GPS data on the Spireon admin panel
Source: Sam Curry

The third entity affected is Reviver, a maker of digital license plates, which was vulnerable to unauthenticated remote access to its admin panel; this could have given anyone access to GPS data and user records, as well as the ability to change license plate messaging and more.

Curry illustrates how these flaws allowed the team to mark a vehicle as “STOLEN” on the Reviver panel, which would automatically notify the police of the incident, putting the owner or driver at unnecessary risk.

Modifying Reviver Plates Remotely
Source: Sam Curry

Minimize exposure

Car owners can protect themselves from these types of vulnerabilities by limiting the amount of personal information stored in vehicles or accompanying mobile apps.

It is also essential to set in-vehicle telematics to the most private mode available and read privacy policies to understand how data is used.

Sam Curry also shared with BleepingComputer the following tips that owners should follow when buying a car.

“When buying a used car, make sure the previous owner’s account has been deleted. Use strong passwords and set up 2FA (two-factor authentication) if possible for apps and services related to your vehicle,” Curry warned in a statement to BleepingComputer.

Update 1/4 – A Spireon spokesperson sent BleepingComputer the following comment:

Our cybersecurity professionals met with the security researcher to discuss and assess the alleged system vulnerabilities and immediately implemented corrective measures to the extent required.

We have also taken proactive steps to further strengthen the security of our product portfolio as part of our continued commitment to our customers as a leading provider of aftermarket telematics solutions.

Spireon takes all security matters seriously and uses an extensive set of industry-leading tools to monitor and analyze its products and services for both known and new potential security risks.