Flaws in Telematics Systems of Popular Cars

Ferrari owners, beware: you may not be the only one with control over your luxury car. Cybersecurity researchers have discovered vulnerabilities in the telematics systems of multiple popular car brands, including Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, and Land Rover, as well as fleet management company Spireon. These vulnerabilities could potentially allow attackers to control the affected vehicles completely.

Spireon, which owns many GPS car tracking and fleet management brands and covers 15 million linked vehicles, was found to have multiple problems in its system, including SQL injection, remote code execution (RCE) and authentication bypass vulnerabilities that could give attackers complete access to any vehicle.

These flaws could potentially give hackers access to the administration panel of the entire Spireon company, allowing them to send arbitrary commands to all 15 million cars, such as opening doors, activating the horn, starting the engine, and disabling starters. This could be particularly dangerous if attackers could disable the starters of emergency vehicles, police cars, ambulances, and law enforcement vehicles in major cities.

Ferrari’s systems exposed the JavaScript code of several internal applications, and that code contained API keys and credentials that could allow attackers to take over or delete accounts. It was also possible to grant superuser rights or become the registered owner of a Ferrari through a single POST request. The lack of access control in these systems could also allow cyber criminals to create and delete employee back-office administrator accounts and modify websites owned by Ferrari, including its CMS system.
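The access-control failure just described, as an added illustration written for this article rather than taken from Ferrari or any other vendor: a vehicle-ownership endpoint that trusts a role field sent by the client, next to a hardened version that derives identity and role from the server side. The user names, roles and VIN are constructed.

```python
# Added illustration (not code from Ferrari or any vendor named above):
# one "assign vehicle owner" request handled by a flawed handler that
# trusts a role field sent by the client, and by a hardened one that
# derives identity and role server-side. Users and VINs are constructed.
import copy

USERS = {"alice": {"role": "customer"}, "bob": {"role": "customer"},
         "carol": {"role": "backoffice_admin"}}
_REGISTRY = {"VIN-EXAMPLE-0001": {"owner": "alice"}}

class Forbidden(Exception):
    """Caller is not authorized for the requested operation."""

def fresh_registry() -> dict:
    """Private copy of the registry so each call starts from clean state."""
    return copy.deepcopy(_REGISTRY)

def vulnerable_assign_owner(body: dict, vehicles: dict) -> dict:
    """Flawed: the client-supplied body names the acting role, so anyone
    who can reach the endpoint can claim admin and reassign any vehicle."""
    if body.get("role") != "backoffice_admin":
        raise Forbidden("admin role required")
    vehicles[body["vin"]]["owner"] = body["new_owner"]
    return vehicles[body["vin"]]

def hardened_assign_owner(session_user: str, body: dict,
                          users: dict, vehicles: dict) -> dict:
    """Identity comes from the authenticated session, the role from the
    server's user store, and both target records must exist before a write."""
    if users.get(session_user, {}).get("role") != "backoffice_admin":
        raise Forbidden(f"{session_user} is not a back-office admin")
    vin, new_owner = body.get("vin"), body.get("new_owner")
    if vin not in vehicles or new_owner not in users:
        raise KeyError("unknown vehicle or user")
    vehicles[vin]["owner"] = new_owner
    return vehicles[vin]

def demo() -> dict:
    """Send one forged request (customer 'bob' claiming admin) to both
    handlers and report what each did; a real admin is still allowed."""
    forged = {"role": "backoffice_admin", "vin": "VIN-EXAMPLE-0001",
              "new_owner": "bob"}
    out = {"vulnerable": vulnerable_assign_owner(forged, fresh_registry())["owner"]}
    try:
        hardened_assign_owner("bob", forged, USERS, fresh_registry())
        out["hardened_as_bob"] = "allowed"
    except Forbidden:
        out["hardened_as_bob"] = "denied"
    out["hardened_as_carol"] = hardened_assign_owner(
        "carol", forged, USERS, fresh_registry())["owner"]
    return out
```

The point to check in a review is where the role comes from: the hardened handler never reads it from the request, only from the session and the server-side user store.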

BMW and Rolls Royce were found to have a misconfigured single sign-on (SSO) system that allowed hackers to access the internal dealer portal, request a VIN, and obtain all documents for the sale of a car. A misconfigured SSO system at Mercedes-Benz allowed researchers to create a user account on a car service site and request tools and parts. They could also access Mercedes GitHub, which held internal documentation and source code for different firm initiatives, including the Me Connect app, which consumers use to remotely connect to their automobiles. Hackers could even infiltrate the Slack communication channel and impersonate a company employee, using social engineering to increase their privileges in the Mercedes-Benz infrastructure.

Vulnerabilities in Porsche and Toyota systems allowed attackers to remotely locate Porsche vehicles and send commands to them, and to discover the name, phone number, email address, and credit status of Toyota Motor Credit customers.

Fortunately, these vulnerabilities have been reported to the affected automakers and have since been corrected. However, this serves as a reminder of the importance of regularly updating and patching telematics systems to ensure the safety and security of connected vehicles.
