Critical Vulnerabilities Found in Luxury Cars Now Fixed
Ferrari, BMW, Rolls Royce, Porsche Software Flaws Exposed Data, Vehicle Controls
Software vulnerabilities in systems deployed by luxury car manufacturers including Ferrari, BMW, Rolls Royce and Porsche, which could have allowed remote attackers to control vehicles and steal owners' personal details, have been fixed. Cybersecurity researchers uncovered the vulnerabilities while on vacation.
The vulnerabilities potentially allowed hackers to perform tasks such as starting and stopping vehicles, remote tracking and locking and unlocking.
The affected vehicles include Infiniti, Nissan, Acura, Mercedes-Benz, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, Kia, Honda and Land Rover.
The research team also discovered flaws in the services provided by technology brands Reviver, Spireon and streaming service provider SiriusXM.
Sam Curry, a staff security engineer at blockchain technology company Yuga Labs, and fellow cybersecurity researchers uncovered these flaws during a vacation. "We brainstormed for a while and then realized that nearly every automobile manufactured in the last five years had nearly identical functionality," Curry says.
Curry says that if an attacker can find vulnerabilities in the API endpoints that vehicle telematics systems use, they could perform various tasks remotely.
"I'd hope that car manufacturers continue to work with security researchers in fixing these types of issues and taking these types of attacks seriously," Curry tells Information Security Media Group.
Full Account Takeover
During the analysis of BMW assets, Curry says, the group identified a custom single sign-on portal for employees and contractors of the automotive manufacturer.
"This was super interesting to us," says Curry. "Any vulnerabilities identified here could potentially allow an attacker to compromise any account connected to all of BMW's assets."
They found that sending an HTTP request to the host exposed its API endpoints: the HTTP response contained all available REST endpoints on the xpita host, a password management system of the BMW Group.
Representational state transfer, or REST, is a software architectural style that defines a uniform interface between physically separate components, often communicating across the internet.
"We began enumerating the endpoints and sending mock HTTP requests to see what functionality was available. One immediate finding was that we were able to query all BMW user accounts via sending asterisk queries in the user field API endpoint," Curry says. "This allowed us to enter something like 'sam*' and retrieve the user information for a user named 'sam.curry' without having to guess the actual username."
Once they uncovered this vulnerability, Curry says, they continued testing the other accessible API endpoints and found that the /rest/api/chains/accounts/:user_id/totp endpoint contained the word "totp," meaning one-time password generation. In a separate HTTP request to this endpoint using the SSO user ID they had gained from "the wildcard query paired with the TOTP endpoint, it returned a random 7-digit number."
This HTTP request generated a TOTP for the user's account, and it also worked with the "forgot password" function. Curry says they were able to retrieve the TOTP code that would otherwise be sent to the user's two-factor authentication device - email or phone - and gain full control of the account.
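The two flaws described above, a user lookup that honors wildcards and a TOTP endpoint that hands the code back to the caller, are sketched in this added Python example. It is not BMW's code; it assumes a hypothetical in-memory user directory and shows each flawed handler beside a hardened version.

```python
import fnmatch
import re
import secrets

# Constructed sample directory for the demo; these are not real accounts.
USERS = {
    "sam.curry": {"phone": "+1-555-0100"},
    "sam.smith": {"phone": "+1-555-0101"},
    "jane.doe": {"phone": "+1-555-0102"},
}
USERNAME_RE = re.compile(r"[a-z0-9._-]{1,64}")
MAX_CODES = 3       # per-user cap standing in for a real rate limiter
_ISSUED = {}        # user_id -> codes issued so far
SENT = []           # demo stand-in for the SMS gateway; records (phone, code)


def lookup_user_vulnerable(query):
    """Flawed pattern: the user field is treated as a glob, so a query
    such as 'sam*' enumerates every matching account."""
    return sorted(u for u in USERS if fnmatch.fnmatchcase(u, query))


def lookup_user_hardened(query):
    """Hardened: only a plain username is accepted and it must match
    exactly, so wildcard characters cannot enumerate the directory."""
    if not USERNAME_RE.fullmatch(query):
        return []
    return [query] if query in USERS else []


def issue_totp_vulnerable(user_id):
    """Flawed pattern: any caller who knows a user ID gets a fresh code
    back in the HTTP response, which defeats the second factor."""
    if user_id not in USERS:
        return None
    return {"user": user_id, "totp": f"{secrets.randbelow(10**7):07d}"}


def issue_totp_hardened(user_id):
    """Hardened: the code goes only to the enrolled device, the reply never
    contains it and is identical for unknown users (no enumeration), and a
    per-user cap limits repeated requests."""
    if user_id in USERS and _ISSUED.get(user_id, 0) < MAX_CODES:
        _ISSUED[user_id] = _ISSUED.get(user_id, 0) + 1
        SENT.append((USERS[user_id]["phone"], f"{secrets.randbelow(10**7):07d}"))
    return {"status": "if the account exists, a code has been sent"}
```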
"At this point, it was possible to completely take over any BMW or Rolls Royce employee account and access tools used by those employees," Curry says.
To demonstrate the impact of this vulnerability, the researchers opened the BMW dealer portal and used their own account to log in to the portal, which is used mainly by sales associates at BMW and Rolls Royce dealerships.
Once logged in, they observed that the account they had taken over using the TOTP was tied to an actual dealership, and they were able to access all the functions available to dealers, including the "ability to query a specific VIN number and retrieve sales documents for the vehicle."
With that access, the researchers say they could perform several actions against BMW and Rolls Royce customer accounts and customer vehicles.
At this point, the researchers say, they stopped testing and reported the vulnerabilities to the automobile companies. Those vulnerabilities have since been fixed.
Other Vulnerabilities Found
Researchers uncovered more vulnerabilities in car brands including Kia, Honda, Infiniti, Nissan and Acura. Using only the VIN, they were able to remotely lock and unlock the vehicles, start and stop the engine, precisely locate them, flash the headlights and honk the horn.
Using the VIN, they were also able to remotely take over accounts and recover the owner's name, phone number, email address and physical address. Curry says they also gained the ability to lock users out of remotely managing their vehicles and changing ownership.
For Kia vehicles, they were able to remotely access the 360-degree-view camera and view live images from the car.
For Mercedes-Benz vehicles, researchers say an improperly configured SSO gave them access to hundreds of mission-critical internal applications, including a companywide internal chat tool with the ability to join nearly any channel, internal cloud deployment services for managing AWS instances and internal vehicle-related APIs. They also achieved remote code execution on multiple systems and found memory leaks that disclosed employee and customer PII and allowed account access.
For Hyundai and Genesis cars, researchers were able to remotely lock and unlock the vehicles, start and stop the engine, precisely locate them, flash the headlights and honk the horn using only the victim's email address.
They were also able to take control of the accounts; obtain the name, phone number, email address and physical address of the victims; and lock users out of remotely managing their vehicles and changing ownership.
"For consumers, I'd suggest they use a strong password for their automotive accounts and validate that prior owners of their used vehicles no longer have access to their vehicle's remote data," Curry advises.