Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities
Several of the biggest car brands in the world have fixed dozens of vulnerabilities, some of which could have allowed for the full takeover of vehicles, according to a team of security researchers.
The bugs were found in Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover vehicles, as well as GPS tracking company Spireon and digital license plate company Reviver.
The findings build on issues discovered in November by Yuga Labs staff security engineer Sam Curry, who drew attention two months ago for finding vulnerabilities in Hyundai and Genesis vehicles as well as issues related to SiriusXM that affected Nissan, Infiniti, Honda and Acura vehicles.
Curry told The Record that the latest findings are an extension of his initial work on those vehicle brands.
In a lengthy blog post, Curry and a team of researchers explained that the vulnerabilities ranged from ones that gave widespread access to internal company systems and customer data to others that would allow an attacker to send commands to a vehicle.
“At the time of last year’s disclosure these were not fixed, so we disclosed the fixed ones in this blog post. We’ve spoke to all affected companies, verified their fixed, and told them that we would disclose eventually through traditional 90 day disclosure standards,” Curry said.
“Vehicle security is a really hard problem and there’s a lot of really smart people working in this space, but these companies are so large that they’re still going to have traditional vulnerabilities. The problem with car companies is that you have this huge 5,000 LB computer on wheels that a consumer can interact with using their cell phone. It becomes a really bad problem when those traditional vulnerabilities can be used to harm or track drivers.”
Curry confirmed that all of the companies mentioned in the blog post fixed the vulnerabilities within a week and were very responsive. His team worked closely with all of the companies and spoke over the phone with some to better explain issues.
Only Porsche, Mercedes-Benz and Spireon responded to requests for comment from The Record.
When it comes to Porsche vehicles, Curry’s team said they discovered they could send and retrieve vehicle location, send vehicle commands, and retrieve customer information through vulnerabilities affecting the vehicle’s Telematics service.
A Porsche spokesperson said they “permanently monitor” their systems and “take any indications of vulnerabilities very seriously.”
“Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties,” the spokesperson said.
A Mercedes-Benz spokesperson said their work with the researchers was an important part of their efforts to “create better, safer products and services through our vulnerability disclosure program.”
The researchers said they were able to access hundreds of mission-critical internal applications at Mercedes-Benz through an improperly configured single-sign on solution.
The bug gave them access to multiple company GitHub instances, the company-wide internal chat tool, as well as the ability to join nearly any channel.
They were also able to access several other internally-used development tools as well as vehicle-related application programming interfaces. Through the bugs, they were able to access employee and customer personal information and widespread account access.
The Mercedes-Benz spokesperson confirmed that Curry contacted them about the “improperly configured authorization management” and said the issues have been fixed.
“The identified vulnerability did not affect the security of our vehicles,” the spokesperson said.
Spireon had similar issues, with Curry and his team able to gain full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles.
This included commands that would allow an attacker to unlock a car, start the engine, disable the starter, read any device’s location and more.
The bugs also allowed attackers to access user accounts and “fully takeover any fleet.”
“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. ‘navigate to this location’,” Curry’s team wrote.
They were also able to gain full administrative access to all of Spireon’s products like GoldStar, LoJack, FleetLocate, NSpire and more.
In total the bugs gave access to 15.5 million devices, most of which were vehicles, and 1.2 million user accounts.
In a statement, Spireon told The Record that its team met with Curry to discuss and evaluate the vulnerabilities.
The company “immediately implemented remedial measures to the extent required.”
“We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions,” the spokesperson said.
“Spireon takes all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks.”
Several cybersecurity experts were alarmed by Curry’s findings. Approov CEO Ted Miracco said it is “well past time for the automotive industry to embrace a defense in depth cybersecurity strategy.”
Many recent breaches have been enabled by a single point of failure, such as exploiting user credentials or API keys to unlock cars, Miracco noted, adding that they are “consistently finding secrets (including API Keys) hidden but within reach in automotive applications on both iOS and Android.”
“In the short term, we see a bumpy road ahead for the automotive sector where cybersecurity is concerned. Legacy approaches like code obfuscation have proven insufficient to thwart attack, and additional security is immediately needed to secure vehicles,” he said.
“As more companies use mobile devices to unlock vehicles, look for an uptick in theft that shocks consumers and reverberates across insurance companies and law enforcement.”
Cequence Security’s Jason Kent noted that Curry suggests car owners should take responsibility by limiting their input of personally identifiable information, using the highest privacy settings on telematics and implementing two-factor authentication. But Kent said it shouldn’t come to this.
“Automotive manufacturers have to assume responsibility and securely configure and regularly test their APIs by looking from the outside in as an attacker would. API Security is the number one attack vector for a reason,” Kent said.
“There is very little that is done to test for these types of problems which is why researchers are able to exploit simple flaws and blow the whistle on enterprises that have billions of dollars at their disposal and build solutions the general public has learned to trust.”