Technology NewsAPI Vulnerabilities Uncovered in 16 Major Car Brands

API Vulnerabilities Uncovered in 16 Major Car Brands

-


Jan 09, 2023Ravie LakshmananAutomotive Security

API Vulnerabilities Uncovered in 16 Major Car Brands

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners.

The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.

The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.

The research builds on earlier findings from late last year, when Yuga Labs researcher Sam Curry et al detailed security flaws in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks.

The most serious of the issues, which concern Spireon’s telematics solution, could have been exploited to gain full administrative access, enabling an adversary to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.

car hacking
car hacking
car hacking

“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” the researchers said.

Vulnerabilities identified in Mercedes-Benz could grant access to internal applications via an improperly configured single sign-on (SSO) authentication scheme, while others could permit user account takeover and disclosure of sensitive information.

Other flaws make it possible to access or modify customer records, internal dealer portals, track vehicle GPS locations in real time, manage the license plate data for all Reviver customers, and even update vehicle status as “stolen.”

While all the security vulnerabilities have since been fixed by the respective manufacturers following responsible disclosure, the findings highlight the need for defense-in-depth strategy to contain threats and mitigate risk.

“If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely,” the researchers noted.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

New OPPO Reno8 T and Reno8 T 5G, 100 megapixel camera and 120 Hz screen

OPPO has launched a new series within its Reno line: this is the Reno8 T and Reno8 T...

ஒரு செயற்கை இரசாயன கடிகாரம் சர்க்காடியன் தாளங்களின் மர்மமான சொத்தை எவ்வாறு பின்பற்றுகிறது

சர்க்காடியன் தாளங்கள் ஒரு தனித்துவமான பண்புகளைக் கொண்டுள்ளன, இதில் வெப்பநிலை ஏற்ற இறக்கங்கள் இருந்தபோதிலும் சுழற்சி காலம் மாறாமல் இருக்கும், பல உயிர்வேதியியல் எதிர்வினைகளின்...

ChatGPT – OpenAI plans to introduce an optional subscription for users of its tool

ChatGPT is one of the most interesting technological curiosities of recent months. Much has already been written...

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

Feb 02, 2023Ravie LakshmananCyber Risk / Threat Detection The State Cyber Protection Centre (SCPC) of Ukraine has called out...

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

Feb 02, 2023Ravie LakshmananCyber Risk / Threat Detection The State Cyber Protection Centre (SCPC) of Ukraine has called out...

New HeadCrab malware infects 1,200 Redis servers to mine Monero

New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them...

Must read

New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

Feb 01, 2023Ravie LakshmananEnterprise Security A new exploit has...

it will be a special version of the realme 10 Pro

The most famous soft drink in the world...