A group of security researchers led by Sam Curry found major security vulnerabilities across 16 major car manufacturers. Throughout 2022, Curry and his team began testing APIs across brands such as BMW, Ferrari, Jaguar, Land Rover, and Mercedes-Benz. To their surprise, the API vulnerabilities would allow an attacker to remotely start/stop the engine, report the car as stolen, track the car’s location, and unlock/lock the car.
Some vulnerabilities even allowed access to internal systems: the team found “BMW and Mercedes-Benz could have been affected by company-wide SSO (single sign-on) vulnerabilities that enabled attackers access to internal systems.”
All vulnerabilities have since been patched. The full list of affected car manufacturers are:
- Acura
- BMW
- Ferrari
- Ford
- Genesis
- Honda
- Hyundai
- Infiniti
- Jaguar
- Kia
- Land Rover
- Mercedes-Benz
- Nissan
- Porsche
- Rolls Royce
- Toyota
The full writeup on Sam Curry’s blog is nothing short of eye-opening, as he walks through each auto manufacturer’s vulnerabilities and what they were able to gain access to.
With Mercedes-Benz, remote code execution and access to hundreds of internal tools were possible via misconfigured SSO. Once Curry and his team were in, they had access to the same database as the core employee LDAP system, built for repair shops.
For Ferrari, Curry was able to perform a “full account takeover”, and the vulnerabilities allowed an attacker to access, modify, or delete all customer information. Not to mention, gain administrative access to all Ferrari content management systems powering Ferrari websites.
As a result of these findings, Curry recommends auto owners “take responsibility by limiting their input of personally identifiable information (PII), using the highest privacy settings on telematics and implementing two-factor authentication (2FA).”
With the continuing connectivity of everything through the Internet of Things, these security vulnerabilities seem egregious on the part of auto manufacturers. Companies such as BMW and Mercedes-Benz have billions of dollars to invest and should be held accountable for security standards and best practices. To place the burden of security on the consumer is untenable.
