API vulnerabilities leaked client data from BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota and Genesis

Attackers could have unlocked, started and tracked cars, and exposed customers' personal information, because the web APIs of nearly twenty car manufacturers and telematics services contained security vulnerabilities. The flaws were found and reported by security researchers; whether anyone else exploited them before they were fixed is not known.

Well-known manufacturers such as BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota and Genesis were all affected, along with the telematics providers Spireon, Reviver and SiriusXM.

In the course of their research, the researchers discovered the following security flaws, grouped by the organisation affected:

Kia, Honda, Infiniti, Nissan, Acura

Using only a vehicle identification number (VIN), an attacker could remotely lock and unlock cars, start and stop engines, locate them, flash the headlights and sound the horn. The same access allowed remote account takeover and disclosure of personally identifiable information (name, phone number, email address, physical address).
The ability to prevent owners from remotely controlling their own vehicles, and to transfer vehicle ownership.
For Kia in particular, the researchers were able to remotely access the 360-degree camera and view live images from the vehicle.

Mercedes-Benz

Access to hundreds of mission-critical internal applications through an incorrectly configured SSO setup, including:
Multiple GitHub instances behind SSO, and the company-wide internal chat tool, with the ability to join almost any channel
SonarQube, Jenkins and other build servers
Internal cloud deployment services used to manage AWS instances
APIs related to internal vehicle functions
Remote code execution on several different platforms
Memory leaks exposing employee and customer personally identifiable information and allowing account access


Hyundai, Genesis

Using only the victim's email address, an attacker could gain complete remote access to lock and unlock cars, start and stop engines, locate them, flash the headlights and sound the horn. Full remote account takeover and PII disclosure (name, phone number, email address, physical address) could also be achieved from the email address alone.

The ability to prevent owners from remotely controlling their own vehicles, and to transfer vehicle ownership.

Rolls-Royce and BMW

SSO vulnerabilities that allowed the researchers to access any employee application as any employee, including:
Internal dealer portals where sales documentation for any BMW can be retrieved by entering its VIN.
Any application protected by SSO, on behalf of any employee, including applications used by remote employees and dealers.

Ferrari

Takeover of any Ferrari customer account with minimal interaction, and an IDOR exposing the records of all Ferrari customers
Missing access controls that allowed an attacker to create, modify or delete employee "back office" administrator accounts, as well as any user account able to edit Ferrari-owned websites through the CMS.
The ability to add HTTP routes to the Ferrari API (rest-connectors), and to inspect all existing rest-connectors together with their associated secrets (authorization headers)

Spireon

Multiple vulnerabilities, including:
Full administrator access to an enterprise-wide management panel, with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start the engine, disable the starter and so on), read any device's location, and flash or update device firmware.
Remote code execution on core systems used to manage user accounts, devices and vehicle fleets, giving access to and control over all of Spireon's data across the organisation.
The ability to take complete control of any fleet. This would have allowed the researchers to locate and disable the starters of emergency vehicles, police cars and ambulances in several major cities, and to send dispatch orders to those vehicles such as "go to this location".
Full administrative access to all Spireon products.
In total this covered:
15.5 million devices (mostly vehicles)
1.2 million user accounts (end users, fleet managers and others)


Ford

Full memory disclosure on the production vehicle telematics API, which exposed:
Customer personally identifiable information, together with access tokens that allow vehicles to be tracked and commanded
Configuration credentials for internal telematics services
The ability to log into a customer account, read all of its personally identifiable information and act on the associated vehicles.
A URL-parsing flaw that let an attacker take over a customer account, giving full access to the victim's account and car portal.

Reviver

Full access to all of Reviver's administrative functions, including management of user accounts and of every Reviver-connected vehicle. An attacker could, for example:
Track the live GPS location of every Reviver customer and manage their digital license plates (for example, change the tagline at the bottom of the plate to arbitrary text)
Mark any car as "STOLEN", which updates the license plate display and alerts the police.
Read all user data, including physical addresses, phone numbers and email addresses, and the vehicles each user owns.
Use any company's fleet-management functions to locate and manage every car in that fleet.

Porsche

By exploiting weaknesses in the vehicle telematics service, an attacker could retrieve vehicle locations, send commands to vehicles and retrieve customer information.


Toyota

An IDOR at Toyota Financial that disclosed the name, phone number, email address and current loan status of any Toyota Financial customer

Jaguar, Land Rover

An IDOR on user accounts that revealed the account's password hash, as well as the user's name, phone number, physical address and vehicle details
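The Toyota Financial and Jaguar/Land Rover findings above, the Ferrari customer-record IDOR, and the VIN-only vehicle control described for Kia, Honda, Infiniti, Nissan and Acura all come down to one missing check: the API trusts the object identifier in the request (a customer id or a VIN) and never verifies that the authenticated caller owns that object. The following is an added example, not code from the article or from any manufacturer; it models a tiny in-memory car portal with the vulnerable handlers next to hardened ones, and an enumeration loop that shows what one valid session can pull out of each. All customers, VINs and endpoint names are constructed for illustration.

```python
"""Added example: IDOR and VIN-only vehicle commands, vulnerable vs. hardened.

Not code from the article or from any manufacturer. All data below is
constructed; the VINs and customers do not refer to real vehicles or people.
"""
from dataclasses import dataclass

# Constructed sample data (hypothetical customers and vehicles).
CUSTOMERS = {
    101: {"name": "Alice Example", "email": "alice@example.test", "loan_status": "current"},
    102: {"name": "Bob Example", "email": "bob@example.test", "loan_status": "late"},
}
# VIN -> owning customer id.
VEHICLES = {
    "1HGCM82633A004352": 101,
    "JH4KA7561PC008269": 102,
}


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller does not own the object."""


@dataclass
class Session:
    """The authenticated caller; in a real API this comes from the session token."""
    customer_id: int


# --- Vulnerable handlers: the identifier in the request is the only input ---

def get_customer_vulnerable(session: Session, customer_id: int) -> dict:
    # Authenticated, but never checks that customer_id belongs to this session.
    return CUSTOMERS[customer_id]


def send_vehicle_command_vulnerable(session: Session, vin: str, command: str) -> str:
    # Any logged-in user can command any vehicle whose VIN they know or guess.
    if vin not in VEHICLES:
        raise KeyError(vin)
    return f"{command} sent to {vin}"


# --- Hardened handlers: object-level authorization against the session ---

def get_customer(session: Session, customer_id: int) -> dict:
    if customer_id != session.customer_id:
        raise Forbidden(f"customer {session.customer_id} may not read customer {customer_id}")
    return CUSTOMERS[customer_id]


def send_vehicle_command(session: Session, vin: str, command: str) -> str:
    owner = VEHICLES.get(vin)
    # Same failure whether the VIN is unknown or owned by someone else, so the
    # endpoint cannot be used to enumerate which VINs are enrolled.
    if owner != session.customer_id:
        raise Forbidden("vehicle not associated with this account")
    return f"{command} sent to {vin}"


def enumerate_customers(handler, session: Session, id_range) -> list:
    """Simulate an attacker walking sequential ids with one valid session.

    Returns the ids whose records the handler handed back.
    """
    leaked = []
    for cid in id_range:
        try:
            handler(session, cid)
            leaked.append(cid)
        except (Forbidden, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    s = Session(customer_id=101)
    print("vulnerable:", enumerate_customers(get_customer_vulnerable, s, range(100, 105)))
    print("hardened:  ", enumerate_customers(get_customer, s, range(100, 105)))
```

The hardened `send_vehicle_command` deliberately returns the same error for "unknown VIN" and "someone else's VIN"; distinguishing the two would turn the command endpoint into a VIN oracle even after the authorization bug is fixed.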

SiriusXM

Leaked AWS keys that granted full organisation-wide read/write access to S3, including the ability to download every file, among them what appeared to be user databases, source code and configuration files for SiriusXM.
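Leaked long-lived AWS keys of the kind described above are usually sitting in a config file or source tree, and the cheapest control is to scan for them before they are committed. The following is an added example, not code from the article or from SiriusXM: a small scanner for AWS access key ids and the secrets that accompany them. The sample input is constructed; the credential values in it are the placeholder examples AWS uses in its own documentation, not real keys.

```python
"""Added example: scan text for long-lived AWS credentials.

Not code from the article or from SiriusXM. The SAMPLE config below is
constructed; its key values are AWS documentation placeholders.
"""
import re

# Long-term access key ids begin with AKIA, temporary (STS) ones with ASIA;
# both are 20 characters from an upper-case alphanumeric alphabet.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-like text. Requiring a
# key-like setting name on the same line keeps the false-positive rate down.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\W{0,5}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(text: str) -> list:
    """Return one finding per matched credential: line number, kind and value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "value": m.group(1)})
    return findings


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a key in a console."""
    return value[:4] + "*" * (len(value) - 4)


def report(text: str) -> list:
    """Human-readable lines, one per finding, with values redacted."""
    return [f"line {f['line']}: {f['kind']} {redact(f['value'])}" for f in scan_text(text)]


# Constructed sample input; the credential values are AWS documentation placeholders.
SAMPLE = """\
# constructed sample config; values are AWS documentation placeholders
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
not_a_key = AKIA_NOT_A_KEY
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The access-key pattern is precise enough to run over a whole repository; the secret-key pattern is context-dependent by design, because a bare 40-character base64 string matches far too much ordinary data. A finding should be treated as a key that is already compromised: rotate it, then remove it from history.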

Vehicle owners can reduce their exposure to the kinds of flaws described above by limiting the amount of personally identifiable information they store in the car and in its companion mobile app.

In-car telematics should also be set to the most private mode available, and owners should read the manufacturer's privacy policy to understand how their data is used. The underlying vulnerabilities, however, were in the manufacturers' and providers' own servers, so the fixes had to come from them.
