Car hackers discover vulnerabilities that could let them hijack millions of vehicles
Written by Christian Vasquez
The vulnerabilities could allow attackers to remotely track, stop or control a car – even an entire fleet of emergency vehicles. Another could give hackers access to around 15.5 million cars, allowing them to send commands to control breaching systems.
In total, a group of ethical car hackers discovered at least 20 vulnerabilities in the application programming interfaces, or APIs, that automakers rely on to allow the technology inside the cars to interact. The vulnerabilities affected Ford, Toyota, Mercedes, BMW, Porsche, Ferrari and others.
“We would find a vulnerability at one car company and then we would report it, then we would switch to another car company and it would be exactly the same,” said Sam Curry, a security researcher who detailed the findings in a blog posted this week .
The findings underscore the security risks for both consumers and automakers as automakers continue to increase the amount of software in vehicles and provide owners with apps to connect to their cars. It also shows that although car manufacturers have done more to focus on cyber security, much remains to be done.
“The automotive industry faces many challenges in this area,” said Ted Miracco, CEO of security firm Approov, which provides mobile cybersecurity services to auto companies. “I think there was a rush to get a lot of applications out there with a lot of functionality very quickly, and some of the rush to do those things is coming back to haunt a number of manufacturers.”
A key problem is that some automakers rely on third-party API software instead of building the technology in-house, he said. “A lot of it comes down to APIs: everything will connect to everything else. So there’s been a proliferation of APIs and a single mobile app can have dozens of API calls.”
Software vulnerabilities inside cars have been a long-standing concern. In one of the most high-profile examples of how hackers could potentially exploit a security vulnerability in a vehicle, cybersecurity journalist Andy Greenberg demonstrated in 2015 that hackers could tamper with a Jeep Cherokee while it was driving.
But when hackers take over a car while someone is driving, it’s a moment made for movies, and vulnerabilities in GPS systems, motion sensors, keyless systems and operating systems become more of a privacy and security issue, experts say. Also, the software errors can lead to vehicle theft. Some of the vulnerabilities that Curry and the other researchers discovered would allow a hacker to change the ownership status of the car.
As Curry and his fellow researchers dug in, they were particularly surprised by how much information and impact they could have with vehicle identification numbers. “VIN numbers are super public, you can walk up to a car to get a VIN number,” Curry said. “But with a lot of these APIs, if you have the VIN number, it will just return the full name of the person or the battery level of the vehicle, and you can just add that to your account.”
The researchers were able to use a VIN number to not only take complete control of an owner’s vehicle account, which included a significant amount of private information, they were also able to remotely lock and unlock, stop engines, locate vehicles for Kia , Honda , Infiniti, Nissan and Acura.
They were also able to gain “full super administrative access to manage all user accounts and vehicles” for any vehicle connected to digital license plate company Reviver. The vulnerability allows researchers to track the physical location of a vehicle through GPS and mark it stolen on the license plate.
In a statement, Reviver said it found no evidence that the vulnerability was exploited and “took additional measures to prevent this from happening in the future.”
In addition, financial information can also be found. “Each of these companies has a portal for credit loans,” Curry said. “So it’s a ton of information like your name, your address, your billing information.”
Curry said the vast majority of companies were happy to discuss the vulnerability and generally had positive interactions, but noted that most did not have any kind of bug bounty program for researchers to report their findings. That said, all of the bugs that Curry and the team reported have been fixed.
