Major security flaws have been found in Mercedes, Ferrari and other top luxury cars that could have allowed threat actors to steal owners’ personally identifiable information, track their vehicles, and in some cases – even unlock and start the cars.
Nearly two dozen car brands were affected by the flaws, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.
In addition to the automakers, automotive technology manufacturers Spireon and Reviver were also affected, as well as streaming service provider SiriusXM.
Access to private data
The flaws were discovered by cybersecurity researcher Sam Curry, who has a history of finding security flaws in connected cars. In early December 2022, he discovered a flaw in SiriusXM that allowed threat actors to gain access to connected vehicles.
In this case, different manufacturers had different vulnerabilities. BMW and Mercedes-Benz had a flawed Single Sign-On (SSO) feature that allowed threat actors to gain access to internal systems, giving them access to GitHub instances, private chats, servers, AWS instances, and more.
With BMW, potential attackers could have gained access to internal dealer portals, vehicle identification numbers (VINs), and sales documents containing sensitive owner details.
Besides the two big brands, owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche and Toyota cars could have had their personally identifiable information (PII) leaked.
Ferrari was also heavily affected, as the SSO flaw allowed threat actors to access, modify or delete any Ferrari customer account; they could even have registered themselves as car owners. With Porsche, flaws in the telematics systems allowed threat actors to pinpoint the exact location of the cars and even send commands to the vehicles.
All the affected suppliers were notified of the findings, and have since corrected the errors.
GPS vehicle tracking provider Spireon, reportedly used in more than 15 million vehicles, had a flaw that, among other things, allowed threat actors to unlock the cars, start the engine or disable the starter.
To limit exposure to such flaws in the future, the researchers suggest that vehicle owners store as little personal information in their vehicles and mobile apps as possible.
Via: BleepingComputer