Connected cars are a way of life for millions, but that also means they provide additional attack vectors for threat actors. Recently, security researchers found multiple API endpoint vulnerabilities among 16 global automotive manufacturers. Here’s what you need to know.
Affected well-known brands and services included Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce and Toyota.
The vulnerabilities identified included account takeover, remote code execution (RCE), arbitrary code execution and SQL injection.
When exploited, these vulnerabilities gave researchers the ability to remotely honk the horn, flash the lights, start or stop the engine, lock or unlock the car, track the location, take over an account, and disclose personal information and vehicle identification numbers (VINs).
The vulnerability in BMW and Rolls-Royce endpoints allowed a complete account takeover via a misconfigured single sign-on (SSO) portal. Security researchers were able to send a specially crafted HTTP request to an exposed API endpoint and receive in the response a time-based one-time password (TOTP) for the user’s account. From there, the security researchers used the TOTP codes to bypass two-factor authentication (2FA). In addition, Mercedes-Benz and Rolls-Royce endpoints were both found to be vulnerable to an RCE flaw that allowed security researchers to take control of accounts and access internal tools.
In Ferrari endpoints, security researchers could exploit an unpatched vulnerability by creating an arbitrary account, gaining access to sensitive customer data and using administrative CMS functionality to navigate Ferrari websites. Spireon telematics systems were vulnerable to SQL injection attacks and regular expression (regex) authorization bypass. As a result, security researchers could send arbitrary commands to 15 million telematics systems, potentially compromising fleet management systems for police departments, ambulance services, truckers and other business fleets in a worst-case scenario.
Additionally, security researchers could exploit a vulnerability in Reviver software to remotely track and overwrite virtual license plates, track and administer Reviver fleets, and manipulate stored user information.
According to the security reports, all vulnerabilities were reported ethically during the fall of 2022, and the car manufacturers responded to notifications within one to two days. Some manufacturers even released patches within 24 hours.
As of this writing, all known vulnerabilities have been patched and there are no indications of exploitation in the wild.
More technology added to vehicles brings additional attack vectors and complexity to the environment. Automotive organizations, dealerships and owners should ensure they are keeping their vehicles’ firmware updated to patch vulnerabilities.