Automakers chasing active and passive safety would do well to think about information security as well.
While BMW, Mercedes, Toyota and other popular manufacturers were busy crash-testing their cars, security researcher Sam Curry and his colleagues found a host of vulnerabilities in the cars themselves and in the services built by automotive solution providers.
It turned out that more than a dozen car manufacturers rely on vulnerable APIs, and the bugs found allow a fairly wide range of malicious actions, from unlocking cars to tracking them.
The flaws the researchers found affected cars from popular brands, including Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover.
The research team also found flaws in the services provided by Reviver, SiriusXM and Spireon.
However absurd it may sound, the owner of a fine car is no longer the only one who can "manage a dream" or enjoy "the best or nothing": exploiting some of the vulnerabilities gave access to hundreds of critical internal applications.
At Mercedes, for example, a misconfigured SSO (single sign-on) let an attacker achieve remote code execution on several systems, read the memory contents of some of them and expose personal data of employees or customers.
The researchers gained access to private GitHub instances, internal chat channels on Mattermost (a Slack-like tool), servers, Jenkins and AWS instances, the XENTRY systems that connect to customers' cars, and much more.
In the case of BMW and Rolls-Royce, the researchers were able to reach internal dealer portals, query any car by VIN and obtain its sale documents, including confidential information about the owner.
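The article reports only the outcome for the dealer portals (any VIN could be queried), not the root cause. The added example below, which is not code from the article or from any of the named manufacturers, assumes the underlying problem was a missing per-record authorization check and shows the lookup without and with that check, plus VIN input validation and an audit entry for each denied request so such probing is visible to the defender. All VINs, dealer ids and user names are constructed placeholders.

```python
"""Added example: per-record authorization on a dealer-portal VIN lookup.

Everything here is constructed for illustration; the real portal internals
are not described in the article. The assumed defect is an endpoint that
checks only that the caller is logged in, not that the caller's dealership
owns the record being requested.
"""
import re
from dataclasses import dataclass, field

# ISO 3779 VINs are 17 characters and never contain I, O or Q.
VIN_PATTERN = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")

# Constructed sample inventory: VIN -> owning dealer and sale documents.
# "ZZZEXAMPLE..." is a placeholder, not a real manufacturer code.
SALES_RECORDS = {
    "ZZZEXAMPLE0000001": {"dealer_id": "dealer-A", "documents": ["contract-0001.pdf"]},
    "ZZZEXAMPLE0000002": {"dealer_id": "dealer-B", "documents": ["contract-0002.pdf"]},
}


@dataclass(frozen=True)
class Session:
    """Authenticated portal session (hypothetical shape)."""
    user: str
    dealer_id: str
    roles: frozenset = frozenset()


@dataclass
class AuditLog:
    """Collects denied lookups; in production this would go to a SIEM."""
    entries: list = field(default_factory=list)

    def denied(self, session: Session, vin: str, reason: str) -> None:
        self.entries.append(
            f"DENIED user={session.user} dealer={session.dealer_id} vin={vin} reason={reason}"
        )


AUDIT = AuditLog()


def lookup_documents_vulnerable(session: Session, vin: str):
    """Broken object-level authorization: the session proves the caller is
    *a* dealer user, but nothing ties the requested VIN to that dealer, so
    any logged-in user can read any car's sale documents."""
    record = SALES_RECORDS.get(vin)
    return list(record["documents"]) if record else None


def lookup_documents_hardened(session: Session, vin: str, audit: AuditLog = AUDIT):
    """Same lookup with the missing controls added."""
    # 1. Reject malformed input before it reaches the data layer.
    if not VIN_PATTERN.fullmatch(vin):
        audit.denied(session, vin, "malformed-vin")
        return None
    record = SALES_RECORDS.get(vin)
    if record is None:
        return None
    # 2. Per-record authorization: the record must belong to the caller's
    #    dealership, unless the caller holds an explicit cross-dealer role.
    if record["dealer_id"] != session.dealer_id and "compliance_auditor" not in session.roles:
        audit.denied(session, vin, "not-owner")
        # Same response as "not found" so the caller cannot enumerate VINs.
        return None
    return list(record["documents"])


if __name__ == "__main__":
    alice = Session("alice", "dealer-A")
    print(lookup_documents_vulnerable(alice, "ZZZEXAMPLE0000002"))  # other dealer's data leaks
    print(lookup_documents_hardened(alice, "ZZZEXAMPLE0000002"))    # None
    print(AUDIT.entries)
```

The hardened path returns the same "not found" result for a foreign VIN as for a non-existent one; the distinction is preserved only in the audit log, where a burst of `reason=not-owner` entries from one session is the detection signal for enumeration of the kind the article describes.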
With Kia, the researchers achieved a full takeover of cars through an outdated dealer portal.
At Porsche, a vulnerability made it possible to obtain a car's location, send commands to the car and retrieve customer information.
The researchers also showed how some of the flaws could be used to access the Reviver license plate service and set the status of any vehicle to "stolen", which updates the license plate and notifies law enforcement.
If the manufacturers and service providers are to be believed, every vulnerability the researchers found has been fixed, but the alarm bell is loud, and we will probably yet see a real rise of the machines.