Tweet
While visiting the University of Maryland, they noticed e-scooters all over the place. So they decided to check out the scooters' app. "To our surprise, our actions caused all the scooters' horns and headlights to turn on for 15 minutes," Curry explained.
When everything settled down again and the students were able to continue sleeping, the safety researchers sent a report to the e-scooter manufacturer. "We thought about it for a while and then realised that almost every car made in the last five years has an almost identical feature," Curry said.
If an attacker were able to find vulnerabilities in the API endpoints used by vehicle telemetry systems, they could honk the horn, flash the lights, lock and unlock the vehicles or start and stop them - all remotely. It would also be possible to track the vehicles.
The security researchers started a chat group and set to work to find corresponding vulnerabilities - and found what they were looking for. They found extensive and far-reaching security vulnerabilities in many well-known manufacturers, including Mercedes-Benz, BMW, Porsche, Jaguar, Ford, Hyundai, Honda, Kia and Ferrari.
With fuzzing and trial and error, the security researchers discovered API endpoints from BMW. A first vulnerability allowed them to query all BMW user accounts by sending an asterisk in the user field to the API endpoint. Another vulnerability allowed them to query the TOTP codes for two-factor authentication (2FA) via the API.
They then tested the password reset function with a sample account. When asked for the 2FA code, they used the previously used vulnerability and provided the TOTP code thus obtained. This actually worked: they were able to reset the sample account and any other accounts of BMW employees or partners - and thus take them over.
To demonstrate the impact of the vulnerability, the security researchers searched for BMW's dealer portal, which is used by BMW and Rolls-Royce dealers. "After logging in, we found that the demo account we had taken over was connected to a real dealer and we could access all the functions that the dealers themselves had access to," Curry wrote. Among them, for example, were vehicle sales records.
"With our access rights, we could have used a variety of functions for BMW and Rolls-Royce customer accounts and customer vehicles. We stopped testing at that point and reported the vulnerability," the security researcher explained. But these were by no means all the security vulnerabilities that the researchers were able to discover. In the case of Kia, they were even able to lock, unlock or start and stop the cars.
The researchers also looked for errors in the SSO service at Mercedes-Benz, but could not find any at first. Then they discovered a website that the car manufacturer had set up for car workshops. This offered the possibility to register as a user. So the security researchers filled out the relevant forms and clicked their way to an account. With this account, they then tried to log in to services that were obviously intended for employees of the car manufacturer.
In fact, they were able to log into git.mercedes-benz.com, the Github of Mercedes Benz, with the access data. After logging in, they were asked to set up two-factor authentication (2FA), which the security researchers promptly did. Then they started looking around the platform.
"After a few minutes, we saw that the Github instance contained internal documentation and source code for various Mercedes-Benz projects, including the Mercedes Me Connect app, which allows customers to connect to their vehicles remotely," Curry wrote. Already at this point, the security researchers reported the vulnerability, but only received a response by email after several days. However, Mercedes-Benz did not understand the impact of the vulnerability and asked the researchers to demonstrate it.
The security researchers used the employee account to log in to numerous services and view sensitive data. They even succeeded in remote code execution (RCE) via spring boot actuators. In addition, they were able to join almost every channel of the internal communication service Mattermost, including the channels that were about security. There, a real attacker could have asked questions, for example, to further extend his privileges in the Mercedes-Benz infrastructure.
The security researchers also analysed a website where Kia dealers could activate Kia Connect for vehicle buyers. On the website, they were able to bypass the authorisation check for the vehicle number. Combined with a session token from the owners.kia.com website, which customers use to connect to their vehicles remotely, the security researchers were able to link a vehicle number to a customer account.
They then received a link by email that completed the pairing process via the supposed dealer through an activation portal. Here, the security researchers still had to fill out a form and wait one to two minutes until Kia Connect was fully initialised. Now they had full access and could send commands such as lock, unlock, remote start or remote stop to the Kia vehicle. Access to the vehicle's cameras was also possible, as well as tracking and remote access, which Curry describes as "particularly interesting".
In the case of Porsche, it was possible to retrieve the location of the vehicle and customer information as well as send commands to the vehicle via vulnerabilities in the telemetry service. However, the security researchers did not publish any detailed information on this.
At Ferrari, they were able to take over every customer account. This also included accounts of administrators for employees in the back office as well as accounts with which Ferrari's websites can be changed, created or deleted via the CMS system. The researchers also found security vulnerabilities at several other car manufacturers, a producer of digital car licence plates and the telecommunications provider AT&T.