Security researchers hack several car manufacturers


    Using the API endpoints of the telemetry systems of several car manufacturers, security researcher Sam Curry and his friends have managed to take over and control functions in cars. They came up with the idea for the hacks on a trip to a cyber security conference last autumn.

    While visiting the University of Maryland, they noticed e-scooters all over the place. So they decided to check out the scooters' app. "To our surprise, our actions caused all the scooters' horns and headlights to turn on for 15 minutes," Curry explained.

    When everything settled down again and the students were able to continue sleeping, the security researchers sent a report to the e-scooter manufacturer. "We thought about it for a while and then realised that almost every car made in the last five years has an almost identical feature," Curry said.

    If an attacker were able to find vulnerabilities in the API endpoints used by vehicle telemetry systems, they could honk the horn, flash the lights, lock and unlock the vehicles or start and stop them - all remotely. It would also be possible to track the vehicles.

    The security researchers started a chat group and set to work to find corresponding vulnerabilities - and found what they were looking for. They found extensive and far-reaching security vulnerabilities at many well-known manufacturers, including Mercedes-Benz, BMW, Porsche, Jaguar, Ford, Hyundai, Honda, Kia and Ferrari.

    With fuzzing and trial and error, the security researchers discovered API endpoints from BMW. A first vulnerability allowed them to query all BMW user accounts by sending an asterisk in the user field to the API endpoint. Another vulnerability allowed them to query the TOTP codes for two-factor authentication (2FA) via the API.

    They then tested the password reset function with a sample account. When asked for the 2FA code, they used the previously discovered vulnerability and provided the TOTP code thus obtained. This actually worked: they were able to reset the sample account and any other accounts of BMW employees or partners - and thus take them over.
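The two flaws described above, contrasted with a hardened form, as an added example that is not code from the researchers or from BMW. The account names, secrets and function names are constructed for illustration; only the TOTP routine follows a public standard (RFC 6238).

```python
import fnmatch
import hashlib
import hmac
import struct

# Constructed sample directory (user -> TOTP secret); not real accounts.
USERS = {
    "alice@dealer.example": b"constructed-secret-a",
    "bob@dealer.example": b"constructed-secret-b",
    "demo@dealer.example": b"12345678901234567890",  # RFC 6238 test secret
}
WILDCARDS = set("*?[]%")

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def lookup_vulnerable(user_field):
    """Treats caller input as a pattern, so '*' lists every account."""
    return sorted(u for u in USERS if fnmatch.fnmatchcase(u, user_field))

def lookup_hardened(user_field):
    """Exact match only; wildcard metacharacters are rejected outright."""
    if WILDCARDS & set(user_field):
        return []
    return [user_field] if user_field in USERS else []

def totp_endpoint_vulnerable(user, now):
    """Hands the current code to the API caller, which voids the second factor."""
    return totp(USERS[user], now)

def verify_reset_hardened(user_field, submitted_code, now):
    """Compares server-side in constant time; the code never leaves the server."""
    if not lookup_hardened(user_field):
        return False
    expected = totp(USERS[user_field], now).encode()
    return hmac.compare_digest(expected, submitted_code.encode())

if __name__ == "__main__":
    print(lookup_vulnerable("*"))   # all three constructed accounts
    print(lookup_hardened("*"))     # []
    print(verify_reset_hardened("demo@dealer.example", "000000", 59))
```

The hardened path has no function that returns a code at all: a second factor only holds if the server is the sole party able to compute it.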

    To demonstrate the impact of the vulnerability, the security researchers searched for BMW's dealer portal, which is used by BMW and Rolls-Royce dealers. "After logging in, we found that the demo account we had taken over was connected to a real dealer and we could access all the functions that the dealers themselves had access to," Curry wrote. Among them, for example, were vehicle sales records.

    "With our access rights, we could have used a variety of functions for BMW and Rolls-Royce customer accounts and customer vehicles. We stopped testing at that point and reported the vulnerability," the security researcher explained. But these were by no means all the security vulnerabilities that the researchers were able to discover. In the case of Kia, they were even able to lock, unlock or start and stop the cars.

    The researchers also looked for errors in the SSO service at Mercedes-Benz, but could not find any at first. Then they discovered a website that the car manufacturer had set up for car workshops. This offered the possibility to register as a user. So the security researchers filled out the relevant forms and clicked their way to an account. With this account, they then tried to log in to services that were obviously intended for employees of the car manufacturer.

    In fact, they were able to log into Mercedes-Benz's GitHub with these credentials. After logging in, they were asked to set up two-factor authentication (2FA), which the security researchers promptly did. Then they started looking around the platform.

    "After a few minutes, we saw that the GitHub instance contained internal documentation and source code for various Mercedes-Benz projects, including the Mercedes Me Connect app, which allows customers to connect to their vehicles remotely," Curry wrote. The security researchers reported the vulnerability at this point, but only received a response by email after several days. However, Mercedes-Benz did not understand the impact of the vulnerability and asked the researchers to demonstrate it.

    The security researchers used the employee account to log in to numerous services and view sensitive data. They even achieved remote code execution (RCE) via Spring Boot actuators. In addition, they were able to join almost every channel of the internal communication service Mattermost, including the channels that were about security. There, a real attacker could have asked questions, for example, to further extend his privileges in the Mercedes-Benz infrastructure.

    The security researchers also analysed a website where Kia dealers could activate Kia Connect for vehicle buyers. On the website, they were able to bypass the authorisation check for the vehicle number. Combined with a session token from the website, which customers use to connect to their vehicles remotely, the security researchers were able to link a vehicle number to a customer account.

    They then received a link by email that completed the pairing process via the supposed dealer through an activation portal. Here, the security researchers still had to fill out a form and wait one to two minutes until Kia Connect was fully initialised. Now they had full access and could send commands such as lock, unlock, remote start or remote stop to the Kia vehicle. Access to the vehicle's cameras was also possible, as well as tracking and remote access, which Curry describes as "particularly interesting".

    In the case of Porsche, it was possible to retrieve the location of the vehicle and customer information as well as send commands to the vehicle via vulnerabilities in the telemetry service. However, the security researchers did not publish any detailed information on this.

    At Ferrari, they were able to take over every customer account. This also included accounts of administrators for employees in the back office as well as accounts with which Ferrari's websites can be changed, created or deleted via the CMS system. The researchers also found security vulnerabilities at several other car manufacturers, a producer of digital car licence plates and the telecommunications provider AT&T.