
Severe API Security Flaws Affect Millions of Vehicles from 16 Car Manufacturers, Including BMW, Mercedes and Toyota

Hackers could remotely control, track, and transfer vehicles and leak personal information from over a dozen car manufacturers, including Mercedes-Benz, Ferrari, Porsche and Toyota, by leveraging new API security flaws.

According to security researcher Sam Curry and his collaborators, the API vulnerabilities they discovered in vehicle telematics services would let an attacker remotely honk, flash the lights, track, lock or unlock, and start or stop vehicles. Beyond the vehicles themselves, they could compromise millions of car manufacturer and dealer accounts, gain administrative access to internal systems, take over fleets, and access customer and employee information.

The researchers discovered at least 20 API security vulnerabilities on various car models from 16 manufacturers.

Severe API security flaws in luxurious car manufacturers

The researchers discovered severe API security flaws in Ferrari, BMW, Rolls Royce, Porsche, and Mercedes-Benz, exposing internal systems to various attacks.

For example, improperly configured SSO (Single Sign-On) at Mercedes-Benz gave attackers access to internal applications. The SSO weaknesses could let them reach Mercedes-Benz’s GitHub repositories, build servers such as SonarQube and Jenkins, internal chat tools (where they could join almost any channel), and the internal cloud deployment services used to manage AWS instances.

Additionally, they could achieve remote code execution (RCE) on numerous systems and trigger memory leaks that exposed employee and customer information and enabled account takeover. SSO vulnerabilities at BMW and Rolls Royce could likewise let attackers access any application as an employee, including applications used by remote workers and dealerships. For example, they could log in to internal dealer portals, query any VIN, and retrieve BMW’s sales documents.

Other API security flaws at Ferrari could let an attacker take over any Ferrari customer account and access customer records. Bypassing access controls on Ferrari’s APIs also made it possible to create, modify, and delete back-office administrator accounts for employees. Additionally, an attacker could add HTTP routes on Ferrari’s API host (api.ferrari.com) and enumerate all existing REST connectors along with the secrets (authorization headers) associated with them.

Hackers could also obtain any Porsche vehicle’s location, send control commands, and access customer information.

They could also gain privileged access to Spireon’s administration panel, send arbitrary commands to 15.5 million devices (mostly vehicles), and compromise 1.2 million user accounts. Additionally, attackers could access and manage all data, take over and control any Spireon fleet, including ambulances and law enforcement vehicles, read any device’s location, and flash or update device firmware.

“Since these devices were very ubiquitous and were installed on things like tractors, golf carts, police cars, and ambulances, the impact of each device differed,” Curry wrote. “For some, we could only access the live GPS location of the device, but for others, we could disable the starter and send police and ambulance dispatch locations.”

A remote attacker could access the name, phone number, physical address, vehicle information, and password hash of customers of Jaguar, Land Rover, and others, and overwrite customers’ digital license plates on Reviver-equipped vehicles.

Regular cars are also vulnerable to API attacks

The researchers also found that Honda, Infiniti, Nissan, Acura, and other mainstream vehicles had API security flaws that could let an attacker remotely lock, unlock, start or stop the engine, precisely locate, flash the headlights, and honk a vehicle using only its VIN.

Using the VIN, attackers could also take over accounts remotely, disclose PII (name, phone number, email address, physical address), prevent owners from remotely managing their vehicles, and change the registered ownership of vehicles from these brands.
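The common defect behind the VIN-only attacks above is an endpoint that treats knowledge of a VIN as authorization. The following is an added illustration, not code from the researchers or any manufacturer: a vulnerable dispatcher beside a hardened one that binds the VIN to the authenticated account, validates VIN format, and returns the same denial for unknown and foreign VINs so the endpoint cannot confirm which VINs are enrolled. VINs, account names and command names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: placeholder VINs (17 chars, valid VIN alphabet) -> owner account.
VIN_A = "WXYZ" + "0" * 12 + "1"
VIN_B = "WXYZ" + "0" * 12 + "2"
OWNERSHIP = {VIN_A: "alice", VIN_B: "bob"}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "locate", "honk"}
VIN_CHARS = set("ABCDEFGHJKLMNPRSTUVWXYZ0123456789")  # real VINs never use I, O or Q


@dataclass
class Request:
    user: Optional[str]  # authenticated account, None when the caller is unauthenticated
    vin: str
    command: str


@dataclass
class Audit:
    denied: List[str] = field(default_factory=list)  # what a SOC would want to alert on


def valid_vin(vin: str) -> bool:
    return len(vin) == 17 and all(c in VIN_CHARS for c in vin.upper())


def vulnerable_dispatch(req: Request) -> str:
    """Authorizes by VIN alone: anyone who knows a VIN can command the vehicle."""
    if req.command not in ALLOWED_COMMANDS:
        return "rejected: unknown command"
    return f"sent {req.command} to {req.vin}"


def hardened_dispatch(req: Request, audit: Audit) -> str:
    """Requires an authenticated caller and checks that the VIN belongs to that caller."""
    if req.user is None:
        audit.denied.append(f"unauthenticated {req.command} on {req.vin}")
        return "rejected: authentication required"
    if req.command not in ALLOWED_COMMANDS or not valid_vin(req.vin):
        return "rejected: malformed request"
    # One response for both "VIN not enrolled" and "VIN owned by someone else",
    # so the endpoint is not an oracle for enumerating enrolled vehicles.
    if OWNERSHIP.get(req.vin.upper()) != req.user:
        audit.denied.append(f"{req.user} tried {req.command} on {req.vin}")
        return "rejected: not authorized for this vehicle"
    return f"sent {req.command} to {req.vin}"
```

Repeated entries in `audit.denied` from one account across many VINs are the signal that a VIN-enumeration attempt is under way.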

According to the researchers, an attacker could also remotely access Kia’s 360-degree camera and view live images from the car.

The researchers attributed the widespread API security flaws to various car manufacturers using systems with nearly identical functionality in the last five years. This discovery suggests that car manufacturers rushed to implement applications to secure a spot in the smart car industry.

According to Jason Kent, Hacker in Residence at Cequence Security, car manufacturers are hardly testing their applications.

“These automotive manufacturers obviously aren’t testing their APIs. The question as to why is simple: there aren’t great tools out there, and it mostly has to be done manually. As the researcher showed, however, just a little bit of manual effort pays off.”

Likely, multiple car manufacturers also depend on a handful of third-party software vendors instead of developing in-house solutions.

The affected car manufacturers have since patched the API security flaws, so they are no longer exploitable. Unfortunately, this is unlikely to be the last time we hear about smart car API vulnerabilities affecting multiple automakers.

“It’s well past time for the automotive industry to embrace a defense-in-depth cybersecurity strategy,” said Ted Miracco, CEO at Approov. “Many recent breaches have been enabled by a single point of failure, such as exploiting user credentials or API keys to unlock cars.”

According to Miracco, zero-trust systems could verify the user, device, or application attempting to gain entry, start an engine, or make a payment.