Security researchers have discovered a number of API vulnerabilities in cars from a wide range of manufacturers that would allow bad actors to access and control several vehicle functions.
With manufacturer APIs varying in what bad actors would be able to achieve, cars from Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota were all impacted.
Software from Reviver, SiriusXM and Spireon, which are commonly found in modern cars, also contained security vulnerabilities.
The bugs were discovered by a team of seven security researchers led by Sam Curry, staff security engineer at Yuga Labs.
Cars from Acura, Honda, Nissan, Genesis, Hyundai, Kia and Porsche could be commanded using no more than the car’s vehicle identification number (VIN), allowing hackers to remotely start the engine, honk the horn, unlock the doors, flash the headlights and more.
In addition, Acura, Honda, Kia, Infiniti and Nissan vehicles could also have their precise location retrieved.
Researchers also found they could access and lock users out of remote vehicle management, and change the vehicle’s ownership.
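The flaw the article describes for these brands is an authorization gap: the remote-command API treated the VIN, a value printed on the windshield and visible in listings, as if it were a secret. The following is an added illustration, not code from any manufacturer or from Curry’s report, showing that weak pattern beside a hardened handler that ties every command to an authenticated owner and records denials for detection. All VINs, tokens and accounts are constructed sample data.

```python
"""Added illustration (not code from any manufacturer or from Curry's report):
a toy telematics command endpoint with the VIN-only pattern the article
describes next to a hardened version. All sample data is constructed."""

from dataclasses import dataclass, field

# Constructed sample data: registered owner per VIN, and active sessions.
OWNERSHIP = {
    "1HGCM82633A004352": "alice@example.com",
    "5YJSA1E26JF000001": "bob@example.com",
}
SESSIONS = {
    "tok-alice": "alice@example.com",
    "tok-bob": "bob@example.com",
}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "horn", "locate"}


@dataclass
class CommandResult:
    accepted: bool
    reason: str


@dataclass
class Telematics:
    # Every decision is recorded so a defender can spot cross-account attempts.
    audit_log: list = field(default_factory=list)

    def command_vin_only(self, vin: str, command: str) -> CommandResult:
        """Weak pattern: the VIN is the only thing checked, so anyone who
        can read a VIN off a windshield can drive the remote functions."""
        if vin not in OWNERSHIP or command not in ALLOWED_COMMANDS:
            return CommandResult(False, "unknown vin or command")
        self.audit_log.append(("vin-only", vin, command, "accepted"))
        return CommandResult(True, "accepted on VIN alone")

    def command_authorized(self, token: str, vin: str, command: str) -> CommandResult:
        """Hardened pattern: authenticate the caller, then require that the
        authenticated identity is the registered owner of that VIN (an
        object-level authorization check), and log every denial."""
        user = SESSIONS.get(token)
        if user is None:
            self.audit_log.append(("authz", vin, command, "denied: bad session"))
            return CommandResult(False, "authentication required")
        if command not in ALLOWED_COMMANDS:
            self.audit_log.append(("authz", vin, command, f"denied: unknown command by {user}"))
            return CommandResult(False, "unknown command")
        if OWNERSHIP.get(vin) != user:
            # Same reply as for an unknown VIN so the API does not confirm which VINs exist.
            self.audit_log.append(("authz", vin, command, f"denied: {user} is not owner"))
            return CommandResult(False, "vehicle not found")
        self.audit_log.append(("authz", vin, command, f"accepted for {user}"))
        return CommandResult(True, f"accepted for {user}")

    def cross_account_denials(self) -> list:
        """Detection helper: audit entries where an authenticated user was
        refused because they targeted a VIN they do not own."""
        return [e for e in self.audit_log if "is not owner" in e[3]]


if __name__ == "__main__":
    svc = Telematics()
    print(svc.command_vin_only("1HGCM82633A004352", "unlock"))
    print(svc.command_authorized("tok-bob", "1HGCM82633A004352", "unlock"))
    print(svc.command_authorized("tok-alice", "1HGCM82633A004352", "unlock"))
    print(svc.cross_account_denials())
```

The hardened handler returns the same "vehicle not found" reply whether the VIN is unregistered or belongs to someone else, so the endpoint cannot be used to confirm which VINs are enrolled, and the ownership denials it logs are the signal a SOC would alert on.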
Additional security issues came from other vehicle brands, such as Mercedes, BMW and Rolls-Royce, all of which had vulnerabilities with single sign-on (SSO) that would allow hackers not only to access customer data, but also to access “any employee application as any employee,” according to Curry.
“At this point, it was possible to completely take over any BMW or Rolls-Royce employee account and access tools used by those employees.”
Arguably, the most concerning of the vulnerabilities were the ones found with Spireon, a company that provides GPS vehicle tracking solutions, which are often found in law enforcement and police vehicles, as well as ambulances, golf carts and tractors.
Spireon provides solutions for 15.5 million devices (mostly vehicles), and has a database of 1.2 million user accounts, covering fleet managers, end users and more.
Curry and his team discovered that vulnerabilities with the software allowed them to gain full administrative access and then track and send commands to entire fleets of vehicles, such as dispatch locations.
“[The takeover] would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” he said.
Curry and his team have since notified the affected car and software manufacturers, which have released patches to correct the issues.
Curry’s full report and list of each manufacturer and its vulnerabilities can be found here.
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
Hackers able to remotely hijack cars from 16 manufacturers
Last Updated: 10 January 2023
Published: 11 January 2023