The vulnerabilities could let attackers remotely track, stop or control a car — even an entire fleet of emergency vehicles. Another could give hackers access to some 15.5 million automobiles, allowing them to send commands to control braking systems.
In total, a group of ethical car hackers discovered at least 20 vulnerabilities within the application programming interfaces, or APIs, that automakers rely on so technology inside cars can interact. The vulnerabilities affected Ford, Toyota, Mercedes, BMW, Porsche, Ferrari and others.
“We would find a vulnerability on one car company and then we would report it, then we would switch to a different car company and it’d be the exact same thing,” said Sam Curry, a security researcher who detailed the findings in a blog posted this week.
The findings underscore the security risks for consumers and automakers alike as car manufacturers continue to increase the amount of software in vehicles and provide owners with apps to connect with their cars. They also show that while automakers have done more to focus on cybersecurity, much remains to be done.
“The automotive industry is facing a lot of challenges in this area,” said Ted Miracco, CEO of security firm Approov, which provides mobile cybersecurity services to car companies. “I think that there was a rush to get a lot of applications out with a lot of functionality very quickly and some of the rush to do these things is coming back to haunt a number of the manufacturers.”
One significant issue is that some automakers are relying on third-party API software instead of building the technology in-house, he said. “A lot of it comes down to APIs: everything wants to connect with everything else. So there’s been a proliferation of API interfaces and a single mobile app can have dozens of API calls.”
Software vulnerabilities inside cars have been a long-standing concern. In one of the most high-profile examples of how hackers could potentially exploit a vehicle vulnerability, cybersecurity journalist Andy Greenberg demonstrated in 2015 that hackers could manipulate a Jeep Cherokee as he was driving.
But while hackers taking over a car while someone is driving it is a made-for-movie moment, vulnerabilities in GPS systems, motion sensors, keyless systems, and operating systems are becoming more of a privacy and security concern, say experts. What’s more, the software flaws could lead to vehicle theft. Some of the vulnerabilities that Curry and the other researchers discovered would allow a hacker to change the ownership status of the car.
As Curry and his fellow researchers dug in, they were particularly surprised at how much information and impact they could have with vehicle identification numbers. “VIN numbers are super public, you can walk up to a car to get a VIN number,” Curry said. “But with a lot of these APIs, if you have the VIN number it would just return the full name of the person or the battery level of the vehicle and you can just add it to your account.”
The researchers were able to use a VIN number not only to take complete control of an owner’s vehicle account, which included a significant amount of private information, but also to remotely lock and unlock vehicles, stop engines and locate vehicles for Kia, Honda, Infiniti, Nissan and Acura.
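As an added illustration (not code from the researchers or any automaker), the Python below contrasts a lookup that trusts the VIN alone with one that checks the logged-in user against the vehicle's owner, and requires proof beyond the VIN before ownership changes. The record layout, function names, placeholder VIN and pairing-code mechanism are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass

class Forbidden(Exception):
    pass

@dataclass
class Vehicle:
    vin: str
    owner_id: str
    owner_name: str
    battery_pct: int

# Constructed records; the VIN is a placeholder, not a real vehicle.
VEHICLES = {"TESTVIN0000000001": Vehicle("TESTVIN0000000001", "u-alice", "Alice Example", 81)}
# One-time pairing codes issued through a channel only the owner can reach
# (assumed here: shown on the car's own display).
PAIRING_CODES = {"TESTVIN0000000001": "493027"}

def lookup_by_vin_only(vin):
    """Weak pattern: a public identifier is treated as if it were a credential."""
    v = VEHICLES[vin]
    return {"owner": v.owner_name, "battery_pct": v.battery_pct}

def lookup(session_user_id, vin):
    """Checked pattern: the caller's server-side session must own the VIN."""
    v = VEHICLES.get(vin)
    # Same error for "unknown VIN" and "someone else's VIN", so the API
    # does not confirm which VINs are registered.
    if v is None or v.owner_id != session_user_id:
        raise Forbidden("not authorized for this vehicle")
    return {"owner": v.owner_name, "battery_pct": v.battery_pct}

def claim_vehicle(session_user_id, vin, pairing_code):
    """Ownership changes only with proof beyond the VIN itself."""
    expected = PAIRING_CODES.pop(vin, None)  # a code is spent after one attempt
    if vin not in VEHICLES or expected is None or not hmac.compare_digest(
            expected.encode(), pairing_code.encode()):
        raise Forbidden("claim rejected")
    VEHICLES[vin].owner_id = session_user_id

if __name__ == "__main__":
    vin = "TESTVIN0000000001"
    print(lookup_by_vin_only(vin))  # anyone who read the VIN gets owner data
    for user in ("u-mallory", "u-alice"):
        try:
            print(user, lookup(user, vin))
        except Forbidden as exc:
            print(user, "->", exc)
```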
They also were able to achieve “full super administrative access to manage all user accounts and vehicles” for any vehicle connected to digital license plate company Reviver. The vulnerability let the researchers track the physical location of a vehicle through GPS and mark it stolen on the license plate.
In a statement, Reviver said they did not find any evidence that the vulnerability was exploited and “took further measures to prevent this from occurring in the future.”
Financial information could also be found. “Each one of these companies has a portal for credit loans,” Curry said. “So there’s a ton of info like your name, your address, your billing information.”
Curry said that the vast majority of the companies were happy to discuss the vulnerability and overall had positive interactions, but noted that most did not have any form of bug bounty program for the researchers to report their findings. That said, all the flaws that Curry and team reported have been patched.