Your car may be squealing, even when you're not peeling out.
Automotive vulnerabilities discovered.
Over the course of 2022, a security research team led by Sam Curry found vulnerabilities affecting vehicles from sixteen leading car manufacturers. The car manufacturers have since released patches for the flaws, and Curry’s team earlier this week published an extensive writeup on the vulnerabilities.
Flaws affected sixteen car manufacturers.
The type and severity of the vulnerabilities varied by model. In some cases, an attacker could unlock the car, start the engine, report the vehicle as stolen, or track the car’s location.
The affected vehicles included models manufactured by Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, and Toyota.
In addition to vulnerabilities affecting individual cars, the researchers discovered API vulnerabilities that could grant an attacker access to sensitive company accounts. BleepingComputer notes that BMW and Mercedes-Benz could have been “affected by company-wide SSO (single-sign-on) vulnerabilities that [might have] enabled attackers to access internal systems.”
Industry comment.
Jason Kent, Hacker in Residence at Cequence Security, offers thoughts on how these vulnerabilities came about:
“These automotive manufacturers obviously aren’t testing their APIs. The question as to why is simple: there aren’t great tools out there and it mostly has to be done manually. As the researcher showed, however, just a little bit of manual effort pays off.
“Flaws that live in the OWASP Top 10 are easily found and exploited. After the initial foray of testing for the OWASP API Security Top Ten, then some Business Logic testing, the investigation revealed additional flaws. But in each of the cases here the researcher used simple tools and techniques to find and create points of compromise on these flaws.
“The researcher suggests car owners should take responsibility by limiting their input of personally identifiable information (PII), using the highest privacy settings on telematics and implementing two-factor authentication (2FA), but it shouldn’t come to this. Automotive manufacturers have to assume responsibility and securely configure and regularly test their APIs by looking from the outside in as an attacker would.
“API Security is the number one attack vector for a reason. There is very little that is done to test for these types of problems, which is why researchers are able to exploit simple flaws and blow the whistle on enterprises that have billions of dollars at their disposal and build solutions the general public has learned to trust.”