A hot potato: Security researchers discovered severe vulnerabilities last fall that would let hackers steal vehicles and customer data from multiple manufacturers. In a new update, one of the researchers writes that the vulnerabilities are more wide-reaching and can even affect law enforcement and emergency services vehicles.
Multiple vulnerabilities could have let attackers remotely track and control police vehicles, ambulances, and consumer vehicles from various manufacturers, according to researcher Sam Curry’s latest report. The update follows a similar notice from November.
The weak point for the emergency services rigs is the website for the company controlling the GPS and Telematics for over 15 million devices, most of them vehicles –Spireon Systems. The researchers described Spireon’s website as outdated and could log into it with an administrator account with some ingenuity.
From there, they could remotely track and control fleets of police vehicles, ambulances, and business vehicles. Attackers could unlock the cars, start their engines, disable their ignition switches, dispatch navigation commands to entire fleets, and control firmware updates to potentially deliver malware.
Last year, Curry said that SiriusXM’s remote systems vulnerabilities could let hackers steal Acura, Honda, Infiniti, and Nissan vehicles using only each car’s Vehicle Identification Number. They could also access customers’ personal information. The new report reveals similar dangers with Kia, Hyundai, and Genesis models.
Furthermore, misconfigured single sign-on systems let the researchers access BMW, Mercedes Benz, and Rolls Royce internal corporate systems. The flaws didn’t grant direct vehicle access. Still, attackers could have breached internal communications at Mercedes Benz, accessed BMW dealership information, and hijacked any BMW or Rolls Royce employee account. Security holes at Ferrari’s websites also let researchers access administrative privileges and delete all customer information.
The researchers also found that most, if not all, California digital license plates were vulnerable to attackers. After the state legalized digital plates last year, a company called Reviver handled possibly all of them, and security faults emerged in Reviver’s internal systems. Digital license plate holders can use Reviver to update their plates and report them as stolen remotely. However, vulnerabilities allowed attackers to give ordinary Reviver accounts elevated privileges that could track, change, and delete any registrationo in the system.
Curry’s latest blog post extensively details the methodology behind these and other hacks for those interested in the nitty gritty. His team reported the vulnerabilities to the affected companies before disclosure. At least some of them confirmed issuing security patches.