A brief history of software vulnerabilities in vehicles (Update 2023)
Updated in 2023:
- 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
  - Kia, Honda, Infiniti, Nissan, Acura
    - Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
    - Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
    - Ability to lock users out of remotely managing their vehicle, change ownership
    - For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car
  - Mercedes-Benz
    - Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
      - Multiple Github instances behind SSO
      - Company-wide internal chat tool, ability to join nearly any channel
      - SonarQube, Jenkins, misc. build servers
      - Internal cloud deployment services for managing AWS instances
      - Internal Vehicle related APIs
    - Remote Code Execution on multiple systems
    - Memory leaks leading to employee/customer PII disclosure, account access
  - Hyundai, Genesis
    - Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
    - Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
    - Ability to lock users out of remotely managing their vehicle, change ownership
  - BMW, Rolls Royce
    - Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee, allowed us to…
      - Access to internal dealer portals where you can query any VIN number to retrieve sales documents for BMW
      - Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships
  - Ferrari
    - Full zero-interaction account takeover for any Ferrari customer account
    - IDOR to access all Ferrari customer records
    - Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
    - Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
  - Spireon
    - Multiple vulnerabilities, including:
      - Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
      - Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
      - Ability to fully take over any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
      - Full administrative access to all Spireon products, […]
      - In total, there were…
        - 15.5 million devices (mostly vehicles)
        - 1.2 million user accounts (end user accounts, fleet managers, etc.)
  - Ford
    - Full memory disclosure on production vehicle Telematics API discloses
      - Discloses customer PII and access tokens for tracking and executing commands on vehicles
      - Discloses configuration credentials used for internal services related to Telematics
      - Ability to authenticate into customer account and access all PII and perform actions against vehicles
    - Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
  - Reviver
    - Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
      - Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
      - Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
      - Access all user records, including what vehicles people owned, their physical address, phone number, and email address
      - Access the fleet management functionality for any company, locate and manage all vehicles in a fleet
  - Porsche
    - Ability to retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
  - Toyota
    - IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota financial customers
  - Jaguar, Land Rover
    - User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information
  - SiriusXM
    - Leaked AWS keys with full organizational read/write S3 access, ability to retrieve all files including (what appeared to be) user databases, source code, and config files for Sirius
Car Hacking News Timeline 2017-2019 [1]
- 2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
- 2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
- 2019: A malware infection caused significant production disruption at a car parts manufacturer
- 2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
- 2019: Malware infected the back end, making laptops installed in police cars unusable
- 2018: An ex-employee breached the company network and downloaded large volumes of personal information
- 2018: Cloud servers hacked and used for cryptomining
- 2018: Researchers exploited vulnerabilities of some infotainment systems and gained control of microphones, speakers, and navigation systems
- 2018: Security issues discovered in 13 car-sharing apps
- 2018: Researchers demonstrated >10 vulnerabilities in various car models, gaining local and remote access to infotainment, telematics, and CAN buses
- 2018: EV home chargers could be controlled by accessing the home Wi-Fi network
- 2017: Rental car companies exposed personal data
- 2017: Ransomware caused the stop of production across several plants
Car Hacking News Timeline 2002-2015 [2]
- 2015: Researchers remotely sent commands to the CAN bus of a specific car that had an OBD2 dongle installed to control the car’s windshield wipers and brakes
- 2015: Researchers demonstrated vulnerabilities within the back end, gaining access to door control
- 2015: “Hackers remotely kill a Jeep on the highway – with me in it” – Wired
- 2015: “Markey, Blumenthal To Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and “Cyber Dashboard”” – Senator Edward Markey
- 2015: “Markey Report Reveals Automobile Security and Privacy Vulnerabilities” – Senator Edward Markey
- 2015: “Hackers Can Take Control of Cars From 3,000 Miles Away” – NBC 4 New York
- 2014: “A Survey of Remote Automotive Attack Surfaces” – IOActive
- 2014: “Auto Alliance Initiates New CyberSecurity Forum” – Auto Industry Alliance
- 2014: “Most Hackable Cars” – CNN Money
- 2014: “How to Hack a Car” – Vice
- 2014: “The Robot Car of Tomorrow May Just Be Programmed to Hit You” – Wired
- 2014: Open Garages
- 2013: Sen Markey (D-MA) Letter to GM
- 2013: “Digital Carjackers Show Off New Attacks” – Forbes
- 2013: “Jury Finds Toyota Liable in Fatal Wreck in Oklahoma” – New York Times
- 2013: “Adventures in Automotive Networks and Control Units” – IOActive
- 2013: “Car Hacking: Your Computer-Controlled Vehicle Could Be Manipulated Remotely” – CBS
- 2013: “How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles” – Jason Staggs, Defcon 21
- 2012: “Can Science Stop Crime – Car-Hacking” – NOVA Science Now
- 2011: Google Self-Driving Car
- 2011: “Can Your Car be Hacked?” – Car and Driver
- 2011: “Comprehensive Experimental Analyses of Automotive Attack Surfaces” – Center for Automotive Embedded Systems Security (CAESS)
- 2010: “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study” – Rutgers, USC
- 2010: “Experimental Security Analysis of a Modern Automobile” – Center for Automotive Embedded Systems Security (CAESS)
- 2010: “Hacker disables more than 100 cars remotely” – Wired
- 2007: “Hackers can take over car navigation system” – The Telegraph
- 2007: DARPA Urban Challenge
- 2005: “RFID Chips in Car Keys and Gas Pump” – Johns Hopkins University
- 2005: DARPA Grand Challenge
- 2005: “Linux Bluetooth hackers hijack car audio” – The Register
- 2005: “Hacking the Hybrid Vehicle” – Wired
- 2004: DARPA Grand Challenge
- 2004: “DRIVING; Altering Your Engine With New Chip” – NY Times
- 2003: “Gentlemen, Start Hacking Your Engines” – NY Times
- 2002: “How To Hack Your Car” – Forbes
Sources:
- McKinsey – Cybersecurity in automotive
- https://www.iamthecavalry.org/domains/automotive/
- https://smart.gi-de.com/automotive/brief-history-car-hacking-2010-present/