Car hacking: API vulnerabilities put vehicle safety at risk
by Tina Siering
The American Sam Curry is a 23-year-old hacker who has already successfully demonstrated a security vulnerability to the electric car manufacturer Tesla in the past - and was rewarded with 10,000 dollars for it. Now he and several collaborators from his team have spent months looking for security vulnerabilities at 16 different car manufacturers and several automotive suppliers - and apparently found some at almost every one of them. Most of the findings were vulnerabilities in the application programming interfaces (APIs), in some cases granting far-reaching authorisations:
The vulnerabilities allowed the attackers to reach internal on-board networks and stored user information, and in some cases even to execute code. Unused or outdated APIs that have never been deactivated are an ideal entry point in particular. The following car manufacturers were examined: Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce and Toyota.
Sam Curry's team recently processed all the findings and published them in detail.
In addition to the insufficiently protected APIs, the hackers also discovered log-in services that unauthorised persons should not have found in the first place. These were used to reset online accounts or log into internal systems, such as those at BMW, Mercedes-Benz and Rolls-Royce.
In other cases (Kia, Honda, Infiniti, Nissan, Acura, Hyundai and Genesis), they were able to remotely access car owners' personal data, locate and unlock cars and even start engines. This was apparently achieved simply by transmitting the vehicle identification number (VIN) in an HTTP request to the endpoint - the VIN alone was treated as sufficient proof of authorisation. At premium manufacturers such as Porsche and Ferrari, internal company data, customer data and employee information could be read out via poorly configured single sign-on interfaces in the dealer portals, and hundreds of internal tools could be used. Curry and his colleagues could theoretically have listed themselves as Ferrari owners.
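The VIN-based access described above is an object-level authorisation failure: the endpoint looked up a vehicle by an identifier the caller supplied and never checked that the caller was entitled to that vehicle. The following added example (written for this page; it is not code from Sam Curry's team or from any manufacturer, and all routes, vehicle records and user names are constructed) models a minimal telematics "locate vehicle" handler in two versions, one that trusts the VIN alone and one that binds the VIN to the authenticated account, retires the old route instead of leaving it reachable, and records denied requests so that VIN probing shows up in monitoring:

```python
"""Object-level authorisation for a vehicle telematics API (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: VINs and owners are invented, not real vehicles.
VEHICLES = {
    "TESTVIN0000000001": {"owner": "alice", "location": "parking deck, level 2"},
    "TESTVIN0000000002": {"owner": "bob", "location": "home driveway"},
}

# Audit trail of denied requests; in a real deployment this would feed a SIEM.
DENIED_LOG: list[str] = []


@dataclass
class Request:
    path: str
    session_user: Optional[str]            # user proven by the session token, None if unauthenticated
    params: dict = field(default_factory=dict)


def weak_locate(req: Request):
    """The flawed pattern: whoever knows (or guesses) a VIN gets the location."""
    car = VEHICLES.get(req.params.get("vin", ""))
    if car is None:
        return 404, None
    return 200, car["location"]


def hardened_locate(req: Request):
    """Require a session and check that the VIN belongs to that session's user."""
    if req.session_user is None:
        return 401, None
    vin = req.params.get("vin", "")
    car = VEHICLES.get(vin)
    # Same response for "no such VIN" and "not your VIN": the API must not act
    # as an oracle that confirms which VINs exist in the fleet.
    if car is None or car["owner"] != req.session_user:
        DENIED_LOG.append(f"denied locate user={req.session_user} vin={vin}")
        return 404, None
    return 200, car["location"]


# Only routes listed here are reachable; the legacy route is explicitly retired
# (410 Gone) rather than left running unmaintained.
ACTIVE_ROUTES = {"/v2/vehicle/locate": hardened_locate}
RETIRED_ROUTES = {"/v1/vehicle/locate"}


def dispatch(req: Request):
    """Route a request; retired paths are refused before any handler runs."""
    if req.path in RETIRED_ROUTES:
        return 410, None
    handler = ACTIVE_ROUTES.get(req.path)
    if handler is None:
        return 404, None
    return handler(req)


if __name__ == "__main__":
    anon = Request("/v2/vehicle/locate", None, {"vin": "TESTVIN0000000001"})
    print("weak, anonymous:", weak_locate(anon))          # (200, ...) leaks the location
    print("hardened, anonymous:", dispatch(anon))         # (401, None)
    bob = Request("/v2/vehicle/locate", "bob", {"vin": "TESTVIN0000000001"})
    print("hardened, wrong owner:", dispatch(bob))        # (404, None), logged
    print("retired route:", dispatch(Request("/v1/vehicle/locate", "alice", {})))
    print("denied log:", DENIED_LOG)
```

The design point is that the ownership check lives next to the lookup, so every route that resolves a VIN goes through it, and that an unused API version is turned off at the router rather than trusted to stay harmless.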
Serious problem at Spireon
The ethical hackers also took on the outdated website of the company Spireon. Spireon is a US provider that networks ambulances and police vehicles, among other things. The cyber specialists tried the publicly accessible internet address "admin.spireo.com". All it took was a few entries in the user name and password fields - and the hackers had an admin account with extensive user rights. A real cyber attack could have permanently blocked the starters of the vehicles - or worse - sent the emergency vehicles (15.5 million registered vehicles!) randomly to false locations.
According to Curry, the extent of the security vulnerabilities at all affected manufacturers is within the "normal" range; he was only "a little surprised by the security level of some remotely controllable vehicle functions".
German security researcher Ruben Gonzales also confirmed in an interview with SPIEGEL Online that the security vulnerabilities discovered were "completely trivially exploitable vulnerabilities in web applications". At least the critical car communication of German manufacturers is much better secured than the "poorly maintained web portals", so the expected consequences of the vulnerabilities are not as serious as at other companies. However, the security researcher does not let Spireon off the hook: the error discovered in its system can only be described as "grossly negligent".
Spireon told SPIEGEL that it takes all security issues very seriously and has immediately taken the necessary measures to remedy the situation, as well as actively taking steps to further optimise the security of its own products.
Reactions of the car manufacturers
So far, the affected companies have reacted very differently: BMW stated that the vulnerability in question had been known since the beginning of November 2022 and had been dealt with in accordance with applicable security standards. Mercedes-Benz confirmed that the vulnerability found by Curry had been fixed and that it had not affected the safety of the vehicles.
Nissan wrote in a tweet that its IT managers had fixed the bugs in the configuration of the APIs.
According to expert predictions for 2023, a further increase in attacks on APIs can be expected, and advancing digitalisation enlarges the attack surface. The security vulnerabilities uncovered show a certain carelessness on the part of manufacturers who have connected their poorly maintained web portals directly to critical IoT devices - in this case cars. The risk of attack is enormous - measures that reliably and sustainably protect APIs from cyber attacks, such as per-object authorisation checks and the decommissioning of unused endpoints, are correspondingly indispensable.