Significant security flaws have been found in Mercedes, Ferrari and other luxury cars that could have allowed threat actors to steal their owners’ personally identifiable information, track their cars, and in some cases – even unlock and start the cars.
Almost two dozen car brands were affected by the defects, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, Kia, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota and Genesis.
Besides auto manufacturers, auto technology makers Spireon and Reviver, as well as SiriusXM Connected Vehicle Services, have also been affected.
Access to private data
The flaws were discovered by cybersecurity researcher Sam Curry who has a history of finding security flaws in connected cars. In early December 2022, he discovered a flaw in SiriusXM’s connected vehicle services that enabled actors to access connected vehicles.
In this case, different manufacturers had different vulnerabilities. BMW and Mercedes-Benz have a flawed single sign-on (SSO) feature that allows threat actors to gain access to internal systems, granting them access to GitHub instances, private chats, servers, AWS instances, and more.
With BMW, potential attackers could access internal dealership portals and vehicle identification numbers (VINs), as well as sales documents containing sensitive owner details.
Besides the two major brands, owners of Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche and Toyota vehicles could have had their personally identifiable information (PII) leaked.
Ferrari was also hit hard, as the SSO flaw allowed threat actors to access, modify, or delete any Ferrari customer account. They could even designate themselves as the owners of the cars. With Porsche, flaws in its telematics systems allowed threat actors to pinpoint the exact location of cars, and even send commands to the vehicles.
All affected vendors were notified of the findings, and have since fixed the defects.
GPS vehicle tracking service provider Spireon, which has allegedly been used in more than 15 million vehicles, carried a flaw that, among other things, allowed threat actors to unlock cars, start the engine, or disable the starter.
To guard against such flaws in the future, the researchers suggest that vehicle owners store as little personal information as possible in vehicles and mobile companion apps.
Via: BleepingComputer