API Vulnerabilities causing Vehicles at Risk

Vehicles from multiple manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners with multiple bugs

Flaws were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon. They can give access to the systems and user information and allow attacker to perform remote code execution.

Most critical of the issues were from Spireon’s telematics solution, which could have been exploited to gain complete access to perform arbitrary commands to about 15.5 million vehicles as well as update device firmware.

Vulnerabilities identified in Mercedes-Benz could grant access to internal applications via an improperly configured single sign-on (SSO) authentication. while others could permit user account takeover and disclosure of sensitive information.

Other vulnerabilities will allow accessing or modify customer records and internal dealer portals, track vehicle GPS locations in real time, manage the license plate data for all Reviver customers, and even update vehicle status as stolen.

These vulnerabilities have been fixed by the respective manufacturers following responsible disclosure. The findings highlight the need for a defense-in-depth strategy to contain threats and mitigate risk.