Get Ready to Patch Your: Ferrari, Rolls, Porsche and BMW
Also get ready to patch your Infiniti, Nissan, Acura, Mercedes, Genesis, Ford, Toyota, Jaguar, Kia, Honda and Land Rover.
As car makers attach more bells and whistles to your new car, assume a steady stream of recalls. The problem is that the car makers are not patching older cars, so they will remain vulnerable until they are crushed and melted down.
The researchers who discovered the flaws were just brainstorming, probably over adult beverages, while on vacation – meaning a somewhat low level of effort was required.
Just like all other software, car software has weak spots.
In this case, it involved APIs, the dealer management software and crappy software design on the part of the manufacturer.
Using this knowledge, the researchers hacked the dealer portal, logged on as a real dealer, took over the account and used the same tools dealers use.
For one make, they were able to query a specific VIN and retrieve sales documents. So far, a violation of privacy but not security. At this point they stopped and notified the company.
For Kia cars, they were able to remotely access the 360-degree view camera and view live images from around the car.
For some brands, including Kia, Honda, Infiniti and others, they were able to remotely lock and unlock the car, start the engine, stop the engine, precisely locate the car, flash the headlights and do other tasks.
For Mercedes, they were able to access hundreds of mission-critical internal applications via improperly configured single sign-on, including internal, vehicle-related APIs, perform remote code execution on multiple systems and create memory leaks leading to customer and employee PII disclosure and account access.
They could even lock customers out of their own car accounts.
With all of the software in place today, it is unlikely to get any better until it costs the car makers and other companies more money not to fix it than to fix it. I don’t know if there will be lawsuits here, but probably.
Credit: Data Breach Today