- Apr 24, 2016
Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.
The security flaws impacted well-known brands, including BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.
The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.
The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infinity, and SiriusXM security issues in November 2022.
While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed blog post about the API vulnerabilities.
The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.
Security analysts disclosed severe API security flaws impacting numerous car makers, enabling them to access vehicle owner information, take over accounts, access internal systems, modify records, and track their position.