Toyota, Mercedes, BMW API flaws exposed owners’ personal info

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,606
Content source
https://www.bleepingcomputer.com/news/security/toyota-mercedes-bmw-api-flaws-exposed-owners-personal-info/
Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.

The security flaws impacted well-known brands, including BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.

The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.

The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infinity, and SiriusXM security issues in November 2022.

While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed blog post about the API vulnerabilities.

The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.
Click to expand...
www.bleepingcomputer.com

Toyota, Mercedes, BMW API flaws exposed owners’ personal info

Security analysts disclosed severe API security flaws impacting numerous car makers, enabling them to access vehicle owner information, take over accounts, access internal systems, modify records, and track their position.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
  • Thanks
Reactions: vtqhtr413, Stopspying, upnorth and 2 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
  • Ferrari
    • Full zero-interaction account takeover for any Ferrari customer account
    • IDOR to access all Ferrari customer records
    • Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
    • Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
Click to expand...
Ferrari, again! :rolleyes:

malwaretips.com

RansomEXX Ransomware Team added Ferrari to the Victim's List

malwaretips.com malwaretips.com
 
  • Like
  • Sad
Reactions: vtqhtr413, Stopspying and Gandalf_The_Grey
Stopspying

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814

Attachments

  • 1963_Bond_250G_(16372612291).jpg
    1963_Bond_250G_(16372612291).jpg
    21.8 KB · Views: 53
  • Applause
  • Like
Reactions: vtqhtr413 and Gandalf_The_Grey
vtqhtr413

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,494
Security researchers discovered severe vulnerabilities last fall that would let hackers steal vehicles and customer data from multiple manufacturers. In a new update, one of the researchers writes that the vulnerabilities are more wide-reaching and can even affect law enforcement and emergency services vehicles. Multiple vulnerabilities could have let attackers remotely track and control police vehicles, ambulances, and consumer vehicles from various manufacturers, according to researcher Sam Curry's latest report. The update follows a similar notice from November. The weak point for the emergency services rigs is the website for the company controlling the GPS and Telematics for over 15 million devices, most of them vehicles --Spireon Systems. The researchers described Spireon's website as outdated and could log into it with an administrator account with some ingenuity. From there, they could remotely track and control fleets of police vehicles, ambulances, and business vehicles. Attackers could unlock the cars, start their engines, disable their ignition switches, dispatch navigation commands to entire fleets, and control firmware updates to potentially deliver malware.
Click to expand...
samcurry.net

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

During the fall of 2022, a few friends and I took a road trip from Chicago, IL to Washington, DC to attend a cybersecurity conference and (try) to take a break from our usual computer work. While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered...
samcurry.net samcurry.net

www.techspot.com

Researchers find serious vulnerabilities in cars and emergency vehicles, including BMW, Mercedes, Honda, Nissan, more

Multiple vulnerabilities could have let attackers remotely track and control police vehicles, ambulances, and consumer vehicles from various manufacturers, according to researcher Sam Curry's latest report. The...
www.techspot.com www.techspot.com
 
Last edited:
  • Like
Reactions: Stopspying, upnorth and harlan4096
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Security News Eagers Automotive halts trading in response to cyberattack
Replies
0
Views
1,133
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Wow
    • +Reputation
    • Like
Privacy News Toyota warns customers of data breach exposing personal, financial info
Replies
0
Views
1,106
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • +Reputation
    • Like
    • Applause
Pendragon car dealer refuses $60 million LockBit ransomware demand
Replies
0
Views
558
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top