Toyota, Mercedes, BMW API flaws exposed owners’ personal info


Level 74
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.

The security flaws impacted well-known brands, including BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.

The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.

The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infinity, and SiriusXM security issues in November 2022.

While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed blog post about the API vulnerabilities.

The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.


Staff Member
Malware Hunter
Jul 27, 2015
  • Ferrari
    • Full zero-interaction account takeover for any Ferrari customer account
    • IDOR to access all Ferrari customer records
    • Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
    • Ability to add HTTP routes on (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
Ferrari, again! :rolleyes:



Level 19
Top Poster
Jan 21, 2018


  • 1963_Bond_250G_(16372612291).jpg
    21.8 KB · Views: 40


Level 26
Top Poster
Aug 17, 2017
Security researchers discovered severe vulnerabilities last fall that would let hackers steal vehicles and customer data from multiple manufacturers. In a new update, one of the researchers writes that the vulnerabilities are more wide-reaching and can even affect law enforcement and emergency services vehicles. Multiple vulnerabilities could have let attackers remotely track and control police vehicles, ambulances, and consumer vehicles from various manufacturers, according to researcher Sam Curry's latest report. The update follows a similar notice from November. The weak point for the emergency services rigs is the website for the company controlling the GPS and Telematics for over 15 million devices, most of them vehicles --Spireon Systems. The researchers described Spireon's website as outdated and could log into it with an administrator account with some ingenuity. From there, they could remotely track and control fleets of police vehicles, ambulances, and business vehicles. Attackers could unlock the cars, start their engines, disable their ignition switches, dispatch navigation commands to entire fleets, and control firmware updates to potentially deliver malware.

Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.