Updated on 2023-01-09: Security Flaws Affect Millions of Cars
Researchers have detected security bugs affecting vehicles from 16 companies in the automotive industry. The flaws could be exploited to lock and unlock cars, start and stop engines, take over accounts, execute code remotely, track the location of vehicles, and conduct other troublesome activity.
- This write-up reads like car makers (or the app developers they hire) trying to play OWASP Bingo by hitting all the OWASP Top 10 in their apps. Just because your app is new and cool doesn’t mean you can forget about the basics.
- A common thread here is customer service sites using weak single sign-on implementations to make it easier for customers to access services via apps and web browsers. But really, you can find pretty much every one of the OWASP Top 10 vulnerabilities being found in just this one effort. Very obvious that no meaningful security testing has been done on many of the automotive sites before opening them to the public. If you work for an automotive company, use this to drive immediate attention to customer-facing sites and apps. If you own one of those vehicles, if you have to use those apps, at least use a unique password to reduce impact of an inevitable breach.
- Back when we just had to worry about static vs. rolling code capture to impersonate the key-fob, this was less of a deal. Now that we have network connections, mobile apps, and ties to services operated by the manufacturer, the cliche of the weakest link is in play. As consumers expect de facto remote access/control of their vehicles, manufacturers are rolling out products faster than they can secure them. This is a case of compromise of the applications and infrastructure which can access the vehicle as opposed to compromising the vehicle itself, with attacks leveraging SQLi, flawed SSO, CMS issues and even scrutinizing publicly reachable code repositories. Note that the discovered flaws have been patched. Takeaway for you: make sure that you are checking externally produced components (such as an API interface) to make sure they’re secure, and address identified flaws immediately.
- As manufacturers use more and more software in auto designs, the need for developers with a background in secure software development increases dramatically. Currently, that is a commodity in short supply, so they do the next best thing: leverage existing functionality across the industry. Software from third party suppliers has to be fully tested, as would in-house developed code. The outcome of this research is that secure software design and testing will become an increasingly important part of the automotive manufacturing process.
Updated on 2023-01-07: The ‘h’ in Honda means “hacked”
A group of seven hackers found multiple flaws in several major car makers’ platforms, including Honda, Nissan and Hyundai, allowing wide remote access to millions of vehicles. Major security and privacy risks here, but that’s the price we pay for bundling high-privilege telematics systems with every modern vehicle. Read more: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Super excited to release our car hacking research discussing vulnerabilities affecting hundreds of millions of vehicles, dozens of different car companies: https://t.co/xCHG5oLYWK
Contributors: @_specters_ @bbuerhaus @xEHLE_ @iangcarroll, @sshell_ @infosec_au @NahamSec @rez0__
— Sam Curry (@samwcyo) January 3, 2023
Overview: API vulnerabilities in carmakers’ infrastructure
A team of security researchers has found a bevy of vulnerabilities in the API infrastructure of several carmakers, including big names such as Mercedes-Benz, Ford, Porsche, Honda, Nissan, Kia, Hyundai, BMW, Land Rover, Rolls Royce, Jaguar, Ferrari, Toyota, and others. Some of the vulnerabilities could lead to full account and vehicle takeover and remote code execution. Read more: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More