A Florida-based cybersecurity researcher recently released a report detailing critical vulnerabilities in several major automobile companies. The companies with the largest exploits found include Toyota, Kia, Honda, BMW, and Mercedes-Benz. Smaller, but still damaging, exploits were found in companies like Jaguar, Ford, and Spireon.
The research came after a small team found an easy exploit in a popular scooter brand. Eager to see what other vulnerabilities they could find and report, they spent months analyzing various automobile companies.
The report breaks down the full extent of the vulnerabilities found in each major company’s telematics systems, automobile APIs, and the surrounding infrastructure supporting them.
While the full release goes into extensive detail, here are the key takeaways you should know.
For Kia, Honda, Infiniti, Nissan, and Acura, the exploits allowed someone to start and stop the engine, control the lights and locks, and more using just a vehicle’s VIN (vehicle identification number). Even worse, using that same VIN, an attacker could take control of the car’s ownership record and fully take over a customer’s account.
Hyundai and Genesis saw similar exploits, allowing remote takeover of a customer’s full account and ownership of the vehicle, including its engine, lights, locks, and more, though instead of a VIN, these required only an email address.
Spireon, BMW, and Rolls-Royce each had security vulnerabilities that allowed remote access to confidential employee information. Ferrari had a blatant lack of access control that could have let threat actors modify its systems or create backdoors, and also had an exploit that allowed zero-interaction account takeover.
Toyota had an IDOR (insecure direct object reference) vulnerability that allowed actors to see the name, phone number, email address, and loan status of any Toyota Financial customer.
Needless to say, finding and reporting these security exploits in such major companies was vital, and likely prevented the disaster of the wrong person discovering them first.