Nearly twenty automotive manufacturers and service providers had API security flaws that could have allowed hackers to perform malicious activity, including unlocking, starting and tracking vehicles, as well as exposing customers' personal information.
The security flaws affected well-known brands including BMW, Rolls-Royce, Mercedes-Benz, Porsche, Jaguar, Land Rover and Ford.
The vulnerabilities also affected the vehicle technology brands Spireon and Reviver and the streaming service SiriusXM.
These API flaws were discovered by a group of researchers headed by Sam Curry, who previously revealed security problems affecting Hyundai, Genesis and Acura as well as Infiniti and SiriusXM.
Curry had previously disclosed how hackers could exploit these flaws to unlock or start vehicles. Now that 90 days have passed since the issues were reported, the team has published a more comprehensive blog post on the API vulnerabilities.
All issues raised in the report have been resolved by the affected vendors, and they can no longer be exploited.
Accessing internal portals
The most severe API flaws were discovered at BMW and Mercedes-Benz. These were caused by single sign-on (SSO) vulnerabilities, which allowed attackers to access internal systems.
For Mercedes-Benz, the researchers had access to multiple private GitHub instances and internal chat channels on Mattermost. They could also have accessed servers, Jenkins and AWS instances, and XENTRY systems, which connect to customer cars.
Internal Mercedes-Benz portal
Source: Sam Curry
For BMW, the researchers had access to internal portals and could query the VIN of any vehicle. They were also able to retrieve documents that contained sensitive owner information.
They could also use the SSO flaws to access internal applications and log in as any dealer or employee.
Accessing vehicle details on the BMW portal
Source: Sam Curry
Exposing owner details
Researchers were able to gain access to PII for Toyota, KIA and Infiniti owners by exploiting API flaws.
Disclosing information about the owners of expensive cars is particularly dangerous. The exposed information includes sales data, physical locations, customer addresses, and other details about customers.
Ferrari was affected by poorly implemented SSO in its CMS. This exposed backend API routes, making it possible for JavaScript snippets to be used to retrieve credentials.
An attacker could exploit these flaws to access, modify or delete Ferrari customer accounts, manage their vehicle profiles, or set themselves as car owners.
Disclosing Ferrari user data details
Source: Sam Curry
Tracking vehicle GPS
These vulnerabilities could also have allowed hackers to track cars in real time, potentially posing physical threats and affecting the privacy rights of millions.
Porsche was among the brands that were affected by flaws within its telematics systems, which allowed attackers to access vehicle locations and issue commands.
Spireon’s GPS tracking software was also susceptible to car location disclosure. The issue affected 15.5 million vehicles and allowed full admin access to the company's remote management panel. This enabled attackers to lock and unlock cars, start engines, and disable starters.
Historic GPS data on the Spireon admin panel
Source: Sam Curry
Reviver, a maker of digital license plates, is the third affected entity. Its admin panel was susceptible to unauthenticated remote access. Anyone could have accessed GPS data, user records and even license plate messaging.
Curry demonstrates how they were able to label a vehicle “STOLEN” on the Reviver panel. This would immediately inform police and put the driver/owner at unnecessary risk.
Modifying Reviver plates remotely
Source: Sam Curry
Minimizing exposure
Car owners can reduce their exposure to these kinds of vulnerabilities by limiting the personal data stored in their vehicles and mobile companion apps.
You should also set your in-car telematics to the most private setting and review privacy policies to see how your data is used.
Curry shared this advice with BleepingComputer:
When purchasing a used car, ensure that all accounts belonging to the previous owner have been deleted. Curry also advised using strong passwords and setting up two-factor authentication (2FA), where available, for any apps or services that link to your car.
Update 1/4: A Spireon spokesperson has sent BleepingComputer the following comment:
The security researcher met with our cybersecurity specialists to discuss the system flaws and to implement the necessary remedial steps.
As part of our ongoing commitment to customers, we also took proactive measures to strengthen security in our product portfolio.
Spireon is serious about security and uses a wide range of industry-leading toolsets to scan all its products for known or unknown security threats.