A group of white hat hackers broke into customer-facing and back-end systems of a variety of automakers, including BMW, Ferrari, Ford, Jaguar-Land Rover, Mercedes-Benz, Porsche and Rolls-Royce.
The findings are a follow-up to the group’s discovery late last year of flaws in SiriusXM’s telematics service that created breaches in Honda, Hyundai, Nissan and Toyota models.
The latest round of vulnerabilities gave the hackers access to detailed customer information and internal administrative functions. The findings were not disclosed until earlier this month because of a self-imposed 90-day moratorium, Sam Curry, an Omaha, Neb., security engineer, told Automotive News.
The moratorium, inspired by the policies of the Google Project Zero security research team, is designed to express intent to disclose, but also to allow time to work with vendors to plug the security gaps, Curry said. The researchers also hacked service providers Spireon and Reviver, Curry said.
Ford, Mercedes-Benz, Reviver and Spireon told Automotive News that they have closed the breaches.
Ford said it fixed the problem after learning of the issue through its “bug bounty” program.
Porsche Cars North America spokesperson Marcus Kabel said the company permanently monitors its systems. “We take any indications of vulnerabilities very seriously,” he said. “Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties.”
BMW, Ferrari and Jaguar-Land Rover did not respond to Automotive News’ questions about the security breach.
Executives from auto cybersecurity firms told Automotive News the Curry group’s research is important because of the industry’s digitization efforts and push to offer software-based subscription services in vehicles.
While automakers have moved quickly into electrification, autonomous technology and Internet connectivity, security sometimes takes a back seat to those efforts, said Ronen Smoly, CEO of Israeli auto cybersecurity company Argus.
“So what white hat hackers are doing is basically finding all kinds of errors and issues or vulnerabilities in the car and notifying the car manufacturers, which is a good thing,” Smoly said.
Curry’s research is a wake-up call to the auto industry and U.S. policymakers, said Shira Sarid-Hausirer, vice president of marketing at Upstream Security, another Israeli auto cybersecurity firm.
“Sam Curry’s research is unique because it was relatively easy to do and he was able to gain control over millions of models from multiple OEMs and penetrate them remotely,” Sarid-Hausirer said.
The Curry group’s hacks are akin to a home burglar robbing millions of homes at the same time as opposed to a single residence, Sarid-Hausirer said.
Citing a report authored by Upstream, Sarid-Hausirer said the number of automotive application programming interface attacks jumped 380 percent in 2022 over 2021. This came despite automakers using advanced information technology cybersecurity protections, she added.
Among the breaches, Curry said the group was able to take over any Ferrari customer account. It also could discover configuration credentials used for telematics on Ford vehicles.
The group also hacked some of Porsche’s telematics, allowing it to track vehicles, send vehicle commands and access customer information.
The BMW and Mercedes-Benz hacks tapped into information that might have been leveraged by black hat hackers to gain deep access to those automakers’ internal operations, Curry said.
“For BMW specifically, we had full organizational employee-level access to customer information,” he said. “We could have logged into pretty much any application as any user.
“With Mercedes-Benz, we accessed their internal chat tools and a ton of other internal applications,” Curry said.
“An external researcher (Sam Curry) contacted us regarding improperly configured authorization management in some Mercedes-Benz applications that allowed the researcher to get access to these applications,” Mercedes-Benz said in a statement. “The reported vulnerability is fixed. The identified vulnerability did not affect the security of our vehicles.”
Curry said the breach into Ferrari’s back-end is also notable.
“One thing that was kind of fun was the Ferrari vulnerability,” Curry said. “We had everybody who bought a Ferrari, and we could get their full name, address, phone number, physical address and information about their vehicle.
“We could just take over anybody’s Ferrari account and pretend to be them and retrieve their sales documents,” he added.
The group also breached Spireon’s back-end. Spireon provides device-independent telematics to fleet vehicles and vehicles operating on its OnStar and GoldStar platforms.
“I think people should be worried about Spireon’s vulnerabilities,” Curry said. “They have 15 million different vehicles. Spireon has lots of fleet and end-user vehicles with GoldStar or OnStar and tons of other vehicle solutions.
“We could send commands to cars to disable the starter, to remotely unlock it, remotely start it, and we had full administrative access where we could basically do whatever we wanted with those devices,” he said.
Curry said the Spireon vulnerabilities are concerning because many vehicle owners, even if they do not subscribe to OnStar, have the service on their cars.
“Spireon is so deeply embedded in the car ecosystem — they have so many different functionalities they provide to so many different customers, millions of users and millions of vehicles,” Curry said. “If we wanted to invite ourselves to the Cincinnati State police, we could have remotely disabled police cars and ambulance starters and stuff like that with this breach.”
Spireon said its cybersecurity professionals evaluated “the purported system vulnerabilities and immediately implemented remedial measures to the extent required. We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions.”
Curry also hacked Reviver, a company that sells digital license plates to consumers and fleets. He was able to gain full “super administrative access” to manage all Reviver user accounts and vehicles.
The functions he could perform remotely included tracking the physical GPS location of all Reviver customers. He could update any vehicle status to “stolen,” which updates the license plate and informs law enforcement, and access all user records. The hackers could determine what vehicles people owned, their physical address, phone number and email addresses.
A Reviver spokesperson said company executives met with Curry and data security and privacy professionals to fix the company’s vulnerabilities.
“Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report,” Reviver said. “As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”
Curry told Automotive News that he and his fellow auto security researchers will now focus on vulnerabilities in the auto-related services that major telecommunications providers offer the industry.
“We’re really curious about AT&T and Verizon,” Curry said. “So I think that’d be kind of a fun thing to explore because they have all this connected vehicle stuff, but their actual SIM cards are really interesting.”