Major car companies, telematics vendors, and fleet operators have significant vulnerabilities in their web applications and APIs, according to a report by security researcher Sam Curry and his team.
The vulnerabilities range from information theft to account takeover and remote code execution, and even include the ability to hijack physical vehicle commands such as starting and stopping the engine.
These findings suggest that the automotive industry has not prioritized the security of its online systems as it has rushed to introduce digital features.
The researchers identified several critical vulnerabilities across various systems, including poorly configured APIs for BMW and Rolls Royce that could allow attackers to take over employee and contractor accounts and access sensitive customer and vehicle information.
A misconfigured single sign-on system at Mercedes-Benz enabled the researchers to gain access to internal assets, including private GitHub repositories and internal communication tools, and to pose as employees to access sensitive information and send commands to customer vehicles.
Vulnerabilities were also found in Kia, Ferrari, Hyundai, Genesis, Honda, Nissan, Infiniti, and Acura systems.
The team also discovered a SQL injection vulnerability in the admin portal of Spireon, which services 15 million vehicles; it gave them administrator access to the platform and, with it, access to every user account, device, and fleet on the platform, including ambulances, police cruisers, and large trucks.