Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands
2023-01-09 10:30

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners.

The research builds on earlier findings from late last year, when Yuga Labs researcher Sam Curry et al. detailed security flaws in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks.

The most serious of the issues, which concern Spireon's telematics solution, could have been exploited to gain full administrative access, enabling an adversary to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.

"This would've allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles," the researchers said.

Other flaws make it possible to access or modify customer records and internal dealer portals, track vehicle GPS locations in real time, manage the license plate data for all Reviver customers, and even update vehicle status as "Stolen."

"If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely," the researchers noted.


News URL

https://thehackernews.com/2023/01/millions-of-vehicles-at-risk-api.html