Car Owners Beware: A Major Flaw Lets Hackers Steal Your Car Remotely


Cars are integrating digital technologies faster than ever, but this also widens the attack surface, from infotainment exploits to keyless-entry attacks. In rare cases it is the carmaker itself that puts customers and drivers at risk through its own security lapses. One such case has now come to light at a major carmaker, potentially exposing millions of vehicles to the risk of hijacking.
Security researcher Eaton Zveare has shared a finding with TechCrunch, which revealed serious vulnerabilities in a centralized dealership web portal of an unnamed major carmaker. The flaws exposed sensitive customer and vehicle data and could have allowed hackers to perform nefarious actions like unwanted remote control and hijacking.
Portal Flaw Lets Hackers Hijack Cars Remotely
According to the report, two weak API authentication checks ("two weak API authentications") allowed Zveare to bypass the web portal's login and create an unrestricted national-level admin account by modifying code loaded into the browser, without ever holding valid credentials.
That account had access to more than 1,000 dealership systems in the United States. The dealership portal is reportedly the same platform that employees and associates are authorized to use for viewing customer and vehicle information. Worse, the portal's single sign-on let a user jump between different dealer systems.
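The core defect described above is that the server trusted what the browser-side code claimed about the caller's role, so editing that code was enough to mint an admin account. The following added example (not code from the affected portal or from TechCrunch; all endpoint names, session records and the audit log are constructed here) contrasts that weak pattern with a handler that derives the caller's role from a server-side session, refuses privilege escalation, and records refused attempts so that a detection query can surface them.

```python
"""Server-side authorization vs. trusting the client (constructed example)."""
from typing import Optional

# Constructed server-side session store: session id -> caller identity.
# The role lives here, never in anything the browser sends.
SESSIONS = {
    "sess-1": {"user": "dealer_alice", "role": "dealer", "dealer_id": "D-001"},
    "sess-2": {"user": "hq_bob", "role": "national_admin", "dealer_id": None},
}

# Constructed audit log; a real deployment would ship this to a SIEM.
AUDIT_LOG: list[dict] = []


def create_account_weak(body: dict) -> dict:
    """Weak pattern: the caller's role is whatever the request body says.
    The body is assembled by browser-loaded JavaScript, so a user who edits
    that code controls the role, and no session is consulted at all."""
    role = body.get("role", "dealer")
    return {"status": "created", "account": body["username"], "role": role}


def create_account_hardened(body: dict, session_id: Optional[str]) -> dict:
    """Hardened pattern: authenticate via the session store, then authorize
    using the role recorded server-side, ignoring any role the client claims
    about itself."""
    caller = SESSIONS.get(session_id) if session_id else None
    if caller is None:
        AUDIT_LOG.append({"event": "denied", "reason": "no_session"})
        return {"status": "denied", "reason": "authentication required"}

    requested_role = body.get("role", "dealer")
    # Only a national admin may create another national admin.
    if requested_role == "national_admin" and caller["role"] != "national_admin":
        AUDIT_LOG.append({
            "event": "denied",
            "reason": "privilege_escalation",
            "caller": caller["user"],
            "requested_role": requested_role,
        })
        return {"status": "denied", "reason": "insufficient privilege"}

    # A dealer account is scoped to its own dealership; the scope comes from
    # the session, not from the request body.
    if caller["role"] == "dealer":
        scope = caller["dealer_id"]
    else:
        scope = body.get("dealer_id")

    return {
        "status": "created",
        "account": body["username"],
        "role": requested_role,
        "dealer_id": scope,
    }


def escalation_attempts(log: list[dict]) -> list[str]:
    """Detection helper: names of callers refused an admin role, which is
    the signal a defender would alert on for this class of bug."""
    return [e["caller"] for e in log if e.get("reason") == "privilege_escalation"]


if __name__ == "__main__":
    forged = {"username": "mallory", "role": "national_admin"}
    print("weak   :", create_account_weak(forged))
    print("hardened (dealer session):", create_account_hardened(forged, "sess-1"))
    print("hardened (admin session) :", create_account_hardened(forged, "sess-2"))
    print("escalation attempts:", escalation_attempts(AUDIT_LOG))
```

The design point is that the request body is treated as untrusted input throughout: identity comes from the session lookup, authorization from the role stored with it, and the dealer scope from the same record, so nothing the browser-side code can be edited to send changes the outcome. The audit entry on refusal gives operations a concrete event to alert on.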
Once access was gained, Zveare said that it was very easy for someone with an unrestricted account to search for a customer's name and match it with the vehicle's information through an internal tool. Likewise, it was possible to check a car in a parking lot and look up its owner.
More concerning still, vehicles linked to a connected mobile account were at greater risk of attack and hijacking: Zveare told the outlet that admins could take control of or transfer user accounts without any further authentication.
He demonstrated how the exploit could work in a real-world scenario. With permission from a friend whose vehicle was in the portal, the researcher was able to control it remotely, for example by unlocking the car through the mobile app. This has serious implications for organized carjacking and theft.
Major Security Bug Was Fixed
Zveare did not disclose which carmaker this was, though it is said to be a well-known vendor with multiple sub-brands. It is also not known whether the flaws affected this carmaker's comparable portals outside the U.S., though similar loopholes might exist in overseas subsidiaries.

Zveare added that the discovery was reported to the vendor in February and that the bugs were patched within a week. There was no evidence of prior exploitation in the wild, but the finding is alarming nonetheless.
This is not the only case where a carmaker was the reason for major security vulnerabilities. Last year, researchers exploited Kia's dealer portal to remotely control vehicles using license plate numbers. Meanwhile, Volkswagen was reported to have exposed the personal data of more than 800,000 EV owners.
In your case, what safeguards can you suggest to help protect your data and your vehicle from hacking? Should we really trust these companies with our data? We want to hear your answers in the comments.
Source: TechCrunch