New lines of smart, Internet-connected vehicles were the rage at the annual Consumer Electronics Show (CES), which has been taking place in Las Vegas in recent days. But a new report from a group of cybersecurity researchers should give consumers pause before hopping into a late model, connected car: it exposes vehicle management systems rife with security vulnerabilities that could give even low-skill hackers access to driver data and critical vehicle systems.
The report, “Web hackers versus the Auto Industry,” was published by a group of seven researchers led by Sam Curry (@samwcyo). It found wide-ranging security failings in systems relied on by 16 separate car makers and powering millions of vehicles. The faults include vulnerable single sign-on systems and web application flaws that allowed the researchers to control remote vehicle locking and unlocking, start and stop engines and locate vehicles using GPS. Other flaws gave researchers full administrator access to a company-wide administration panel that could send commands to more than 15 million deployed vehicles.
Millions of vehicles remotely hackable
Cars from model years 2014 and later are affected, and attacks could be carried out remotely, via the Internet with little more information than the Vehicle Identification Number (VIN) or the customer’s e-mail address, according to Sam Curry, the lead researcher on the project.
The report follows months of research on the security of web-based systems used to manage access to late model vehicles. The researchers assessed systems relied on by a host of car makers including Mercedes, Ferrari, Kia, Honda, BMW and Nissan, as well as those operated by auto industry suppliers including Sirius XM and Spireon, owner of the OnStar vehicle assistance service and a provider of GPS services for consumer vehicles as well as first responders and agricultural equipment makers.
Cars: just like scooters…only bigger!
According to Curry, whose day job is Staff Security Engineer at the firm Yuga Labs, the decision to look into the web-based systems controlling connected cars came about after he and a group of fellow researchers were able to manipulate a mobile application used to control a scooter share system, allowing them to trigger horns and alarms on the scooters.
Curry collaborated with researchers Neiko Rivera (@_specters_); Brett Buerhaus (@bbuerhaus); Maik Robert (@xEHLE_); Ian Carroll (@iangcarroll); Justin Rhinehart (@sshell_) and Shubham Shah (@infosec_au) on his research. He said the group learned early on that the telematics systems for vehicles were almost identical to the scooter management system.
“The infrastructure for both the scooter and car companies are actually super similar as they both have (1) authentication into a user account, (2) a mobile app which takes authenticated vehicle commands, and then (3) underlying SIM card powered telematic systems which leverage APIs from telecommunication companies,” he said in an email to The Security Ledger.
Curry has released some of the group’s findings previously on Twitter. For example, he disclosed flaws in telematics software manufactured by Sirius XM that allowed him and his researchers to remotely lock, unlock, start, stop and honk the horn of cars made by Honda, Nissan, Infiniti and Acura with just the vehicle’s VIN. He and the researchers later reported a flaw that gave them full, remote control over Nissan and Infiniti vehicles. That hack was the result of changing a single word in an application request sent from Nissan’s mobile application, allowing him to send vehicle commands such as “lock,” “unlock,” “start,” “stop” and “track,” as well as claim any previously owned vehicles.
That flaw appeared to be the result of a developer error, Curry said, in which a “debug or staging API call” was left in the application and pushed into production. Normally, customers would have to enter their unique customer ID and validate their access with a password. But Curry found that he could prefix a request with the term “vin”, and a vehicle’s VIN, and it would bypass those access checks.
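A constructed illustration of the bug class described above, added here as an example and not Nissan’s or the researchers’ code: a leftover staging lookup that honours a “vin:”-prefixed target without any customer-ID or password check, beside a hardened dispatcher with a single authenticated path and a log check that flags the debug identifier form in production traffic. The customer IDs, VINs, passwords, command set and log format are all made up.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data (not real VINs or accounts): who owns which vehicle,
# and each customer's credential. A real service would verify a password hash.
OWNERS = {"1N4TESTVIN0000001": "cust-42", "1N4TESTVIN0000002": "cust-99"}
PASSWORDS = {"cust-42": "correct-horse", "cust-99": "battery-staple"}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "track"}

@dataclass
class Request:
    target: str      # customer ID, or on the leftover debug path "vin:<VIN>"
    password: str
    command: str
    vin: str         # vehicle the command should be sent to

def authorised_vulnerable(req: Request) -> bool:
    """'Before': a staging lookup-by-VIN path shipped to production. A target
    prefixed with 'vin:' skips the customer-ID/password check entirely, so
    knowing the VIN is enough to have a command accepted."""
    if req.command not in ALLOWED_COMMANDS:
        return False
    if req.target.startswith("vin:"):                      # debug shortcut
        return req.target[len("vin:"):] == req.vin
    return (hmac.compare_digest(PASSWORDS.get(req.target, ""), req.password)
            and OWNERS.get(req.vin) == req.target)

def authorised_hardened(req: Request) -> bool:
    """'After': exactly one path. The target is always a customer ID that
    must authenticate, and the VIN must belong to that customer. The debug
    identifier form is rejected outright rather than gated by environment."""
    if req.command not in ALLOWED_COMMANDS or req.target.startswith("vin:"):
        return False
    if not hmac.compare_digest(PASSWORDS.get(req.target, ""), req.password):
        return False
    return OWNERS.get(req.vin) == req.target

def debug_path_hits(log_lines):
    """Detection: return API log lines whose target uses the debug 'vin:'
    form, which should never appear in production traffic."""
    return [line for line in log_lines if ' target="vin:' in line]

# Constructed log lines for the detection helper.
SAMPLE_LOG = [
    '2023-01-05T10:00:01Z POST /vehicle/command target="cust-42" cmd=lock',
    '2023-01-05T10:00:07Z POST /vehicle/command target="vin:1N4TESTVIN0000002" cmd=start',
]
```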
A cyber dumpster fire puts remote ignition, tracking, access in the hands of hackers
The latest report expands on those earlier revelations, describing additional flaws discovered in reviews of mobile applications associated with leading automobile OEMs that expose serious security and privacy risks in modern vehicles.
- For Kia vehicles, for example, Curry and his fellow researchers discovered they could remotely access the 360-view camera and view live images from the car.
- For Mercedes-Benz, Curry and his researchers gained access to “hundreds of mission-critical internal applications” and “internal vehicle APIs.” The group was able to access raw source code via Mercedes’ private GitHub instances and join company-wide internal development and messaging environments.
- For Spireon, the GPS provider for vehicles, Curry and his fellow researchers claimed to have obtained “full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware.” They also claimed to be able to carry out a remote code execution (RCE) attack on “core systems for managing user accounts, devices, and fleets,” and to have the ability to “fully take over any fleet,” including police department and first responder fleets that rely on Spireon’s services.
The flaws pose serious privacy and even physical security risks. For example, Curry notes that many vehicles are stored indoors in garages. With the ability to remotely turn on millions of vehicles, attackers could cause “carbon monoxide (to) spread through people’s homes,” he wrote.
Many of the automakers’ security “felt a few years behind,” Curry wrote in an email. “But they have very complicated threat models and huge attack surfaces, so it wasn’t surprising to us to have found (the flaws).”
In an email statement, a Spireon spokesperson said the company is aware of the article recently posted by Curry and his colleagues. “Our cybersecurity professionals met with the security researcher to discuss and evaluate the purported system vulnerabilities and immediately implemented remedial measures to the extent required. We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions,” the statement read. The spokesperson said Spireon takes “all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks.”
A spokesperson for Mercedes-Benz said in an email response the company was also aware of the research and fixed the vulnerability Curry reported. The spokesperson said the flaw “did not affect the security of our vehicles.” “(Mercedes-Benz) appreciate working with researchers from around the world in order to help us create better, safer products and services through our vulnerability disclosure program. We take every vulnerability report very serious (sp),” the company said in a statement.
An email statement shared by a Kia America spokesman said that the company’s investigation of the flaw is ongoing and that Kia is “implementing countermeasures to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team’s assistance.”
A spokesperson for the automotive industry ISAC (Information Sharing and Analysis Center) said that it could not provide a comment in time for publication. We will update this story with a statement from the auto ISAC once one is available.
Security Ledger sent additional requests for comments to other automakers including Honda, Infiniti, Nissan, and Acura. We will update this story when and if we hear from those companies.
Not (exactly) Miller and Valasek
The researchers weren’t able to send actual vehicle commands, as Charlie Miller and Chris Valasek did in their famous 2015 attack on a Jeep Cherokee, Curry said. “We were limited to the manufacturer functionality like starting the vehicle, unlocking it, tracking it, and opening the trunk,” he wrote.
Curry said it was difficult to determine the origins of the offending applications. The group’s research into SiriusXM, for example, found that some automakers’ applications called SiriusXM’s API directly, while others were rebranded as a service that was offered by the auto manufacturer. “We weren’t able to find any evidence that SiriusXM produced the apps directly or contracted them out,” Curry wrote in an email. “It was deployed differently in many places and there wasn’t a universal way to interface with it,” he wrote. After reporting the flaw to SiriusXM, Curry said the company responded quickly and had it fixed “within 24 hours.”
Wide avenues for cyber attack on connected cars
Curry said his research, which started out as a casual inquiry, suggests that other, similar issues exist in connected vehicles. “My gut feeling is that someone could find similar issues affecting these (applications) given enough time,” he said. The auto industry’s enthusiastic embrace of mobile apps and subscription services for vehicles mean that the problems he discovered aren’t going away. “Infrastructure wise, the car is always going to be calling out to these APIs and customers are always going to be able to access their accounts via the app, so these avenues of attack will always exist,” Curry wrote.
Even worse: the level of expertise needed to find the flaws is low. “In past…we’ve tried to focus on emerging security research and new techniques for breaking applications, but for this one we were a little disappointed,” Curry wrote in an email. “Instead of ‘here’s a new technique on how to hack a car,’ we discovered that it was more of ‘these old techniques work to hack car companies.’”
Curry said the response from automakers was, generally, good.
“None of the automakers were surprised we were poking at their systems, they all hopped on calls with us within 1 or 2 days to discuss our findings and help understand how they could better fix them going forward.”
Still, other security researchers noted that the ease with which the flaws were found – and their prevalence – was a black eye for the industry.
“This is jaw-dropping research,” said the researcher known as Sick Codes, who made news at the DEF CON hacking conference in August by running the DOOM first-person shooter on a John Deere monitor, and who has also pried into the security of automobiles. “Spoke to both Sam and Specters and congratulated them both on putting on a clinic haha. It makes ISO 21434 (the cybersecurity standard for vehicles) look like a joke. AutoISAC has some explaining to do if this level of attack is just sitting there,” Sick Codes said.
The cybersecurity space needs to respond accordingly. “This space should have more people paying attention. We need more hackers to look at these systems and organizations to push for thorough auditing of these technologies,” Curry wrote.