Major security flaws have been discovered in top luxury cars such as Ferrari, Mercedes, and many others. The vulnerabilities allowed threat actors to steal private data as well as start cars.
Major Security Flaws Discovered In Top Luxury Cars
According to reports, major security flaws have been discovered in Ferrari, Mercedes, and many other top luxury cars. The flaws reportedly could allow threat actors to steal the personally identifiable information (PII) of car owners, track their vehicles, and in many cases unlock and start their cars.
Close to two dozen car brands were affected by the reported flaws, including top brands such as Rolls Royce, BMW, Porsche, Mercedes-Benz, Ferrari, Jaguar, Ford, KIA, Land Rover, Infiniti, Honda, Hyundai, Acura, Nissan, Genesis, and Toyota. Besides car manufacturers, car technology makers Spireon and Reviver were also impacted, as was streaming service provider SiriusXM.
The Flaws Were Discovered By Sam Curry
The flaws were discovered by Sam Curry, a cybersecurity researcher who has a history of discovering security flaws in connected cars. He discovered a flaw in SiriusXM back in early December 2022 that allowed threat actors to gain access to connected vehicles.
In this case, different manufacturers had different vulnerabilities. Both BMW and Mercedes-Benz had a flawed Single-Sign-On (SSO) feature that let threat actors get access to internal systems, giving them access to GitHub instances, servers, private chats, AWS instances, and many more.
In BMW's case, potential attackers could have gained access to internal dealer portals, VIN numbers of cars, and sales documents with sensitive owner details.
Other Major Brands to Have Their Personally Identifiable Information Leaked
Besides those two major brands, owners of Honda, Infiniti, KIA, Acura, Mercedes-Benz, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, and Toyota cars could have had their personally identifiable information (PII) leaked.
Ferrari was also heavily affected, as the SSO flaw let threat actors access, modify, or even delete any Ferrari customer account. The flaw could also be used to set threat actors as car owners. With Porsche, flaws in its telematics systems allowed threat actors to pinpoint the exact location of the cars and even send commands to the vehicles.
Impacted Vendors Have Been Notified Of the Flaws and They Have Been Fixed
You should know, however, that all of the impacted vendors have been notified of the findings and the flaws have since been fixed.
Spireon, a GPS vehicle tracking provider that is allegedly used in over 15 million vehicles, carried a flaw that, among many other things, allowed threat actors to unlock the cars, start the engine, or even disable the starter.