Software vulnerabilities in vehicles from luxury car manufacturers including Ferrari, BMW, Rolls Royce and Porsche, which could have allowed remote attackers to control vehicles and steal owners’ personal details, have been fixed. Cybersecurity researchers uncovered the vulnerabilities while vacationing.
The vulnerabilities potentially allowed hackers to perform tasks such as starting and stopping vehicles, tracking them remotely, and locking and unlocking them.
The affected vehicles include Infiniti, Nissan, Acura, Mercedes-Benz, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, Kia, Honda and Land Rover.
The research team also discovered flaws in the services provided by technology brands Reviver, Spireon and streaming service provider SiriusXM.
Sam Curry, a staff security engineer at blockchain technology company Yuga Labs, uncovered these flaws along with fellow cybersecurity researchers during a vacation. Curry says, “We brainstormed for a while and then realized that nearly every automobile manufactured in the last five years had nearly identical functionality.”
Curry says that if an attacker can find vulnerabilities in the API endpoints that vehicle telematics systems use, they could perform various tasks remotely.
“I’d hope that car manufacturers continue to work with security researchers in fixing these types of issues and taking these types of attacks seriously,” Curry tells Information Security Media Group.