Automotive Security Vulnerabilities From Afar

Keeping a car from being hacked is about more than just the vehicle.

Don’t confuse automotive security with automotive safety, meaning things like functional safety (FuSa) and ISO 26262. You need security to have safety, but security is its own thing. In a modern connected car, there are two places for security vulnerabilities: one is in the car itself, and the other is back at base in the automotive manufacturer’s (OEM in the jargon) data centers, which the cars are connected to. Well, it turns out automotive manufacturers are not very good at security in either place. The title of this blog post by Sam Curry pretty much says it all: “Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More.” I think they chose those brands to put in the title because it makes for a more dramatic title than using Kia and Acura. But lots of mainstream brands are on the list too.

He opens with an anecdote about why they decided to pentest automotive security:

While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn’t resist poking at the scooter’s mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.

That sort of thing is like a red rag to a security researcher bull:

[We] became super interested in trying to find more ways to make more things honk. We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely. At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.

Most of the rest of the piece is a detailed description of the security vulnerabilities they found. The ones listed in the blog post title are not even the most severe, and many manufacturers more mainstream than Ferrari and Rolls Royce were vulnerable. To give you an idea of how serious these issues are, here’s just one of the entries in the post:

Kia, Honda, Infiniti, Nissan, Acura

  • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
  • Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
  • Ability to lock users out of remotely managing their vehicle, change ownership
  • For Kia specifically, we could remotely access the 360-view camera and view live images from the car

The VIN is the “vehicle identification number.” At least here in the US, it is usually (always?) on a little embossed plate just behind the windscreen, visible to anyone from outside the vehicle.
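Because the VIN can be read through the windscreen, a backend that treats it as a credential has no authentication at all. The sketch below is an added example, not code from Sam Curry's post or from any manufacturer: it contrasts a handler that accepts any known VIN with one that authenticates the caller and checks ownership. The post's entry does not describe how the affected backends worked; the class, method names, tokens, and VINs here are hypothetical and constructed.

```python
# Added illustration: a VIN identifies a vehicle; it does not authenticate the caller.
# All class names, tokens and VINs below are hypothetical and constructed.
from dataclasses import dataclass, field

ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "locate", "honk"}


class Forbidden(Exception):
    """The request was refused."""


@dataclass
class TelematicsBackend:
    owners: dict = field(default_factory=dict)    # VIN -> owning account
    sessions: dict = field(default_factory=dict)  # session token -> account
    audit: list = field(default_factory=list)     # (account, vin, command, decision)

    def command_by_vin_only(self, vin: str, command: str) -> str:
        """Weak pattern: knowing the VIN is treated as proof of ownership."""
        if vin not in self.owners or command not in ALLOWED_COMMANDS:
            raise Forbidden("unknown vehicle or command")
        return f"{command} sent to {vin}"

    def command_checked(self, token: str, vin: str, command: str) -> str:
        """Hardened pattern: authenticate the caller, then check they own the VIN."""
        account = self.sessions.get(token)
        allowed = (
            account is not None
            and command in ALLOWED_COMMANDS
            and self.owners.get(vin) == account
        )
        # Log every decision so cross-account attempts show up in detection.
        self.audit.append((account, vin, command, "allow" if allowed else "deny"))
        if not allowed:
            # One generic error for unknown and foreign VINs: no enumeration oracle.
            raise Forbidden("not authorized")
        return f"{command} sent to {vin}"


def demo() -> TelematicsBackend:
    """Build a backend with two constructed accounts and vehicles."""
    return TelematicsBackend(
        owners={"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"},
        sessions={"tok-alice": "alice", "tok-bob": "bob"},
    )
```

The audit list is the detection hook: repeated `deny` entries from one account against VINs it does not own are the pattern worth alerting on.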

Also, the airline industry is just as bad. I won’t go into the details, but the title of this post says it all: “how to completely own an airline in 3 easy steps and grab the TSA nofly list along the way.” By the way, the mainstream press has been reporting that the no-fly list was kept in an Excel .csv file. I think it is much more likely that the no-fly list is kept in a database that was not breached, but for some reason, someone dumped the list into a csv file to do some analysis in Excel, and it was that file that was compromised.
