Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners.
The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.
The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.
The research builds on earlier findings from late last year, when Yuga Labs researcher Sam Curry et al detailed security flaws in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks.
The most serious of the issues, which concern Spireon’s telematics solution, could have been exploited to gain full administrative access, enabling an adversary to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.
images from Hacker News