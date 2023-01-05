Major security flaws have been found in the back-end systems of Mercedes-Benz, Ferrari and other luxury car brands that could have allowed attackers to steal owners' personally identifiable information, track their vehicles and, in some cases, even unlock and start the cars.

Nearly two dozen car brands were affected, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, Kia, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota and Genesis.

In addition to the automakers, the vehicle-technology vendors Spireon and Reviver were affected, as was SiriusXM's connected vehicle service.

Access to private data

The flaws were discovered by security researcher Sam Curry, who has a track record of finding vulnerabilities in connected cars. In late 2022 he had already reported a flaw in SiriusXM's connected vehicle platform that allowed an attacker who knew only a car's vehicle identification number (VIN) to remotely access the vehicle.

In this case, the manufacturers had different vulnerabilities. BMW and Mercedes-Benz each had a misconfigured Single Sign-On (SSO) system. At Mercedes-Benz it let threat actors log in to internal systems, including GitHub instances, private chat servers, other internal servers and AWS instances.

At BMW, the SSO flaw would have given attackers access to internal dealer portals, vehicle identification numbers (VINs) and sales documents containing sensitive owner data.

Across the affected brands, owners of Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche and Toyota vehicles may have had their personally identifiable information (PII) exposed.

Ferrari was also hit hard: a flaw in its own SSO implementation allowed threat actors to access, modify or delete any Ferrari customer account, and even to register themselves as the owner of a car. At Porsche, flaws in the telematics systems allowed threat actors to retrieve the exact location of vehicles and to send commands to them.
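The account takeover at Ferrari and the ability to command other people's vehicles described above are characteristic of one kind of failure: a back-end API that verifies who is calling but never checks that the caller actually owns the account or vehicle named in the request (broken object-level authorization). The following is an added illustrative example, not code from Sam Curry's write-up or from any manufacturer or vendor, and it does not reproduce the actual flaws; the fleet, VINs, session tokens and function names are all constructed for the demonstration. It shows the vulnerable pattern beside the hardened one.

```python
"""Added, illustrative example (not any manufacturer's or vendor's code):
a toy connected-vehicle command API showing the authorization pattern
behind "any logged-in account can control any vehicle" flaws, and the
ownership check that closes it."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to act on a vehicle."""


@dataclass
class Vehicle:
    vin: str
    owner: str          # account name that enrolled the vehicle
    locked: bool = True
    engine_on: bool = False


def make_fleet():
    """Constructed sample data: two fictitious vehicles, two accounts."""
    return {
        "1HGCM82633A004352": Vehicle("1HGCM82633A004352", owner="alice"),
        "WP0AA2A99KS123456": Vehicle("WP0AA2A99KS123456", owner="bob"),
    }


# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Authentication only: establishes who is calling, nothing more."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthorizationError("invalid or expired session")
    return user


def apply_command(vehicle, command):
    """Applies a remote command and returns the vehicle's new state."""
    if command == "unlock":
        vehicle.locked = False
    elif command == "lock":
        vehicle.locked = True
    elif command == "start":
        vehicle.engine_on = True
    elif command == "stop":
        vehicle.engine_on = False
    else:
        raise ValueError(f"unsupported command {command!r}")
    return {"vin": vehicle.vin, "locked": vehicle.locked,
            "engine_on": vehicle.engine_on}


def send_command_vulnerable(fleet, token, vin, command):
    """Checks that the caller is logged in and that the VIN is enrolled,
    but never that the caller owns that VIN. Authentication is mistaken
    for authorization: any account can command any enrolled vehicle."""
    authenticate(token)
    vehicle = fleet.get(vin)
    if vehicle is None:
        raise KeyError("unknown VIN")
    return apply_command(vehicle, command)


def send_command_hardened(fleet, token, vin, command):
    """Binds the authenticated account to the vehicle record before acting.
    Unknown and not-owned VINs get the same response so the endpoint cannot
    be used to enumerate which VINs are enrolled."""
    user = authenticate(token)
    vehicle = fleet.get(vin)
    if vehicle is None or vehicle.owner != user:
        raise AuthorizationError("no such vehicle on this account")
    return apply_command(vehicle, command)


def cross_account_attempt(handler):
    """Bob, holding only his own session, tries to unlock Alice's car.
    Returns True if the command went through, False if it was refused."""
    fleet = make_fleet()
    try:
        state = handler(fleet, "tok-bob", "1HGCM82633A004352", "unlock")
    except AuthorizationError:
        return False
    return state["locked"] is False


if __name__ == "__main__":
    print("vulnerable API let bob unlock alice's car:",
          cross_account_attempt(send_command_vulnerable))   # True
    print("hardened API let bob unlock alice's car:",
          cross_account_attempt(send_command_hardened))     # False
```

The fix is a single comparison, which is exactly why this class of bug survives code review: the endpoint looks protected because it requires a valid session. The ownership check has to be made against the server's own record of who enrolled the vehicle, never against a VIN or account identifier supplied by the client.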

All affected manufacturers and vendors were notified of the findings and have since fixed the vulnerabilities.

Spireon, a GPS vehicle-tracking provider whose systems are believed to be installed in more than 15 million vehicles, had flaws that gave an attacker administrator-level access to its platform and, with it, the ability to track vehicles, unlock them, start the engine or disable the starter.

Because these were flaws in the manufacturers' and vendors' back-end systems rather than in the cars themselves, owners could not have patched them. The practical advice from researchers is to store as little personal information as possible in vehicles and their mobile companion apps, so that a future breach of the same kind exposes less.

