Security researchers have uncovered vulnerabilities in various networked cars. They were able to access internal data from Mercedes and Rolls-Royce, for example, or open and start cars from Hyundai, Nissan, Kia and Honda.
Cars can be opened and started
Modern vehicles are increasingly equipped with extensive assistance programs and on-board computers that are connected to the Internet. For all these elements to function, a constant connection to the servers of the company behind the respective vehicle is necessary. This digital communication represents a vulnerability that criminals could exploit to gain access to the vehicles.
Security researchers have now shown how easily vehicle locks can be bypassed through digital vulnerabilities. For example, they reported being able to open and start vehicles from Hyundai, Nissan, Kia and Honda. All that was needed was the vehicle identification number, usually read from behind the windshield, which had to be sent in an HTTP request to the server of the respective car company. The vulnerabilities exploited in this process are in the SiriusXM platform, which many companies use for their vehicles.
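The flaw described above comes down to a server treating the vehicle identification number as proof of authority, although it is a public identifier. The following added example (not code from the researchers, SiriusXM or any car company) contrasts that pattern with a handler that authenticates the caller and checks vehicle ownership; the request fields, handler names, accounts and VIN are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: the VIN, accounts and enrolment table are made up.
SAMPLE_VIN = "TESTVIN0000000001"
OWNERSHIP = {SAMPLE_VIN: "alice"}        # VIN -> account the vehicle is enrolled to
SERVER_KEY = secrets.token_bytes(32)     # signing key for session tokens

def _sign(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_session(account: str) -> str:
    """Token handed out after a successful login (login itself is out of scope)."""
    return f"{account}.{_sign(account)}"

def account_from_session(token: Optional[str]) -> Optional[str]:
    """Return the account named in a validly signed token, otherwise None."""
    if not token or "." not in token:
        return None
    account, tag = token.rsplit(".", 1)
    ok = hmac.compare_digest(tag.encode(), _sign(account).encode())
    return account if ok else None

def handle_command_vin_only(request: dict):
    """Flawed pattern: a VIN is readable through the windshield, yet it is the only check."""
    vin = request.get("vin")
    if vin in OWNERSHIP:
        return 200, f"{request.get('command')} sent to {vin}"
    return 404, "unknown vehicle"

def handle_command_authorized(request: dict):
    """Hardened pattern: authenticate the caller, then check that the VIN is theirs."""
    account = account_from_session(request.get("session"))
    if account is None:
        return 401, "authentication required"
    vin = request.get("vin")
    # Unknown and foreign VINs get the same answer, so the endpoint does not
    # confirm which VINs are enrolled.
    if OWNERSHIP.get(vin) != account:
        return 403, "not authorized for this vehicle"
    return 200, f"{request.get('command')} sent to {vin}"
```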
Access to company servers possible
In the tests, however, the researchers gained access not only to individual vehicles but in some cases also to the servers of automotive companies, without major difficulty. Insecurely configured single sign-on interfaces allowed access at Ferrari, Mercedes-Benz, Toyota and Porsche, for example. At BMW, employee accounts could be reset and taken over, while at Mercedes and Rolls-Royce it was even possible to execute custom code on the servers. It is not yet known whether the vulnerabilities have been closed. In any case, they cast a shadow over the rapid development not only of general car networking but also of autonomous driving, which depends centrally on precisely these technologies. Mercedes, for example, just unveiled a new autonomous feature a few days ago.