May 13 2023

WORST CAR COMPANY AWARD IN TERMS OF DATA SECURITY GOES TO TOYOTA AFTER LEAKING DATA OF MILLIONS OF CUSTOMERS FOR 10 YEARS

Category: cyber securitydisc7 @ 12:30 pm
Worst car company award in terms of data security goes to Toyota after leaking data of millions of customers for 10 years

The Toyota Motor Corporation confirmed on Friday that the car data of 2.15 million customers in Japan, including those of its premium brand Lexus, had been publicly accessible for almost a decade owing to “human error.” The statement was made in response to a report that the Toyota Motor Corporation had published on Friday. The disaster, which impacted virtually all of Toyota’s clientele who had registered for the company’s primary cloud service platforms after 2012, was brought on by a cloud system that had been inadvertently turned to the public rather than the private mode. Customers who had signed up for the T-Connect service, which offers a wide range of services such as AI voice-enabled driving assistance, automatic connection to call centers for vehicle management, and emergency support in the event of a situation such as a car accident or a sudden illness, were impacted as well. The G-Link services for Lexus vehicles were also impacted. According to the corporation, there have been no complaints of harmful usage; nonetheless, information such as car positions and identification numbers of vehicle devices may have been compromised. This is despite the fact that there have been no indications of malicious use.

This incidence comes to light at the same time that Toyota is ramping up its efforts in the areas of vehicle connection and cloud-based data management in order to provide autonomous driving and other functions supported by artificial intelligence. When asked why it took Toyota so long to realize the error, a spokeswoman for the firm said, “There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public.” In other words, the corporation did not have any mechanisms or activities in place to detect the presence or absence of things that became public.  The problem first surfaced in November of last year and continued through the middle of April of this year.

How to hack any Hyundai, Toyota or Kia cars to steal them

The Personal Information Protection Commission in Japan was made aware of an occurrence, but in keeping with their standard procedure, the commission has chosen not to divulge any more information at this time. Toyota has implemented safeguards to prevent unauthorized third parties from gaining access to the company’s data and is in the process of conducting an examination into all cloud environments that are administered by Toyota Connected Corp. Following a string of previous large data breaches in Japan, including one in March when mobile provider NTT DoCoMo revealed the data of up to 5.29 million users may have been compromised due to a firm to whom it had outsourced work.

The corporation said that it will be contacting individual consumers about the breach and that it has established a hotline for queries.

The problem comes after Toyota disclosed in October a second data breach affecting T-Connect that affected a far lesser amount of customers.

In April, Toyota revealed that there had been security breaches at its headquarters in Italy, which might have resulted in the exposure of customer information.

 InfoSec tools | InfoSec services | InfoSec books

Tags: Car hackers, Car Security, Secure cars

Jan 17 2023

Car companies massively exposed to web vulnerabilities

Category: Security vulnerabilities,Web SecurityDISC @ 11:51 am

From a detailed report – compiled by security researcher Sam Curry – the findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem. https://lnkd.in/gdAXGjaN

The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn.

In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars. The findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem.

From web portals to car locks

Around six months ago, Curry and a few friends stumbled on a vulnerability in the mobile app of a scouter fleet at the University of Maryland, which caused the horns and headlights on all the scooters in the campus to turn on and stay on for 15 minutes. Curry subsequently became interested in doing further investigation along with researchers Neiko RiveraBrett BuerhausMaik RobertIan CarrollJustin Rhinehart, and Shubham Shah.

“We thought it’d be awesome to dump a ton of time into hacking different car companies to see how many ‘horns we could honk’, but it quickly turned into hacking telematics infrastructure and things outside of the telematics APIs,” Curry told The Daily Swig.

The researchers’ findings, detailed on Curry’s blog, highlight an alarming number of critical vulnerabilities across different systems. For example, a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce potentially enabled attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information.

A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools. Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.

Elsewhere a vulnerability in Kia’s web portal for dealers could have allowed attackers to create a fake session, register an account, associate it with any arbitrary vehicle VIN number, and gain access to lock, unlock, and remote start/stop mechanisms, as well as vehicle locations and vehicle camera feeds.

A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves super-user permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.

Other vulnerabilities granted full remote control over the locks, engine, horn, headlights, and trunk of Hyundai and Genesis vehicles made after 2012. The researchers were also able to obtain full remote access to Honda, Nissan, Infiniti, and Acura vehicles.

Dangerous bug in telematics portal

Curry and his colleagues found a SQL injection vulnerability in the admin portal of Spireon, the parent company of several car telematics and fleet management vendors that collectively service 15 million vehicles. Curry described this as their “most alarming finding” because the vulnerability allowed them to gain administrator access to the company’s platform.

“Using our access, we could access all user accounts, devices (vehicles), and fleets,” he said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”

The researchers found they were able to lock starters, unlock vehicles, track vehicles, and send rogue dispatch addresses to vehicles like police cars and ambulances. The researchers further suspect the security shortcomings made it possible to install backdoors and run arbitrary commands on Spireon devices.

Half-baked

“There were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry said.

The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functionality for managing vehicles, purchase contracts, and telematic devices.

“From what it seems, car companies really rushed to install these devices,” Curry said. “Currently, these installations mostly have limited functionality so you can only do things like track, unlock, and start the vehicle, but with companies like Tesla and Rivian building more connected vehicles which can actually be controlled remotely, I’m worried that market pressure will force these companies to build half-baked solutions which are open to attack.”

Checkout our latest posts on API security…

Contact DISC InfoSec

InfoSec books | InfoSec tools | InfoSec services

Tags: Car Security

Jan 10 2023

Automotive Industry Exposed to Have Major API Vulnerabilities

Category: cyber securityDISC @ 4:42 pm
Automotive Industry Exposed to Have Major API Vulnerabilities

The impacted automotive giants include BMW, Toyota, Ford, Honda, Mercedes-Benz and many more…

These API vulnerabilities exposed vehicles to information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping engines.

Millions of vehicles belonging to 16 different manufacturers had completely exposed API vulnerabilities which could be abused to unlock, start, and track cars while also impacting the privacy of the vehicle owners.

These vulnerabilities were found by security researcher Sam Curry who conducted in-depth research into the security loopholes of the automotive industry along with researchers Neiko RiveraBrett BuerhausMaik RobertIan CarrollJustin Rhinehart, and Shubham Shah

Automotive Industry Exposed to Have Major Vulnerabilities

In a detailed report, Curry laid out vulnerabilities found in the automotive APIs powering several automotive giants including the following:

  • Kia
  • BMW
  • Ford
  • Honda
  • Acura
  • Jaguar
  • Nissan
  • Porsche
  • Toyota
  • Ferrari
  • Spireon
  • Reviver
  • Genesis
  • Hyundai
  • Infiniti
  • SiriusXM
  • Land Rover
  • Rolls Royce
  • Mercedes-Benz

According to researchers, information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping engines of cars were all real possibilities that hackers could access before the security vulnerabilities were fixed by respective manufacturers following responsible disclosure. 

Spireon’s telematics solution faced the most serious of issues which could have been exploited to gain full administrator access to the company’s platform, enabling a threat actor to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware. 

“Using our access, we could access all user accounts, devices (vehicles), and fleets,” Curry said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”

Another vulnerability reported in the researchers’ findings showed that a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce could allow attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information. 

A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users’ or (worse yet) give themselves superuser permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.

A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools.

Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.

“There were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry wrote in a blog post.

The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functions for managing vehicles, purchase contracts, and telematic devices.

This only goes to show that as much of a hurry as these car companies were to install these devices, they completely overlooked the task of securing their online ecosystem. 

Infosec books | InfoSec tools | InfoSec services

Tags: Car Hacker, Car Security, Connected cars

Dec 06 2022

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

Category: API security,App Security,cyber security,Mobile Security,Remote codeDISC @ 10:31 am

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

The majority of major automobile manufacturers have addressed vulnerability issues that would have given hackers access to their vehicles to perform the following activities remotely:-

  • Lock the car
  • Unlock the car
  • Start the engine
  • Press the horn
  • Flas the headlights
  • Open the trunk of certain cars made after 2012
  • Locate the car

Flaw in SiriusXM

SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.

There is a particular interest among security researchers in the area of connected cars, like Yuga Labs’ Sam Curry. In fact, he’s the one who was responsible for discovering a security hole in the connected cars of major car manufacturers during his routine research.

There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.

Affected Car Brands

Here below we have mentioned the brands’ names that are affected due to this critical bug in SiriusXM:-

  • Acura
  • BMW
  • Honda
  • Hyundai
  • Infiniti
  • Jaguar
  • Land Rover
  • Lexus
  • Nissan
  • Subaru
  • Toyota

Vulnerability Analysis

During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.

The flaw is associated with the enrollment process for SiriusXM’s remote management functionality which results in the vehicle being tampered with.

There is not yet any technical information available about the findings of the researchers at the present time, since they haven’t shared anything in detail.

Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most plentiful and frequently referenced apps in this domain.

In order for the data exchanged through the telematics platform to be authorized, the vehicle identification number (VIN) only needs to be used. The VIN of the vehicle can therefore be used to carry out a variety of commands by anyone who knows the number.

The next step would be to log in to the application later on, and then the experts examined the HTTPS traffic that came from a Nissan car owner.

Researchers discovered one HTTP request during the scan in which they conducted a deep analysis. 

It is possible to obtain a bearer token return and a “200 OK” response by passing a VPN prefixed ID through as a customerID in the following way:-

Car App

Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-

  • Name
  • Phone number
  • Address
  • Car details

In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.

As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.

Recommendations

Here below we have mentioned the recommendations made by the security analysts:-

  • Ensure that you do not share the VIN number of your car with unreliable third parties.
  • In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
  • Keep your passwords up-to-date by changing them on a regular basis.
  • Keeping your system up-to-date should be a priority for users.

The Car Hacker’s Handbook: A Guide for the Penetration Tester

Tags: Car Security

Jul 20 2022

Million of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Category: Cyber Attack,Hardware Security,Threat detectionDISC @ 8:28 am
Million of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow hackers to remotely hack them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.

MiCODUS flaws

An attacker can exploit the flaws to remote disruption of critical functions of the impacted vehicles.

“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.

The flaws were discovered by BitSight researchers, they have been tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944.

Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.

MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.

The list of the vulnerabilities discovered by the researchers in September 2021 is reported below:

  • CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
  • CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
  • CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
  • CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
  • Experts found a sixth issued that has yet to receive a CVE (CVSS score: 8.1) – all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.

The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.

BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaw, at least until the vendor will address the issues.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Researchers highlighted the risks that a nation-state actor could potentially exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its supplies. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws-

“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles

These days security of car is very essential. Thieves are finding more ways of stealing cars and other four wheeler vehicles. In this book we have given details about the anti-theft system which will help to car owners to secure their cars. This system is efficient and affordable. This system gives more advantages than other anti-theft system. Main feature of this system is that owner will gate information if the car is being stolen and the location of car (longitude and altitude).

Anti-theft Locking and Tracking system using GSM and GPS Technology

Tags: Car Security, GPS Trackers