Vulnerabilities allowing "remote unlocking", "remote engine start", and "personal information acquisition" are discovered in automobiles from manufacturers such as Toyota, Honda, and Nissan



Automobiles sold in recent years are equipped with many semiconductors, and functions such as starting the engine, turning on the headlights, and unlocking are electronically controlled. A research team led by security researcher Sam Curry analyzed automobiles from manufacturers such as Toyota, Honda, Nissan, BMW, and Mercedes-Benz, and worked out methods of operating the vehicles from the outside. In addition, by analyzing the websites of each automobile manufacturer, the team discovered vulnerabilities that allow users' personal information to be extracted.

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More | Sam Curry

https://samcurry.net/web-hackers-vs-the-auto-industry/

The research team analyzed vehicles and websites of multiple manufacturers and found vulnerabilities that lead to remote control and user information theft. Some of the vulnerabilities reported by the research team are as follows.

◆Toyota
・Discovered a vulnerability that allowed access to customer names, telephone numbers, e-mail addresses, and loan status managed by Toyota-affiliated companies.

◆Honda, Nissan, Kia Motors
・It is possible to remotely access the vehicle system and perform operations such as 'lock', 'unlock', 'engine start', 'engine stop', 'headlights on' and 'honk horn'.

・Ownership can be changed by excluding the original user from the vehicle system. In the case of Kia Motors, it was possible to access the 360-degree view system to obtain information about the vehicle's surroundings.



◆BMW
・Succeeded in accessing an employee-only application by impersonating an employee.



・Customer personal information, including car sales information, can be accessed from employee-only applications.



◆Mercedes-Benz
・It is possible to access the internal GitHub repository by impersonating an employee. The internal GitHub repository contained the source code of the vehicle management application 'Mercedes me connect' and detailed instructions for accessing the vehicle system.

・By impersonating an employee, it was possible to access the internal chat system and ask questions such as 'how to obtain vehicle management authority.'




◆Ferrari
・Ownership can be overridden by accessing the vehicle management system.



・It is possible to access the internal system and view detailed customer information.



The vulnerabilities above are only part of what the research team has published; the report states that it was also possible to access information at other manufacturers such as Porsche and Hyundai. The report also explains the specific methods used to discover the vulnerabilities.

in Ride, Security, Posted by log1o_hf