Ethical hackers have shown that it is possible to take remote control of Ferrari, BMW, Rolls Royce, Mercedes-Benz or Porsche vehicles. These brands have prioritized their customer relationship at the expense of cybersecurity.
Futura has previously explained how to hack a car in two lessons, and it appears that cybersecurity is still not a priority among car manufacturers. Mass-market vehicles are in fact more secure than the most prestigious cars. According to Sam Curry, a cybersecurity expert, brands such as Ferrari, BMW, Rolls Royce, Mercedes-Benz, Porsche and Ford are far more vulnerable to cyberattacks than others. The researcher discovered major vulnerabilities affecting these vehicles at the level of their geolocation services.
Spireon, a company that provides GPS tracking for more than 15 million vehicles, including those of the emergency services, is one of the weak links. Through its service, brands can run remote routines, for example to immobilize a vehicle by blocking its ignition. The hackers, however, managed to access the company’s administration dashboard, and with it the vehicle identification numbers and the geolocation of the vehicles. In all, 1.2 million user accounts on this system slipped out of Spireon’s control.
With this data, the hackers were able to go further and target the Mercedes-Benz brand, for example. They then realized they could go further still by breaking into a vehicle maintenance website. From that site, they reached the core of the IT systems connected to the brand’s vehicles, where they could not only execute code remotely but also take administrative control of the brand’s Amazon Web Services (AWS) account.
Ethical hackers to strengthen security
The case of Mercedes is not unique: the hackers also went after prestigious manufacturers like Ferrari. They found that, despite authentication measures, subdomains such as “api.ferrari.com”, “cms-dealer.ferrari.com”, “cms-new.ferrari.com” and “cms-dealer.test.ferrari.com” could be compromised. Through the site’s APIs, they were able to access sensitive information about the brand’s customers. They could have modified, created or deleted user accounts, and even registered themselves as the owner of a Ferrari.
According to Sam Curry, these prestigious brands are all affected by vulnerabilities in the systems that are supposed to streamline their relationships with customers. Curry is what is known as a bug bounty hunter, that is, an ethical hacker who is rewarded for detecting flaws. He therefore reported his findings to the brands, which have reportedly since fixed all the flaws he disclosed.