Luxury car brands such as Mercedes-Benz and BMW hit as security experts disclose multiple vulnerabilities affecting millions of vehicles

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

CTOnews.com, January 8 (Xinhua) -- Security experts have discovered security vulnerabilities affecting millions of cars across almost all major car brands around the world. Attackers can exploit vulnerabilities in car telematics systems, car APIs and supporting infrastructure to perform various operations, and even take over a car remotely.

CTOnews.com learned that brands such as Mercedes-Benz, BMW, Rolls-Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover, as well as fleet management company Spireon and digital license plate company Reviver, were affected.

Sam Curry of Yuga Labs discovered vulnerabilities in a number of Hyundai and Genesis models while researching car hacking, and found that vulnerabilities in Sirius XM's Connected Vehicle Services affected Honda, Nissan, Infiniti and Acura.

"All the affected companies fixed these problems within a day or two after the report," Curry said. "We work with all of these companies to verify them and ensure that these loopholes are not bypassed."

Building on Curry's vulnerability research, security experts have found a number of security vulnerabilities affecting a wide range of areas. From a public safety perspective, the most serious vulnerability was found in Spireon, which owns several GPS vehicle tracking and fleet management brands, including OnStar, GoldStar, LoJack, FleetLocate and NSpire, covering 15 million connected vehicles.

Curry and the team found multiple vulnerabilities, including SQL injection and authorization bypass, that allowed them to execute remote code across all of Spireon and completely take over any fleet vehicle.

"This will enable us to track and turn off the starters of police, ambulances and law enforcement vehicles in different cities and issue instructions to these vehicles," the researchers wrote.

"These vulnerabilities also give them full administrator access to Spireon and a company-wide management panel from which attackers can send arbitrary commands to all 15 million cars to remotely unlock doors, honk, start engines and disable starters," the researchers wrote.

In addition, the researchers found overly permissive access control vulnerabilities affecting Ferrari, which allowed them to access the JavaScript code of several internal applications. This code contains API keys and credentials that may allow an attacker to access customer records and take over (or delete) customer accounts.

The researchers say attackers can POST to the "/core/api/v1/Users/:id/Roles" endpoint, edit their user roles, set themselves to have superuser privileges or become Ferrari owners.
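
A role-editing endpoint like the one described is safe only if the server checks the caller's own privileges before applying the change. The following is an added example, not code from the researchers or from any vendor, that puts the weak pattern beside a server-side check; the role names, rank table, policy and function names are assumptions.

```javascript
// Added illustration: role names, ranks, policy and function names are
// hypothetical, not taken from any vendor's API.
const RANK = new Map([["customer", 1], ["owner", 2], ["admin", 3], ["superuser", 4]]);
const maxRank = (roles) => Math.max(0, ...roles.map((r) => RANK.get(r) || 0));

// Constructed sample user store.
function makeStore() {
  return new Map([
    ["u1", { roles: ["customer"] }],
    ["u2", { roles: ["admin"] }],
    ["u3", { roles: ["customer"] }],
  ]);
}

// Weak pattern: any authenticated caller may write any role to any user id.
function setRolesUnchecked(store, callerId, targetId, roles) {
  store.get(targetId).roles = [...roles];
  return { status: 200 };
}

// Hardened pattern: the server decides from its own records whether the
// caller may grant the requested roles, and logs every decision.
function setRolesChecked(store, callerId, targetId, roles, audit = []) {
  const finish = (status, reason) => {
    audit.push({ callerId, targetId, roles, status, reason });
    return { status, reason };
  };
  const caller = store.get(callerId);
  const target = store.get(targetId);
  if (!caller) return finish(401, "unknown caller");
  if (!target) return finish(404, "unknown target");
  if (!Array.isArray(roles) || !roles.every((r) => RANK.has(r)))
    return finish(400, "unknown role");
  const callerRank = maxRank(caller.roles);
  if (callerRank < RANK.get("admin"))
    return finish(403, "caller may not assign roles");
  if (callerId === targetId)
    return finish(403, "self-assignment not allowed");
  // Assumed policy: grant only roles below your own, only to users below you.
  if (maxRank(roles) >= callerRank || maxRank(target.roles) >= callerRank)
    return finish(403, "role at or above caller's rank");
  target.roles = [...roles];
  return finish(200, "ok");
}
```

The audit array records denied attempts as well as successful changes, so repeated 403 responses from one caller on this endpoint can feed an alert.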
