Major security flaws found in Mercedes, Ferrari and other top luxury cars

Smart Car
(Image credit: 123RF)

Major security flaws have been found in Mercedes, Ferrari, and other top luxury cars which could have allowed threat actors to steal the owners’ personally identifiable information, track their vehicles, and in some cases - even unlock and start the cars.

Almost two-dozen car brands were affected by the flaws, including top brands such as BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis. 

Besides car manufacturers, car technology makers Spireon and Reviver were also impacted, as well as SiriusXM Connected Vehicle Services.

Access to private data

The flaws were discovered by cybersecurity researcher Sam Curry who has a history of discovering security flaws in connected cars. In early December 2022, he discovered a flaw in SiriusXM Connected Vehicle Services that enabled threat actors to access connected vehicles.

In this case, different manufacturers had different vulnerabilities. BMW and Mercedes-Benz have had a flawed Single-Sign-On (SSO) feature that allowed threat actors to access internal systems, giving them access to GitHub instances, private chats, servers, AWS instances, and more. 

With BMW, potential attackers could have gotten access to internal dealer portals, car VIN numbers, as well as sales documents with sensitive owner details.

Besides the two major brands, owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Roll Royce, Ferrari, Ford, Porsche, and Toyota cars, could have had their personally identifiable information (PII) leaked. 

Ferrari was also heavily affected, as the SSO flaw allowed threat actors to access, modify, or delete, any Ferrari customer account. They could have even set themselves as car owners. With Porsche, flaws in its telematic systems allowed threat actors to pinpoint the exact location of the cars, and even send commands to the vehicles.

All of the impacted vendors were notified of the findings, and have since fixed the flaws.

GPS vehicle tracking provider Spireon, allegedly used in more than 15 million vehicles, carried a flaw which, among other things, allowed for threat actors to unlock the cars, start the engine, or disable the starter. 

To protect against such flaws in the future, researchers suggest vehicle owners store as little personal information in vehicles and mobile companion apps as possible.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.