A new report suggests that security bugs were found in 16 vehicle brands including Acura, BMW, Ferrari, Ford, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities, researchers said, could allow a hacker to start, unlock, and track those cars from point to point.
The vulnerabilities can run even deeper, Sam Curry, a web application security researcher, writes. This includes giving a hacker the ability to dig into a vehicle’s API (Application Programming Interface), and create all sorts of havoc. With the right amount of technical savvy, a hacker could completely take over a vehicle owner’s account, allowing them to modify or delete all sorts of personal information.
Consumers who own those cars and also have SiriusXM installed run an additional risk of having their personal information accessed.
What vehicles are affected and to what extent
The vehicles impacted and some of the problems that Curry said were possible include:
Acura, Honda, Genesis, Hyundai, Infiniti, Kia, Honda, Nissan,
Remotely lock and unlock the vehicle, start and stop the engine, precisely locate the vehicle, flash the headlights, honk the horn, and open the trunk.
Fully take over the owner’s account and access personally identifiable information (PII) including name, phone number, email address, physical address.
Locks users out of remotely managing their vehicle and changing the ownership of the vehicle.
For Kias specifically, Curry said his team could remotely access the 360-view camera and view live images from the car.
As for Acuras and Hondas, any associated problems have been fixed according to the company.
“Honda is aware of a reported vulnerability involving SiriusXM connected vehicle services provided to multiple automotive brands, which, according to SiriusXM, was resolved quickly after they learned of it," a spokesperson for the company told ConsumerAffairs.
"Honda has seen no indications of any malicious use of this now-resolved vulnerability to access connected vehicle services in Honda or Acura vehicles.”
Ferrari
Fully take over a Ferrari customer’s account, including access to all customer records
Ford
Allows access to a customer’s PII as well as the potential to track and execute commands on vehicles
Porsche
Ability to send and retrieve the geo-location of the vehicle, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
Toyota
Access to Toyota Financial data that could contain the name, phone number, email address, and loan status of any Toyota financial customer
Jaguar, Land Rover
Possible access to user account information including name, phone number, physical address, and geo-location of the vehicle.
All vulnerabilities appear to have been fixed
Curry told SecurityWeek that all of the automakers whose vehicles were affected had patched the vulnerabilities. However, owners of those vehicles should double-check with their dealer to make sure their systems have been updated to prevent threats like these.
“Software updates for your car are typically free. This applies if they correct an issue covered by warranty, fix problems with emissions systems or safety recalls,” CarVoice’s Christopher said.
“If your vehicle lacks [automatic “over-the-air”] update capabilities, you will need to take it to your local dealership. The process of installing software updates on your car is simple and straightforward. It’s included in the warranty, so you shouldn’t have to pay anything extra for it.”