Hacker Says He Discovered a Way to Remotely Unlock and Start One Carmaker's Vehicles



A vulnerability that could have let an attacker control certain vehicle functions, track vehicles and view the personal and financial data of those vehicles’ owners was detailed by a security researcher at the DEF CON hacking conference in Las Vegas.

The story, first reported by TechCrunch, summarizes research by Eaton Zveare, a researcher at software company Harness. Which car company does this affect? Zveare didn’t name the automaker, saying only that it is a widely known car maker with popular sub-brands. In principle, that means a large number of vehicles would have been exposed had a malicious actor found the flaw first. Zveare reported the vulnerability, and the company has since told him that it has been addressed.

But how was this possible in the first place? Zveare says his entry point was the automaker’s online dealership portal. Security flaws in the portal’s login system allowed him to bypass authentication entirely and create a “national admin” account, which effectively gave him administrator access to the portal.

With this access, Zveare was able to use the portal’s user look-up tool to pair any vehicle with a mobile app account. Many vehicle apps today let the owner remotely lock or unlock the car, start it, look up its location, and more. All Zveare needed to find a potential target was a person’s first and last name; and even without a name, a VIN alone was enough to look up the owner’s name in the portal.

He tested this using a friend’s car, transferring the vehicle’s app account to himself, which gave him every privilege his friend had previously had through the app. Zveare said he did not test whether he could drive the vehicle away, but the access granted could have put personal belongings and data in the hands of bad actors.
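The chain described above (a portal login that could be bypassed, an admin-level look-up tool, and a vehicle re-paired to a different app account with nothing more than a name or VIN) comes down to a missing authorization and consent check on the pairing operation. The following Python is an added, constructed example and is not the automaker’s portal code or Zveare’s tooling; the page does not describe the portal’s login flaw, so the example starts from an already-authenticated session. The roles, dealer IDs, VINs and e-mail addresses are made up. It places a version of the pairing function with the weakness the article describes beside a hardened version that scopes dealer users to their own vehicles, requires the current owner to confirm the transfer with an out-of-band code, and writes an audit trail that a defender could later search for suspicious activity.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: VINs, accounts and dealer IDs are invented.
@dataclass
class Vehicle:
    vin: str
    owner_account: str   # the mobile-app account the car is paired with
    dealer_id: str       # the dealership that services this car

@dataclass
class Session:
    user: str
    role: str                       # "dealer_user" or "national_admin"
    dealer_id: Optional[str] = None # set for dealer users only

def make_fleet():
    return {v.vin: v for v in [
        Vehicle("1HGXX00000TEST001", "alice@example.com", "D100"),
        Vehicle("1HGXX00000TEST002", "bob@example.com", "D200"),
    ]}

class VulnerablePortal:
    """Pairing tool as the article describes it: any logged-in portal user can
    re-point any VIN at any app account. No scope check, no owner consent,
    no audit trail."""
    def __init__(self):
        self.vehicles = make_fleet()

    def transfer(self, session, vin, new_account):
        if session.role not in ("dealer_user", "national_admin"):
            raise PermissionError("not logged in")
        vehicle = self.vehicles[vin]
        vehicle.owner_account = new_account   # the whole check is "is logged in"
        return vehicle.owner_account

class HardenedPortal:
    """Same operation with three controls: least privilege (dealer users are
    scoped to their own dealer), owner consent (a one-time code delivered to
    the current owner must come back before anything changes), and an audit
    log of every request, denial and completion."""
    def __init__(self):
        self.vehicles = make_fleet()
        self.pending = {}   # vin -> (code, new_account, requesting user)
        self.audit = []     # tuples a detection engineer can search later
        self.outbox = []    # stands in for SMS/e-mail to the current owner

    def request_transfer(self, session, vin, new_account):
        vehicle = self.vehicles[vin]
        in_scope = (session.role == "national_admin" or
                    (session.role == "dealer_user" and
                     session.dealer_id == vehicle.dealer_id))
        if not in_scope:
            self.audit.append(("denied", session.user, vin))
            raise PermissionError("vehicle is outside this user's dealer scope")
        code = secrets.token_hex(4)
        self.pending[vin] = (code, new_account, session.user)
        self.outbox.append((vehicle.owner_account, code))  # goes to the CURRENT owner
        self.audit.append(("requested", session.user, vin, new_account))
        return "pending owner confirmation"

    def confirm_transfer(self, vin, code):
        entry = self.pending.get(vin)
        if entry is None or not hmac.compare_digest(entry[0], code):
            self.audit.append(("bad_confirmation", vin))
            return False
        _, new_account, requester = self.pending.pop(vin)
        self.vehicles[vin].owner_account = new_account
        self.audit.append(("transferred", requester, vin, new_account))
        return True

if __name__ == "__main__":
    forged_admin = Session("forged-admin", "national_admin")
    weak = VulnerablePortal()
    print("vulnerable:", weak.transfer(forged_admin, "1HGXX00000TEST001", "attacker@example.com"))
    strong = HardenedPortal()
    print("hardened:", strong.request_transfer(forged_admin, "1HGXX00000TEST001", "attacker@example.com"))
    print("still owned by:", strong.vehicles["1HGXX00000TEST001"].owner_account)
    print("audit:", strong.audit)
```

The hardened version does not try to make the admin role harmless; it makes the admin role insufficient on its own, because completing a transfer needs something only the current owner holds. The audit tuples are the artefact the automaker would have needed when it went looking for access other than Zveare’s.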

As noted above, this vulnerability is no longer present in the automaker’s dealer portal, and the automaker confirmed to Zveare that it has not detected any suspicious access to the portal other than Zveare’s own testing. That should mean customers are safe today, but it is another reminder of the pitfalls that come with today’s connected cars.
