We got to know Sam Curry from publishing his results about a vulnerability in the SiriusXM Connected Vehicles Services suite and an API vulnerability affecting Genesis and Hyundai cars on Twitter (our summary from last year). This year, Curry published a summary and some details about the vulnerabilities they found in 2022 in his blog. The list not only contains hacks allowing them to perform certain actions remotely, e.g., remote lock/unlock, engine start, and honk, it also contains vulnerabilities of the manufacturers’ backend, thus access to customer data.

Full account takeover on BMW and Rolls Royce via misconfigured SSO
The Single Sign-On (SSO) portal for car dealers is essential for getting access to various services, internal tools, and infrastructure. Therefore, it was also targeted by the group around Sam Curry. They found early, through fuzzing, a Web Application Description Language (WADL) file which exposed API endpoints. Further querying the endpoints led them to a rest endpoint exposing the usernames when sending a query with a wildcard (*). By knowing the username, they could also access the totp endpoint which returned the corresponding one-time password of the user. With this information they looked for an example account in the database and then used the “forgot password” functionality on the dealership portal. As they knew the one-time password (OTP), they could successfully change the password and ultimately access the BMW dealership portal that, apparently, wasn’t just filled with demo data, it was linked to an actual dealership allowing them to query specific VINs and to retrieve sales documents.

Remote code execution and access to internal tools via misconfigured SSO
They followed a similar approach as for the BMW portal but couldn’t find any vulnerabilities. By fuzzing random sites, they found a website for vehicle repair shops with public registration enabled and further analysis made them believe that it uses the same LDAP database as for the employee system. Once they created a user, they tried Mercedes’ git subdomain and voila, they could successfully log in and even had access to internal documentation and source code, such as the Me Connect app.
At this point they reported the vulnerability, but the team at Mercedes-Benz may have misunderstood the impact of this vulnerability, so they got going again. In the end they were able to do a remote code execution via exposed applications and even got access to any channel of Mercedes-Benz’ internal communication tool (Mercedes-Benz Mattermost).

Full account take-over and arbitrary account creation on Ferrari
The SSO functionality was poorly implemented and allowed Curry and his team to extract more information about the services behind the subdomains. Through one API call they were (i) able to get a list of all users registered to the Ferrari Dealers application and (ii) able to register a new account with admin permissions. By investigating the available API calls in more detail, they ultimately figured out how to access the production API that gives access to the personal information of any of the company’s customers. This allowed them to access and manage any user’s vehicle profile.

Full takeover of fleet management systems by Spireon
Spireon is a vehicle tracking and management company that is deployed on over 15 million vehicles, with customers like police departments, ambulance services and truck companies. The admin page seemed to be the first step for them and “since the website was so old, we tried the trusted manual SQL injection payloads …”. Yet, they got redirected to the login page. After a few more tries, they found some SQL injection vulnerabilities and finally got access to the admin user which can access all Spireon devices and change their configuration.
The team didn’t stop there and continued exploring ways to bypass the authorization – and they found another way. They were able to browse through all customer and fleet accounts,  “we had access to everything”.

Remotely track and overwrite virtual license plates from Reviver
Reviver is a company providing digital license plates, allowing you to customize the background, slogan and report it as stolen. This sounds quite fun, yet they are only legal in California. The license plate also allows you to track your vehicle via a built-in SIM card.
The group first started to create an account and analyse the communication from the mobile app via a proxy. This gave them some more information, yet they were not able to continue. Not giving up, they looked for a web interface, which would be easier to test as no proxy is needed. Luckily, the password reset webpage provided much more functionality, including managing the associated license plates. Looking at the JavaScript code they found out that there were several roles, they were consumer, but were able to upgrade their “role” successfully to corporate.  Though their role changed, they still received authorization errors, but if they invited a new user, this user gets the same role and permissions, and they didn’t get any errors anymore. This way, they were able to create a user with the role “REVIVER” – the administrator role. The frontend was broken as it was designed for customers and not the administrator, however, they could still manipulate the API calls. Thus, they had administrator privileges and were able to perform any API call such as querying a user account, viewing the vehicle’s location, updating the license plate, and adding new users to accounts.

Even more vulnerabilities
Other vulnerabilities they have found included remote vehicle access and account takeover of Hyundai, Genesis, Honda, Nissan, Infinity, and Acura vehicles

Written by Thomas Rosenstatter