If You Have A Car Or Truck Made Since 2015 Which Is Connected To The Internet, Read This...
That connectivity may be a real risk; read below and definitely check out the video...
Really stunning stuff here; Chinese or Russian hackers could really screw things up. The moral to this story is simple - DON’T HAVE YOUR CAR OR TRUCK CONNECTED TO THE WEB… Here’s the web log posting:
“We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.
At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
Findings Summary
During our engagement, we found the following vulnerabilities in the companies listed below: …” https://samcurry.net/web-hackers-vs-the-auto-industry/
Here are just a few examples in a long, long list:
“Spireon
Multiple vulnerabilities, including:
Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
Full administrative access to all Spireon products, including the following…
GoldStar - https://www.spireon.com/products/goldstar/
LoJack - https://www.spireon.com/products/goldstar/lojackgo/
FleetLocate - https://www.spireon.com/products/fleetlocate-for-fleet-managers/
Trailer & Asset - https://www.spireon.com/solutions/trailer-asset-managers/
In total, there were…
15.5 million devices (mostly vehicles)
1.2 million user accounts (end user accounts, fleet managers, etc.)
Ford
Full memory disclosure on production vehicle Telematics API discloses:
Discloses customer PII and access tokens for tracking and executing commands on vehicles
Discloses configuration credentials used for internal services related to Telematics
Ability to authenticate into customer account and access all PII and perform actions against vehicles
Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
Reviver
Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
Access all user records, including what vehicles people owned, their physical address, phone number, and email address
Access the fleet management functionality for any company, locate and manage all vehicles in a fleet”
See https://samcurry.net/web-hackers-vs-the-auto-industry/
Here’s the video:
I'm wondering about the ship which crashed into the bridge in Baltimore. We know the Russians are fucking with flights in Europe, messing with GPS, and I understand that other ships may have been affected as well.
It's one thing to make sure your car is not hacked, but what about the others all around you?
Don't forget that the Government can also control your car, especially the EVs. They are now going to require a kill switch, so they can shut down everybody in one go. Let's say that they wanted to crush dissent and rebellion before it happened; then the kill switch is the right tool. They can also listen in on everything, so a car is no longer a car; it's a surveillance device, just like a phone is no longer a phone. It's a tracking device. The Government is furiously collecting every bit of information that they can on all of us. I guess they think we're the enemy within.