How these hackers accessed information at 7 automakers


Curry said the intrusion into Ferrari’s back end was also notable.

“One of the fun things was Ferrari’s vulnerability,” said Curry. “Everyone who bought a Ferrari was there and I was able to get their name, address, phone number, address and information about the vehicle.

“I was able to hijack someone’s Ferrari account, pretend to be it, and get the sales documents,” he added.

The group also compromised Spireon’s backend. Spireon provides device-independent telematics for fleets and vehicles operating on the OnStar and GoldStar platforms.

“I think people should be concerned about Spireon’s vulnerability,” Curry said. “They have 15 million different vehicles. Spireon has a large fleet and end-user vehicles with GoldStar or OnStar and many other vehicle solutions.

“I was able to send commands to the car to disable the starter, remotely unlock it, remotely start it, etc. There was also full administrative access to basically do whatever you want with these devices,” he said.

Curry said many car owners are concerned about the Spireon vulnerability, even if they don’t have OnStar.

“Spireon is deeply embedded in the automotive ecosystem. We offer so many different capabilities to so many different customers, millions of users and millions of vehicles,” said Curry. “If we wanted to turn ourselves in to the Cincinnati State Police, this breach could have remotely disabled police cars, ambulance starters, and more.”

Spireon said its cybersecurity experts “assessed the alleged system vulnerabilities and took immediate corrective action to the extent necessary. We also appreciate our continued commitment to our customers as a leading aftermarket provider. As part of this, we have taken proactive steps to further enhance security across our product portfolio. A telematics solution.”

Curry also hacked Reviver, a company that sells digital license plates to consumers and fleets. He was able to get full “super admin access” to manage all Reviver user accounts and vehicles.

Functions he could perform remotely included tracking the physical GPS location of all Reviver customers. He was able to update a vehicle’s status to “stolen”, update the license plate, notify law enforcement, and access records for all users. Hackers can identify the vehicles people own and their addresses, phone numbers and email addresses.

A Reviver spokesperson said company executives met with Curry and data security and privacy experts to fix the company’s vulnerabilities.

“Our investigation has confirmed that this potential vulnerability has not been exploited. No customer information was affected and there is no evidence of ongoing risk associated with this report,” Reviver says. “As part of our commitment to data security and privacy, we have taken this opportunity to identify and implement additional safeguards that complement our existing critical protections.”

