As new vehicles continue to come equipped with more and more technology, there’s one major problem that owners face – security threats. We’ve already seen this happen numerous times in recent years, with certain vehicles being exposed for security flaws, while even Ford’s Phone As A Key function (as well as similar features from other automakers) was found to be susceptible to hackers, who can remotely gain access to those systems via Bluetooth. This is precisely the sort of thing that both automakers and the National Highway Traffic Safety Administration (NHTSA) are trying to prevent, but a recent test discovered some new vulnerabilities in Ford security measures, as well as those employed by other automakers, according to Security Affairs.
These Ford security flaws were discovered by a team of cybersecurity researchers, who note that they can be exploited by hackers to gain access to vehicles and perform activities such as tracking them or unlocking doors remotely. These problems don’t just pertain to vehicle software, either – the team also found flaws in services provided by companies such as Reviver, SiriusXM, and Spireon.
Many of these problems stem from improperly configured SSO (Single Sign-On) systems, which gave researchers access to hundreds of mission-critical internal applications in the case of Mercedes-Benz, giving hackers the ability to access sensitive data. The same was true of BMW and Rolls Royce, where researchers were able to exploit SSO issues to access employee applications, internal dealer portals, sales documents, and owners’ addresses, and even to mark vehicles as stolen. These flaws were brought to the attention of the affected automakers, however, who have since fixed the security threats.
“While testing BMW assets, we identified a custom SSO portal for employees and contractors of BMW,” the research team said. “This was super interesting to us, as any vulnerabilities identified here could potentially allow an attacker to compromise any account connected to all of BMW’s assets. For instance, if a dealer wanted to access the dealer portal at a physical BMW dealership, they would have to authenticate through this portal. Additionally, this SSO portal was used to access internal tools and related devops infrastructure. To demonstrate the impact of the vulnerability, we simply Googled ‘BMW dealer portal’ and used our account to access the dealer portal used by sales associates working at physical BMW and Rolls Royce dealerships.”
We’ll have more on new vehicle cybersecurity soon, so be sure and subscribe to Ford Authority for ongoing Ford news coverage.
Comments
Article is a bit light on the vulnerabilities as they pertain to Ford.
Unfortunately there were no specific details provided that pertain to Ford, it was only listed as one of the affected automakers.
Seems almost like Ford copied and pasted this article from BMW. I’m sure ALL autos have certain electronic vulnerabilities built into systems today, and builders will be very careful about how much the public in general knows about them. After all, if they are able to reprogram my ECU from who knows where while my truck sits in my garage, other hackers will figure out how the system works pretty quickly.
Hacking the Phone As A Key would involve so many just-right scenarios it is effectively improbable. Can it be done in a lab with all the time in the world and million-dollar equipment? Sure. In the real world? I’m not worried.