Security researchers were able to break into the back-end operations of Ford, Mercedes, BMW, Ferrari, Porsche, Rolls-Royce, GM, and Jaguar Land Rover, following their successful intrusion last year into Toyota, Honda, Hyundai, and Nissan cars.
UConnect systems appear to be relatively secure
A different group had found vulnerabilities in Fiat Chrysler’s SiriusXM systems years ago, which may have led FCA, now Stellantis, to take a closer look at the satellite-radio-and-information-services provider’s security.
The “white hat” hackers broke into the cars’ systems to find flaws before malefactors did; they immediately informed the companies involved and waited 90 days to release information to the public, to give the companies a chance to fix the issues first. In the past, those who discovered security issues but did not provide a deadline for public release found that companies tended to ignore their warnings.
For most companies, the vulnerability disclosed the full contact information of all owners; for some, it allowed the hackers to take control of any customer account. It also allowed them to configure Ford telematics and track Porsche vehicles.
GM was only vulnerable through Spireon, which provides services to fleet vehicles and OnStar- and GoldStar-equipped vehicles (around 15 million vehicles). This access provided remote lock/unlock and remote start, even for customers not subscribing to OnStar.
A small number of regions allow digital license plates; the hackers were able to get into digital plate seller Reviver to manage all vehicles, report vehicles as stolen, find all owner records, and locate all vehicles. Reviver noted that their records show this vulnerability had not been tapped.