AppSec & Supply Chain Security | January 11, 2023

Danger: Researchers exploit gaps in connected vehicle software supply chain

Researchers compromised source code and development infrastructure for Mercedes-Benz and SiriusXM Connected Vehicle Services, raising security concerns.

By Paul Roberts, Director of Content and Editorial at RL

A group of researchers probing the security of the applications and infrastructure that support connected vehicles found they could reach the development environments and raw application source code of German automaker Mercedes-Benz and of SiriusXM Connected Vehicle Services, which supplies telematics software and applications to a wide range of vehicle makers.

The researchers wrote last week that an account they created on a Mercedes website for repair professionals let them access internal documentation and source code for projects including the Mercedes Me Connect app, which customers use to connect remotely to their vehicles.

Their forays onto Mercedes-Benz infrastructure gave the researchers access to “hundreds of mission-critical internal applications,” multiple development systems, internal cloud deployment services for managing AWS instances, and internal vehicle-related APIs.

Report highlights widespread software security flaws

The findings were published in a report, "Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More," compiled by researcher Sam Curry (@samwcyo), a Staff Security Engineer at Yuga Labs. Curry collaborated with researchers Neiko Rivera (@_specters_), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Ian Carroll (@iangcarroll), Justin Rhinehart (@sshell_) and Shubham Shah (@infosec_au).

The group got the idea to probe the mobile applications and other infrastructure supporting connected cars after an earlier foray into the software used to manage a fleet of electric scooters in a Maryland ride-sharing program.

The infrastructure for both the scooter and car companies is actually super similar.

Sam Curry

Like the scooter software, connected vehicle telematics systems center on a user account and a mobile app that issues authenticated commands to the vehicle, with a SIM card in the car powering the underlying telematics link, he said. APIs provide integration with other systems and with services operated by telecommunications companies.

Mercedes tool site opens doors to dev, data, employees

That infrastructure proved far from robust, Curry and his colleagues showed. In the case of Mercedes-Benz, the researchers started from the account of a colleague who owned a Mercedes and probed the company's infrastructure, eventually concluding that Mercedes used a central LDAP (Lightweight Directory Access Protocol) directory to authenticate both employees and non-employees to its various internal and cloud-hosted systems.

[Image: Mercedes user management after sales]

That exploration led them to a public registration page where Mercedes vehicle repair shops request access to specific tools from the company. The site appeared to write to the same directory as the core employee LDAP system, Curry wrote. After registering and creating a user account, the researchers used reconnaissance data gathered during the registration process to look for other sites that redirected to the Mercedes-Benz SSO. That search led them to git.mercedes-benz.com, the company's GitHub instance, where they found that the credentials they had just created also granted access to Mercedes-Benz's repositories.

After the team reported its discovery, skeptical Mercedes staff asked them to demonstrate the “impact” of the finding. The researchers used their access to log in to numerous applications containing sensitive information and to achieve “remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees.” Those included an internal Slack-like communications tool that gave them access to internal security channels, where they could pose as a Mercedes-Benz employee and potentially elevate their privileges across the company's infrastructure, Curry wrote.

Access to the internal environment also reached the company's Jenkins instances and its AWS and cloud-computing control panels, which let the team “request, manage, and access various internal systems;” XENTRY systems used to communicate with customer vehicles; Mercedes' internal OAuth and application-management functionality; and “hundreds of miscellaneous internal services.”

In a statement to reporters, Mercedes said the company was aware of the research and had fixed the vulnerability Curry reported. The spokesperson said the flaw “did not affect the security of our vehicles,” but offered no further explanation.

Software supply chain flaws widespread

Mercedes is not the only company that exposed sensitive development environments and code to prying eyes. Curry and his collaborators also found leaked Amazon Web Services (AWS) keys that gave them “full organizational read/write access” to SiriusXM's Amazon S3 cloud storage. From there they could retrieve “all files including (what appeared to be) user databases, source code, and config files for Sirius.”

Attacks on software supply chains and development infrastructure were not the group's most common avenue, however. In all, the group targeted infrastructure used by 16 automakers, as well as suppliers such as Spireon (a provider of GPS and fleet management services), SiriusXM and Reviver. Many of the successful attacks came from direct exploitation of flaws in web applications using tried-and-true web hacking methods: fuzzing websites and mobile applications for common flaws such as SQL injection and other input validation bugs, or for improperly implemented authentication and single sign-on (SSO) functionality.

The usual suspects: Input validation, authentication

Among other things, Curry and team found that poorly implemented single sign-on was common among automakers: the SSO authenticated users but did not restrict who could reach the underlying application. Because the SSO did not gate the application itself, the team was frequently able to extract the application's JavaScript, which let them map the backend API routes in use and, in some cases, retrieve sensitive credentials.
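The distinction at the heart of that finding, and of the Mercedes registration-page path above, is that authentication is not authorization: the central directory can vouch for an account without the application ever asking whether that account is entitled to it. The following is an added example (not code from the research or from any automaker) that hands the same SSO assertion to two application gates. The weak gate reproduces the flaw, letting any account the directory authenticates, including a self-registered repair-shop account, reach a developer-only system; the hardened gate checks a per-application entitlement and denies by default. The group names, account types and application names are assumptions for illustration.

```python
"""
Authenticated is not authorized: a weak SSO gate beside a hardened one.
Added example with constructed identities and assumed entitlement data.
"""
from dataclasses import dataclass
from typing import Optional


class Unauthenticated(Exception):
    """No SSO assertion at all: the app should redirect to the IdP."""


class Forbidden(Exception):
    """Authenticated by the central directory, but not entitled to this app."""


@dataclass(frozen=True)
class SsoAssertion:
    """What the central SSO hands an application after a successful login.
    Field names are assumptions; real claims depend on the IdP."""
    subject: str
    groups: frozenset
    account_type: str  # assumed attribute: "employee" or "external"


# Assumed per-application allow-lists. An app absent from this table is denied.
ENTITLEMENTS = {
    "git": {"account_types": {"employee"}, "groups": {"eng-developers"}},
    "dealer-tools": {"account_types": {"employee", "external"},
                     "groups": {"dealer-access"}},
}


def weak_gate(app: str, assertion: Optional[SsoAssertion]) -> bool:
    """Before: the app trusts the SSO redirect and never asks who is entitled."""
    if assertion is None:
        raise Unauthenticated(app)
    return True  # every directory account reaches every application


def hardened_gate(app: str, assertion: Optional[SsoAssertion]) -> bool:
    """After: authentication is necessary but not sufficient; default deny."""
    if assertion is None:
        raise Unauthenticated(app)
    policy = ENTITLEMENTS.get(app)
    if policy is None:
        raise Forbidden(f"{app}: no entitlement policy, default deny")
    if assertion.account_type not in policy["account_types"]:
        raise Forbidden(f"{app}: account type {assertion.account_type!r} not allowed")
    if not (assertion.groups & policy["groups"]):
        raise Forbidden(f"{app}: {assertion.subject} is in none of {sorted(policy['groups'])}")
    return True


def decision(gate, app: str, assertion: Optional[SsoAssertion]) -> str:
    """Run a gate and report its outcome as 'allow', 'deny' or 'login'."""
    try:
        gate(app, assertion)
        return "allow"
    except Forbidden:
        return "deny"
    except Unauthenticated:
        return "login"


def walkthrough() -> dict:
    """Same assertions, both gates; returns {app/subject: (weak, hardened)}."""
    # Constructed identities: a self-registered repair shop and an internal developer.
    shop = SsoAssertion("repairshop-0042", frozenset({"dealer-access"}), "external")
    dev = SsoAssertion("jdoe", frozenset({"eng-developers"}), "employee")
    cases = [("git", shop), ("git", dev), ("dealer-tools", shop), ("wiki", dev), ("git", None)]
    return {
        f"{app}/{a.subject if a else 'anonymous'}": (decision(weak_gate, app, a),
                                                     decision(hardened_gate, app, a))
        for app, a in cases
    }


if __name__ == "__main__":
    for key, (weak, hard) in walkthrough().items():
        print(f"{key:28} weak={weak:5} hardened={hard}")
```

The case to watch is `git/repairshop-0042`: the weak gate allows it because the directory authenticated the account, the hardened gate denies it because the account type and group are wrong for that application. The `wiki` row shows the other half of default deny: an application with no entitlement policy refuses everyone rather than inheriting the directory's trust.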

When reverse engineering JavaScript bundles, it is important to check what constants have been defined for the application. Often these constants contain sensitive credentials or, at the very least, tell you where the backend API is that the application talks to.

Sam Curry
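The triage Curry describes, and the leaked AWS keys found in the SiriusXM case above, both come down to pulling constants out of shipped code. Below is an added example, not code from the research, that scans a bundle for backend API hosts and base URLs, route strings, and credential-like constants (AWS access key IDs, bearer tokens, and any constant whose name contains KEY, SECRET, TOKEN or PASSWORD). The sample bundle is constructed in the shape of a minified webpack build; its hostnames use the reserved `.test` domain and its AWS values are Amazon's own documentation placeholders, not real credentials.

```python
"""
Triage a JavaScript bundle for the constants a web hacker looks for first:
API base URLs, route strings and credential-like values.
Added example; the bundle below is constructed, not from any vendor's app.
"""
import re
from typing import Dict, List

# Constructed sample bundle (webpack-style, one IIFE). Placeholder values only.
SAMPLE_BUNDLE = r'''
!function(){var e={};e.API_BASE="https://api.example-telematics.test/v2",
e.AUTH_ISSUER="https://sso.example-automaker.test/oauth2";
var t={"REACT_APP_MAPS_KEY":"AIzaSyA-constructed-example-key-0000000000",
"AWS_ACCESS_KEY_ID":"AKIAIOSFODNN7EXAMPLE",
"AWS_SECRET_ACCESS_KEY":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};
function n(r){return fetch(e.API_BASE+"/vehicles/"+r+"/lock",{method:"POST",
headers:{Authorization:"Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature"}})}
function o(){return fetch("/api/internal/users/me")}
function a(){return fetch("/api/v1/dealer/tools?scope=all")}}();
'''

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~\-/%]*)?")
# Quoted relative paths that look like API routes rather than asset paths.
ROUTE_RE = re.compile(r"""["'](/(?:api|v\d+|internal|graphql|rest)(?:/[A-Za-z0-9._~\-]+)*/?)""")
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)")),
    # A name containing KEY/SECRET/TOKEN/PASSWORD assigned a quoted literal of 8+ chars.
    ("named_secret", re.compile(
        r"""["']?([A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Za-z0-9_]*)["']?"""
        r"""\s*[:=]\s*["']([^"']{8,})["']""", re.IGNORECASE)),
]


def _line_of(text: str, pos: int) -> int:
    """1-based line number of a match offset, for reporting."""
    return text.count("\n", 0, pos) + 1


def _unique(items) -> list:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def triage_bundle(text: str) -> Dict[str, list]:
    """Return backend hosts, absolute API URLs, route strings and credential-like constants."""
    api_bases = _unique(m.group(0) for m in URL_RE.finditer(text))
    routes = _unique(m.group(1) for m in ROUTE_RE.finditer(text))
    secrets: List[dict] = []
    seen = set()
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            if kind == "named_secret":
                name, value = m.group(1), m.group(2)
            elif kind == "bearer_token":
                name, value = "Authorization", m.group(1)
            else:
                name, value = None, m.group(0)
            if (kind, value) in seen:  # one finding per kind and value
                continue
            seen.add((kind, value))
            secrets.append({"kind": kind, "name": name, "value": value,
                            "line": _line_of(text, m.start())})
    hosts = _unique(u.split("/")[2] for u in api_bases)
    return {"hosts": hosts, "api_bases": api_bases, "routes": routes, "secrets": secrets}


def redact(value: str) -> str:
    """Show enough of a credential to triage it, never the whole thing, in reports."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


if __name__ == "__main__":
    report = triage_bundle(SAMPLE_BUNDLE)
    print("backend hosts:", report["hosts"])
    print("routes:", report["routes"])
    for s in report["secrets"]:
        print(f"line {s['line']}: {s['kind']} {s['name'] or ''} = {redact(s['value'])}")
```

On the constructed bundle this recovers the two backend hosts, two route strings that were never meant for the public, and five credential-like constants. Pattern-based scanning of this kind produces false positives (the `named_secret` rule will flag any long literal with a suggestive name), so treat the output as a triage list to verify by hand, and run it over the same bundle from an unauthenticated session: if the JavaScript is retrievable before the SSO has authorized the user, every constant in it is public.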

The jumbled provenance of the code used by automakers was a further source of confusion and potential risk. The group's research into SiriusXM, for example, found that some vehicle makers' applications called SiriusXM's API directly, while others essentially white-labeled SiriusXM as a service of their own. That made root-cause analysis harder.

We weren’t able to find any evidence that SiriusXM produced the apps directly or contracted them out. It was deployed differently in many places and there wasn’t a universal way to interface with it.

Sam Curry

Newer cars, vintage hacks

Curry said he and the other researchers were sobered by how easy the exercise was, noting that in the past they had tried to focus on emerging security research and new techniques for breaking applications, "but for this one we were a little disappointed.” The security of the connected vehicle apps, he concluded, was “a few years behind.” And the risk was not limited to what the group found.

My gut feeling is that someone could find similar issues affecting these (applications) given enough time.

Sam Curry

The auto industry's enthusiastic embrace of mobile apps and subscription services for vehicles means that the problems aren't going away.

Infrastructure wise, the car is always going to be calling out to these APIs and customers are always going to be able to access their accounts via the app, so these avenues of attack will always exist.

Sam Curry

The news about the attacks on automakers, including Mercedes-Benz and SiriusXM, further cements the argument that all companies are software companies, said Matt Rose, Field CISO at ReversingLabs. "Yes, Mercedes Benz may be perceived as just a car manufacturer, but that is just not the case anymore. Today's cars have tens of millions of lines of code embedded in their onboard computers for things like autonomous driving, navigation, and smart cruise control."

That raises the stakes for vehicle manufacturers to identify not only the supply chain risks in the cars they build, but also those in the software they develop internally or outsource that connects to the vehicle, Rose said.
