How these hackers accessed information at 7 automakers


Curry said the breach into Ferrari’s back-end is also notable.

“One thing that was kind of fun was the Ferrari vulnerability,” Curry said. “We had everybody who bought a Ferrari, and we could get their full name, address, phone number, physical address and information about their vehicle.

“We could just take over anybody’s Ferrari account and pretend to be them and retrieve their sales documents,” he added.

The group also breached Spireon’s back-end. Spireon provides device-independent telematics to fleet vehicles and vehicles operating on its OnStar and GoldStar platforms.

“I think people should be worried about Spireon’s vulnerabilities,” Curry said. “They have 15 million different vehicles. Spireon has lots of fleet and end-user vehicles with GoldStar or OnStar and tons of other vehicle solutions.

“We could send commands to cars to disable the starter, to remotely unlock it, remotely start it, and we had full administrative access where we could basically do whatever we wanted with those devices,” he said.

Curry said the Spireon vulnerabilities are concerning because many vehicle owners, even if they do not subscribe to OnStar, have the service on their cars.

“Spireon is so deeply embedded in the car ecosystem — they have so many different functionalities they provide to so many different customers, millions of users and millions of vehicles,” Curry said. “If we wanted to invite ourselves to the Cincinnati State police, we could have remotely disabled police cars and ambulance starters and stuff like that with this breach.”

Spireon said its cybersecurity professionals evaluated “the purported system vulnerabilities and immediately implemented remedial measures to the extent required. We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions.”

Curry also hacked Reviver, a company that sells digital license plates to consumers and fleets. He was able to gain full “super administrative access” to manage all Reviver user accounts and vehicles.

The functions he could perform remotely included tracking the physical GPS location of all Reviver customers. He could update any vehicle status to “stolen,” which updates the license plate and informs law enforcement, and access all user records. The hackers could determine what vehicles people owned, as well as their physical addresses, phone numbers and email addresses.

A Reviver spokesperson said company executives met with Curry and data security and privacy professionals to fix the company’s vulnerabilities.

“Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report,” Reviver said. “As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”
