{"id":362784,"date":"2025-10-29T20:16:33","date_gmt":"2025-10-29T14:46:33","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=362784"},"modified":"2025-10-29T20:16:33","modified_gmt":"2025-10-29T14:46:33","slug":"grand-theft-telematics-kaspersky-finds-security-flaws-that-threaten-vehicle-safety","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/grand-theft-telematics-kaspersky-finds-security-flaws-that-threaten-vehicle-safety\/","title":{"rendered":"Grand theft telematics: Kaspersky finds security flaws that threaten vehicle safety"},"content":{"rendered":"<p class=\"ArticleBody_date__rpGhG\"><strong>At the Security Analyst Summit 2025, Kaspersky presented the results of a security audit that has exposed a significant security flaw enabling unauthorized access to all connected vehicles of one automotive manufacturer.<\/strong><\/p>\n<div class=\"ArticleBody_articleContainer__Sz0LX\">\n<div class=\"ArticleBody_articleBody__gN8bN\">\n<div class=\"ArticleBody_content__tiVdv ArticleBody_withContentAbove__RyYxL\">\n<p>By exploiting a zero-day vulnerability in a contractor\u2019s publicly accessible application, it was possible to gain control over the vehicle telematics system, compromising the physical safety of drivers and passengers. For instance, attackers could force gear shifts or turn off the engine when the vehicle is driving. The findings highlight potential cybersecurity weaknesses in the automotive industry, prompting calls for enhanced security measures.<\/p>\n<p><strong>Car manufacturer\u2019s side<\/strong><\/p>\n<p>The security audit was conducted remotely and targeted the manufacturer\u2019s publicly accessible services and the contractor\u2019s infrastructure. Kaspersky identified several exposed web services. First, through a zero-day SQL injection vulnerability in the wiki application (a web-based platform that allows users to collaboratively create, edit, and manage content), the researchers were able to extract a list of users on the contractor\u2019s side with password hashes, some of which were guessed due to a weak password policy. This breach provided access to the contractor\u2019s issue tracking system (a software tool used to manage and track tasks, bugs, or issues within a project), which contained sensitive configuration details about the manufacturer\u2019s telematics infrastructure, including a file with hashed passwords of users of one of the manufacturer\u2019s vehicle telematics servers. In a modern car, telematics enables the collection, transmission, analysis, and utilization of various data (e.g., speed, geolocation, etc.) from connected vehicles.<\/p>\n<p><strong>Connected vehicle side<\/strong><\/p>\n<p>On the connected vehicle side, Kaspersky discovered a misconfigured firewall exposing internal servers. Using a previously acquired service account password, the researchers accessed the server\u2019s file system and uncovered credentials for another contractor, granting full control over the telematics infrastructure. Most alarmingly, the researchers discovered a firmware update command that allowed them to upload modified firmware to the Telematics Control Unit (TCU). This provided access to the vehicle\u2019s CAN (Controller Area Network) bus \u2013 a system that connects different parts of the vehicle, like the engine and sensors. Afterwards, various other systems were accessed, including the engine, transmission, etc. This enabled potential manipulation of a range of critical vehicle functions, which could endanger driver and passenger safety.<\/p>\n<p><em>\u201cThe\u00a0<\/em><em>security flaws\u00a0<\/em><em>stem from issues<\/em><em>\u00a0that are quite common in the automotive industry<\/em><em>: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor\u2019s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies<\/em><em>,<\/em><em>\u201d<\/em>\u00a0comments <strong>Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.<\/strong><\/p>\n<p>Kaspersky recommends that contractors restrict internet access to web services via VPN, isolate services from corporate networks, enforce strict password policies, implement 2FA, encrypt sensitive data, and integrate logging with a SIEM system for real-time monitoring.<\/p>\n<p>For the automotive manufacturer, Kaspersky advises restricting telematics platform access from the vehicle network segment, using allowlists for network interactions, disabling SSH password authentication, running services with minimal privileges, and ensuring command authenticity in TCUs, alongside SIEM integration.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>At the Security Analyst Summit 2025, Kaspersky presented the results of a security audit that has exposed a significant security flaw enabling unauthorized access to all connected vehicles of one automotive manufacturer. By exploiting a zero-day vulnerability in a contractor\u2019s publicly accessible application, it was possible to gain control over the vehicle telematics system, compromising [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14083],"tags":[37592],"class_list":{"0":"post-362784","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-technology-industry-news","7":"tag-grand-theft-telematics"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/362784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=362784"}],"version-history":[{"count":1,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/362784\/revisions"}],"predecessor-version":[{"id":362785,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/362784\/revisions\/362785"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=362784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=362784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=362784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}