Curry said the breach of Ferrari’s back end was also notable.
“One thing that was kind of fun was the Ferrari vulnerability,” Curry said. “We had all people who purchased a Ferrari, and we might get their full name, address, phone number, physical address and details about their car.
“We could just take over anybody’s Ferrari account and pretend to be them and retrieve their sales documents,” he added.
The group also breached Spireon’s back end. Spireon supplies device-independent telematics to fleet vehicles and vehicles running on its OnStar and GoldStar platforms.
“I think people should be worried about Spireon’s vulnerabilities,” Curry said. “They have 15 million different automobiles. Spireon has numerous fleet and end-user automobiles with GoldStar or OnStar and tons of different car options.
“We could send commands to cars to disable the starter, to remotely unlock it, remotely start it, and we had full administrative access where we could basically do whatever we wanted with those devices,” he said.
Curry said the Spireon vulnerabilities are concerning because many car owners, even if they don’t subscribe to OnStar, have the service on their vehicles.
“Spireon is so deeply embedded in the car ecosystem — they have so many different functionalities they provide to so many different customers, millions of users and millions of vehicles,” Curry said. “If we wanted to invite ourselves to the Cincinnati State police, we could have remotely disabled police cars and ambulance starters and stuff like that with this breach.”
Spireon said its cybersecurity professionals evaluated “the purported system vulnerabilities and immediately implemented remedial measures to the extent required. We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions.”
Curry also hacked Reviver, a company that sells digital license plates to customers and fleets. He was able to gain full “super administrative access” to manage all Reviver consumer accounts and vehicles.
The functions he could perform remotely included tracking the physical GPS location of all Reviver customers. He could update any vehicle status to “stolen,” which updates the license plate and informs law enforcement, and access all consumer information. The hackers could determine what vehicles people owned, their physical address, phone number and email addresses.
A Reviver spokesperson said company executives met with Curry and data security and privacy professionals to fix the company’s vulnerabilities.
“Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report,” Reviver said. “As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”