There are many ways that data collection, and data availability, make less sense as the years pass by. This is frequently accompanied by a resistance to change, to improve these processes, because “that’s how we’ve always done it”. Sadly this is often the case even when those data collectors have been shown how real world harm can be done with this information.
We now see another example of this in motor vehicle land, with customer info potentially retrievable via a VIN number on a windshield.
A short history of the Vehicle Identification Number (VIN)
The VIN (or chassis number) is a unique marker on all vehicles put to use after 1981, originally designed to present you with an easy way to browse a vehicle’s history. This number is crucial for everything from insurance and accidents to modification work done and even crime.
The individual sections of the 17-digit number detail all manner of information about the car, ranging from manufacturer to attributes. If there was no way to pull this data together, you’d potentially have no real way of knowing what you may be getting yourself into as a buyer, which could have major ramifications down the line.
For a long time, the VIN served its purpose and the data provided didn’t cause any issues.
With vehicles becoming increasingly digital as far as many crucial operations go, there is a need to try and safeguard that digital information whenever possible. If something goes wrong, if somebody creates an exploit or finds a vulnerability, it could have ramifications for the vehicle owner.
The times have moved on. It makes little sense that various quantities of owner-specific information are posted to several locations on a car, including the door frame or the engine block.
Which leads us neatly back to a car windshield…
Just VIN and bear it
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
As with so many interesting system exploits, the weak spot is a service used by many: in this case, the telematics service. Telematics vehicle gateways bundle several services that are integrated into your car. GPS, assistance, collision notification, and much more flow between the server and the motor vehicle.
The researchers noticed that multiple car brands were serviced by SiriusXM:
While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics.
This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do! pic.twitter.com/Thxkdkdhn4
— Sam Curry (@samwcyo) November 30, 2022
They quickly realised the car’s VIN was all that was needed to give the green light to commands. Worse, using the VIN in this way was enough to pull up the customer’s name, phone number, address, and car details.
We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked!
The response contained the victim's name, phone number, address, and car details.
At this point, we made a simple python script to fetch the customer details of any VIN number. pic.twitter.com/J2eK5Y3qAB
— Sam Curry (@samwcyo) November 30, 2022
Honking the horn and blinking the lights remotely? Also doable:
We continued to escalate this and found the HTTP request to run vehicle commands.
This also worked!
We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield. pic.twitter.com/TrEqbIrSEU
— Sam Curry (@samwcyo) November 30, 2022
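An added example, not code from the researchers or from SiriusXM: a minimal Python model of the flaw described above, where the VIN alone authorizes a request, beside a corrected check that ties each VIN to the authenticated account and records denials so that VIN enumeration can be spotted. The in-memory data store, account IDs, placeholder VINs and function names are all hypothetical.

```python
from collections import defaultdict

# Constructed sample data (placeholder VINs, not real vehicles): VIN -> record.
VEHICLES = {
    "TESTVIN0000000001": {"owner": "acct-alice", "profile": {"name": "Alice Example"}},
    "TESTVIN0000000002": {"owner": "acct-bob", "profile": {"name": "Bob Example"}},
}
ALLOWED_COMMANDS = {"unlock", "start", "locate", "flash", "honk"}
AUDIT_LOG = []  # (account_id, vin) for every denied request


class AuthorizationError(Exception):
    """Raised when the authenticated account may not act on the VIN."""


def profile_by_vin_insecure(vin):
    # Flawed pattern: the VIN both selects the record and authorizes access,
    # so anyone who can read the windshield can read the profile.
    return VEHICLES[vin]["profile"]


def authorize(account_id, vin):
    # account_id must come from the verified session or token, never from
    # a client-supplied field. The VIN is only a lookup key.
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != account_id:
        # Same error for "unknown VIN" and "not yours", so responses do not
        # confirm which VINs are enrolled.
        AUDIT_LOG.append((account_id, vin))
        raise AuthorizationError("vehicle not available for this account")
    return vehicle


def get_profile(account_id, vin):
    return authorize(account_id, vin)["profile"]


def run_command(account_id, vin, command):
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unsupported command: {command}")
    authorize(account_id, vin)
    return {"vin": vin, "command": command, "status": "queued"}


def accounts_probing_vins(threshold=3):
    # Detection: one account denied on many distinct VINs suggests enumeration.
    denied = defaultdict(set)
    for account_id, vin in AUDIT_LOG:
        denied[account_id].add(vin)
    return sorted(a for a, vins in denied.items() if len(vins) >= threshold)
```

The same ownership check guards both the profile read and the command path, so a VIN that is public by design never acts as a credential.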
Thankfully, the discoverers of this flaw reported it, and SiriusXM fixed it before the issue went public. Unfortunately, there is a concern that government agencies may be misusing this data in ways they shouldn’t, with patrol agents claiming to be able to access IP address, phone number, and email address from a car’s infotainment system. There’s even mention of recovering data from phones which had connected to a car without the phone itself being present.
“Weaponising car data” is not a phrase you may have ever expected to see, but here we are.
Data availability playing catch up with data privacy
Car VIN numbers are just one recent addition to an ever-growing list of “We used to do it like this, and use the data for that, but there must surely be a better way to do it now”.
Remember when people would set up a website with their home address and phone number for the WHOIS contact details? Can you imagine anyone doing this now, as opposed to using business addresses, PO boxes, or domain privacy services in the age of trolling, doxxing, and swatting?
Unfortunately, many people still do this as they are unaware of the risk such a public database can pose.
Elsewhere, the UK has something called an electoral roll. Everyone who is eligible to vote must be on this list. There’s an “Open” version of this list, which is available to anyone to purchase. This is an obvious privacy and security risk for certain folks.
If you opt out, you must confirm every 12 months that you want to stay off the list. Wouldn’t it be easier to just assume you never want to go back on unless you specifically tell them otherwise? As the ICO article notes, inclusion on the full and open register is the default. You can be registered anonymously, but it is a convoluted process. Why don’t we just change how this works and be done with it?
A driving concern
Perhaps this is the question we should be asking with regard to the VIN number on your car. If something as easily accessible as this can fetch up digitally connected personal details of an owner in ways we can’t predict, then there’s a strong case for changing the system. We should not be able to pull up information the way it was done above via a number on your car door.
I would be surprised if other telematics services use the VIN the way it was done here, but given how many popular brands were potentially vulnerable to this, it certainly gives me pause for thought. If you have digital concerns with regard to Internet of Things in your home, security devices, and even cars, this is another one to keep in mind when weighing up a purchase.
As more vehicles wirelessly connect to networks and servers, this isn’t a concern which will be going away anytime soon. Unlike WHOIS registration and opting to stay off public registers, it's a technical aspect of your life with potential privacy issues which as consumers we have comparatively less control of. What say you, car manufacturers?