Kaspersky Finds Security Flaws that Threaten Vehicle Safety

Kaspersky recently revealed the findings of a comprehensive security audit that uncovered a critical vulnerability enabling unauthorised access to all connected vehicles of a leading automotive manufacturer. The investigation found that attackers could potentially compromise both the manufacturer’s internal infrastructure and the connected vehicles themselves.

On the manufacturer’s side, Kaspersky discovered a zero-day SQL injection vulnerability in the company’s wiki application, which allows users to collaboratively create, edit and manage content. This flaw provided access to internal systems, including files containing hashed passwords and sensitive configuration data related to connected vehicles. Such access could potentially expose vital information such as vehicle speed, geolocation and data transmission details.

Vehicle Safety

On the vehicle side, researchers uncovered a misconfigured firewall that exposed internal servers. Using a previously acquired service account password, they accessed the server’s file system and discovered credentials for another contractor, granting full control over the vehicle’s telematics system.

As Malaysia targets 20 per cent of annual new vehicle sales from xEVs by 2030, this discovery highlights the urgent need for automotive manufacturers to strengthen cybersecurity measures and ensure robust protection across all connected and electric vehicle systems.

*SQL Injection: A common attack vector that uses malicious Structured Query Language (SQL) code for backend database manipulation to access information that was not intended to be displayed. 

*Hashed Password: A one-way, scrambled version of a user’s actual password, created by a cryptographic algorithm

Business News