At the Security Analyst Summit 2025, Kaspersky presented the results of a security audit that has exposed a significant security flaw enabling unauthorized access to all connected vehicles of one automotive manufacturer.
By exploiting a zero-day vulnerability in a contractor’s publicly accessible application, it was possible to gain control over the vehicle telematics system, compromising the physical safety of drivers and passengers. For instance, attackers could force gear shifts or turn off the engine when the vehicle is driving. The findings highlight potential cybersecurity weaknesses in the automotive industry, prompting calls for enhanced security measures.
Car manufacturer’s side
The security audit was
conducted remotely and targeted the manufacturer’s publicly accessible services
and the contractor’s infrastructure. Kaspersky identified several exposed web
services. First,
through a zero-day SQL injection
vulnerability in the wiki application (a web-based platform that allows users
to collaboratively create, edit, and manage content), the researchers
were able to extract a list of users on the contractor’s side with password
hashes, some of which were guessed due to a weak password
policy. This breach provided access to the contractor’s issue tracking system
(a software tool used to manage and track tasks, bugs, or issues within a
project), which contained sensitive configuration details about the
manufacturer’s telematics infrastructure, including a file with hashed
passwords of users of one of the manufacturer’s vehicle telematics servers. In
a modern car, telematics enables the collection, transmission, analysis, and
utilization of various data (e.g., speed, geolocation, etc.) from
connected vehicles.
Connected vehicle side
On the connected vehicle side,
Kaspersky discovered a misconfigured firewall exposing internal servers. Using
a previously acquired service account password, the researchers accessed the
server’s file system and uncovered credentials for another contractor, granting
full control over the telematics infrastructure. Most alarmingly, the
researchers discovered a firmware update command that allowed them to upload
modified firmware to the Telematics Control Unit (TCU). This provided access to
the vehicle’s CAN (Controller Area Network) bus – a system that connects
different parts of the vehicle, like the engine and sensors. Afterwards,
various other systems were accessed, including the engine, transmission, etc.
This enabled potential manipulation of a range of critical vehicle functions,
which could endanger driver and passenger safety.
“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritize robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,” comments Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.
Kaspersky recommends that contractors restrict internet access to web services via VPN, isolate services from corporate networks, enforce strict password policies, implement 2FA, encrypt sensitive data, and integrate logging with a SIEM system for real-time monitoring.
For the automotive manufacturer, Kaspersky advises restricting telematics platform access from the vehicle network segment, using allowlists for network interactions, disabling SSH password authentication, running services with minimal privileges, and ensuring command authenticity in TCUs, alongside SIEM integration.
About Kaspersky ICS CERT
Kaspersky ICS
CERT is primarily focused on identifying and addressing potential and existing
threats to industrial automation systems and the Industrial Internet of Things
(IloT). The team has successfully identified and helped eliminate hundreds of
vulnerabilities in widely used ICS products and components, enhancing the
security and resilience of these critical systems against sophisticated
cyberattacks.
