Curry said the breach into Ferrari’s back-end is also notable.
“One thing that was kind of fun was the Ferrari vulnerability,” Curry said. “We had everybody who bought a Ferrari, and we could get their full name, address, phone number, physical address and information about their vehicle.
“We could just take over anybody’s Ferrari account and pretend to be them and retrieve their sales documents,” he added.
The group also breached Spireon’s back-end. Spireon provides device-independent telematics to fleet vehicles and vehicles running on its OnStar and GoldStar platforms.
“I think people should be worried about Spireon’s vulnerabilities,” Curry said. “They have 15 million different vehicles. Spireon has a lot of fleet and end-user vehicles with GoldStar or OnStar and tons of other vehicle solutions.
“We could send commands to cars to disable the starter, to remotely unlock it, remotely start it, and we had full administrative access where we could basically do whatever we wanted with these devices,” he said.
Curry said the Spireon vulnerabilities are concerning because many vehicle owners, even if they don’t subscribe to OnStar, have the service on their cars.
“Spireon is so deeply embedded in the automotive ecosystem — they have so many different functionalities they provide to so many different customers, millions of users and millions of vehicles,” Curry said. “If we wanted to invite ourselves to the Cincinnati State police, we could have remotely disabled police cars and ambulance starters and stuff like that with this breach.”
Spireon said its cybersecurity professionals evaluated “the purported system vulnerabilities and immediately implemented remedial measures to the extent required. We also took proactive steps to further strengthen the security across our product portfolio as part of our continuing commitment to our customers as a leading provider of aftermarket telematics solutions.”
Curry also hacked Reviver, a company that sells digital license plates to consumers and fleets. He was able to gain full “super administrative access” to manage all Reviver user accounts and vehicles.
The functions he could perform remotely included tracking the physical GPS location of all Reviver customers. He could update any vehicle status to “stolen,” which updates the license plate and informs law enforcement, and access all user records. The hackers could determine what vehicles people owned, their physical address, phone number and email addresses.
A Reviver spokesperson said company executives met with Curry and data security and privacy professionals to fix the company’s vulnerabilities.
“Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there’s no evidence of ongoing risk related to this report,” Reviver said. “As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”