IT Security Horror Story #3: Ghost in the Machine

October 29, 2013, Andrew Barratt, Managing Director, Europe

A supernatural sequence of automotive portals and applications yields a ghostly in-car phenomenon.

Today more and more vehicle manufacturers are integrating Internet connectivity into the dashboards of cars to achieve mysterious ‘bells and whistles’ for discerning drivers. One manufacturer had a bizarre combination of a web portal and mobile application that allowed consumers to control various vehicle settings, including door locks and GPS-coordinate views among others.

To ensure there were no chilling and unexpected vulnerabilities in this web portal/mobile app combo, the penetration testing team from Coalfire was on the case. In a horrifying turn of events, they were able to exploit weaknesses in the mobile API that allowed an unauthorized person to locate and unlock any vehicle attached to this frightening application/portal mix.

The cutting-edge vehicle manufacturer was relieved that they dodged a bullet in this bloodcurdling close call when our team discovered the shocking dilemma just prior to production deployment and saved the day. Moral of the story? A valid token is not enough: make sure every request is also authorized against the specific object (here, the vehicle) it is trying to act on, or else.
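The defect class in the story is a missing object-level authorization check: the API confirmed the caller held a valid session token but never confirmed that token's user owned the vehicle named in the request. The following is an added illustration, not Coalfire's or the manufacturer's code; the session tokens, VINs, owners and handler names are all constructed for the example. It shows the vulnerable handler beside a hardened one that binds the caller to the target object before acting on it.

```python
"""Constructed example: object-level authorization for a vehicle-control API.

Shows the defect described in the post (a valid token used to act on a vehicle
the caller does not own) beside the fix (checking ownership of the target
object before performing the action). All tokens, user ids and VINs are
constructed sample data for this example.
"""


class AuthorizationError(Exception):
    """Raised for both 'bad token' and 'not your vehicle' cases."""


# Constructed sample data: session token -> user id, and vehicle records.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
VEHICLES = {
    "VIN-0001": {"owner": "alice", "locked": True, "location": (51.50, -0.12)},
    "VIN-0002": {"owner": "bob", "locked": True, "location": (48.85, 2.35)},
}


def authenticate(token):
    """Return the user id bound to a session token, or raise."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthorizationError("invalid or expired token")


def unlock_vulnerable(token, vin):
    """Vulnerable handler: authentication only.

    The token is checked, but the VIN is taken straight from the request and
    never compared against the authenticated user's own vehicles, so any
    valid session can locate and unlock any vehicle in the system.
    """
    authenticate(token)
    vehicle = VEHICLES[vin]
    vehicle["locked"] = False
    return {"vin": vin, "locked": False, "location": vehicle["location"]}


def authorize_vehicle(user, vin):
    """Object-level authorization: the caller must own the target vehicle.

    'Not found' and 'not owned by caller' return the same error so that
    responses do not reveal which VINs exist.
    """
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != user:
        raise AuthorizationError("vehicle not found or not owned by caller")
    return vehicle


def unlock_hardened(token, vin):
    """Hardened handler: authentication AND object-level authorization."""
    user = authenticate(token)
    vehicle = authorize_vehicle(user, vin)
    vehicle["locked"] = False
    return {"vin": vin, "locked": False, "location": vehicle["location"]}


def attempt(handler, token, vin):
    """Run a handler and report ('ok', result) or ('denied', reason) so the
    two handlers can be compared side by side without raising."""
    try:
        return ("ok", handler(token, vin))
    except AuthorizationError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # Alice's valid token used against Bob's vehicle: the vulnerable handler
    # happily unlocks it, the hardened handler refuses.
    print("vulnerable:", attempt(unlock_vulnerable, "tok-alice", "VIN-0002"))
    print("hardened:  ", attempt(unlock_hardened, "tok-alice", "VIN-0002"))
    print("own car:   ", attempt(unlock_hardened, "tok-alice", "VIN-0001"))
```

The fix is the single `authorize_vehicle` call placed between authentication and the state change; in a real service that lookup would be a query scoped to the authenticated user's account rather than an in-memory dictionary, and every object-touching endpoint (locate, lock, unlock, settings) would route through the same check.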
