Kaspersky SAS 2025 – Critical cybersecurity flaws expose drivers to danger
At the Kaspersky SAS 2025 conference in Phuket, Thailand, cybersecurity experts unveiled the results of a security audit that revealed a series of security flaws at an unnamed automotive manufacturer, flaws that enable unauthorised access to connected vehicles in its line-up.

Based on its research, Kaspersky discovered that the as-yet-unnamed car manufacturer had a zero-day vulnerability in a publicly accessible application, allowing malicious actors to take control of the vehicle’s telematics system and manipulate critical systems, from changing gears to turning off the engine while the vehicle is in motion. The prospect of this happening is terrifying.
Kaspersky SAS 2025 – How was the security vulnerability discovered?
The chilling fact is that an attacker doesn’t even need physical access to tamper with a vehicle from the unnamed car maker. Kaspersky researchers conducted a security audit on the car maker’s publicly accessible services and the contractor’s infrastructure and immediately identified multiple exposed web services.
To gain access, security researchers exploited a zero-day SQL injection vulnerability in the wiki application of the site, which enabled them to extract a list of users affiliated with the contractor that works with the car maker, complete with their password hashes. From there, it was relatively easy to infer some of the passwords on account of a weak organisational password policy.
This small breach enabled security researchers to gain access to the car maker’s issue tracking system that manages and tracks bugs, tasks and issues in a project. A proverbial gold mine, the tracking system also contained sensitive configuration details for the car maker’s telematics infrastructure as well as a file with hashed user passwords for one of the manufacturer’s vehicle telematics servers.
For the uninitiated, telematics in a car enables the collection, transmission and analysis of data from connected vehicles, such as speed, location, engine settings and a wealth of other information.
In addition, Kaspersky security analysts discovered a misconfigured firewall that exposed internal servers – effectively giving potential malicious actors a roadmap of how the car maker’s infrastructure is laid out.
Using a previously acquired service account password, security researchers were able to access the server’s file system and discovered stored credentials for another contractor, which then enabled the researchers to gain full access to the telematics infrastructure.
Within the telematics infrastructure, researchers were able to gain access to a firmware update command to push modified firmware to the Telematics Control Unit (TCU). This in turn enables access to a vehicle’s Controller Area Network (CAN) bus, which allows for manipulation of critical vehicle functions and systems with dangerous consequences for the driver and passengers. Needless to say, this is a huge security risk with severe implications for driver safety.
Kaspersky SAS 2025 – Plugging vulnerabilities and solutions
“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles. The automotive industry must prioritise robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies,” commented Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment, in his presentation at Kaspersky SAS 2025.

While these vulnerabilities could prove catastrophic, there are solutions to plug these security loopholes. According to Kaspersky, contractors should restrict internet access to web services via VPN, isolate services from corporate networks, enforce strict password policies, implement 2FA, encrypt sensitive data and integrate logging with a SIEM system for real-time monitoring.
For the car maker, Kaspersky advises restricting telematics platform access from the vehicle network segment, using allowlists for network interactions, disabling SSH password authentication, running services with minimal privileges and ensuring command authenticity in TCUs, as well as SIEM integration.
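To make the "command authenticity in TCUs" recommendation concrete, here is a short sketch added for illustration; it is not code from Kaspersky's research or from any manufacturer. The message format, field names, key and vehicle identifier are constructed assumptions, and HMAC-SHA256 from the Python standard library stands in for an asymmetric signature scheme, which would avoid keeping a signing-capable secret on the vehicle.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in: an asymmetric signature would
# avoid keeping a signing-capable secret on the vehicle.
DEMO_KEY = b"constructed-demo-key"


def build_update_command(vehicle_id, counter, firmware_image):
    """Backend side: describe the update and bind it to the exact image."""
    return {
        "action": "firmware_update",
        "vehicle_id": vehicle_id,
        "counter": counter,
        "firmware_sha256": hashlib.sha256(firmware_image).hexdigest(),
    }


def sign_command(key, command):
    """Backend side: serialise canonically and attach a MAC over the bytes."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class CommandVerifier:
    """TCU side: accept only authentic, correctly addressed, fresh commands."""

    def __init__(self, key, vehicle_id):
        self.key = key
        self.vehicle_id = vehicle_id
        self.last_counter = 0  # a real unit would persist this across reboots

    def verify(self, message, firmware_image):
        body = str(message.get("body", "")).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        supplied = str(message.get("mac", "")).encode()
        if not hmac.compare_digest(expected.encode(), supplied):
            return "reject: bad MAC"
        cmd = json.loads(body)  # parsed only after the MAC has been checked
        if cmd.get("vehicle_id") != self.vehicle_id:
            return "reject: wrong vehicle"
        if cmd.get("counter", 0) <= self.last_counter:
            return "reject: replayed or stale counter"
        if hashlib.sha256(firmware_image).hexdigest() != cmd.get("firmware_sha256"):
            return "reject: firmware digest mismatch"
        self.last_counter = cmd["counter"]
        return "accept"
```

With a check of this kind on the unit, access to the update channel alone is not enough: a command without a valid tag, a replayed command, or an image that differs from the one the command names is refused.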
You can also check out previous Kaspersky SAS 2025 news highlights on the BlueNoroff APT group here and the latest details on Dante spyware here. For additional in-depth insight on other cybersecurity issues and on Kaspersky SAS 2025’s salient topics, users can sign up to the Kaspersky Threat Intelligence Portal here.
