On the heels of the Kromtech VIN database discovery, I was reminded of a method through which VIN information can also be obtained – a method I’ve personally used for many years for a host of research purposes.

VINs really need to be more carefully guarded as we enter this “next generation” (like right now generation) of the automobile. Cars are going to do all kinds of sloppy things with VINs used as logical keys, whether to gain physical access through cloning an entry mechanism, or access to some vehicle subsystem via a software vector. It is a unique identifier ripe for exploitation.

Carfax offers a free service named myCARFAX, aimed at giving legitimate owners of vehicles a basic maintenance tracking system. It’s in essence a “watered down Carfax”: after inputting your VIN or license plate number, you are given a very basic service history as reported by various service providers. You may add a few cars to your virtual “garage”.


As previously mentioned, there are two methods through which you can add a vehicle to myCARFAX: by typing in a VIN, or by entering a license plate number. Theoretically you own the car and have the VIN anyway. This makes sense.

But what if you didn’t own the car, and didn’t have the VIN? Inexplicably, all you need is the license plate. Which you could obtain for any car in the country by casually walking down a street with your eyes open.


On the surface, you would never know that by adding a stranger’s license plate, you are also gaining access to their VIN. You’ll simply see basic service data, as I do for this BMW, which I do not own.


This is definitely a privacy issue on its own that will be leveraged by evildoers, but let’s continue.

One thing that is never disclosed in this web application is the VIN, despite the presumption of ownership. There is a weird business decision happening here. Presumably you own these cars, but presumably you might not, so here’s…only some information about your property.

Inspecting the “Garage” page, however, turns up some junk in the trunk: the VIN for every car in the Garage.


This means you could obtain a VIN off a car on the highway just by remembering the license plate.  It’s a gateway to all kinds of chaos that is better discussed elsewhere.
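A leak like this is easy to catch before release if the check is automated. The following is an added example, not Carfax’s code: it scans a response body for strings that are VIN-shaped and also pass the VIN check digit (so random 17-character tokens are not flagged), then runs against two constructed garage listings, one keyed by the VIN itself and one keyed by an opaque surrogate id, which is the kind of fix the post is asking for. The markup, attribute names and surrogate id are hypothetical; the VIN is the standard documentation example, not a real vehicle.

```python
import re
from typing import List

# Transliteration table and positional weights of the VIN check-digit scheme
# (FMVSS 115 / ISO 3779). The letters I, O and Q never appear in a VIN.
_TRANS = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                  [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9,
                   2, 3, 4, 5, 6, 7, 8, 9]))
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]
_VIN_SHAPE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")


def vin_check_digit_ok(vin: str) -> bool:
    """True if the 9th character is the correct check digit for this VIN."""
    if not _VIN_SHAPE.fullmatch(vin):
        return False
    total = sum((int(ch) if ch.isdigit() else _TRANS[ch]) * w
                for ch, w in zip(vin, _WEIGHTS))
    expected = "X" if total % 11 == 10 else str(total % 11)
    return vin[8] == expected


def find_leaked_vins(html: str) -> List[str]:
    """Return every distinct VIN-shaped, check-digit-valid string in a
    response body. Run it against pages that are not supposed to expose
    a VIN, such as a garage listing the user added by license plate."""
    return sorted({m for m in _VIN_SHAPE.findall(html) if vin_check_digit_ok(m)})


# Constructed sample markup (hypothetical, not Carfax's real page).
# The VIN is the standard documentation example VIN.
LEAKY_GARAGE = """<li class="car" data-vin="1M8GDM9AXKP042788">
  <span>BMW</span> <input type="hidden" name="vin" value="1M8GDM9AXKP042788">
</li>"""

# Same listing keyed by an opaque, server-side surrogate id instead of the VIN.
FIXED_GARAGE = """<li class="car" data-id="g_7f3c9a12">
  <span>BMW</span> <input type="hidden" name="car" value="g_7f3c9a12">
</li>"""

if __name__ == "__main__":
    print("leaky listing exposes:", find_leaked_vins(LEAKY_GARAGE))
    print("fixed listing exposes:", find_leaked_vins(FIXED_GARAGE))
```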

I reached out to Carfax, citing my concerns. A representative would not give me a direct method of communication with a department that could take this issue under advisement, which was (well, not) my preference. The CSR would only repeat to me that they “can only pass the feedback on to our web team and they may choose to contact you. But we do appreciate your feedback.” To which I was clear that I would publish findings on my own timetable. To which the CSR replied “Great, thank you, have a nice day.”

This is a very, very old issue, likely dating back to the inception of the application – at least a decade, as I’ve been exploiting it for at least that long. Someone at Carfax knows it’s not the right way to do this – to index these vehicles by VIN (if that’s even what’s happening; the use of VIN here is really not clear) – and may they now be compelled to address it. The future is now. The connected car is now. There’s no more road down which to kick this can. VIN exploitation is only heating up, and unless we start protecting these things like SSNs – which is what they are! – it’s never going away.

-cp