Stealer logs and their danger for the automotive industry: How hackers can gain access to vehicle functions through stolen login data
Reading time: 7 min
Over the past few weeks, we at Identeco have made a concerning discovery. In the stealer logs we have collected from various sources, we have noticed unusual patterns that particularly affect the automotive industry. But what exactly is a stealer log and why should it worry us all?
The ZDF consumer magazine WISO reported on this in its program and described how modern vehicles can be opened, their location tracked and sometimes even driven away with nothing more than a user name and password. Together with our experts Matthias Wübbeling and René Neff, the program used several examples to illustrate how car owners who had no idea of the problem are actually affected. The ZDF WISO program from 09.12.2024 is available in the ZDF Mediathek (in German).
Stealing a vehicle with minimal effort?
Imagine you are an attacker with access to a collection of stolen credentials. You don’t need to be a tech expert to do anything with the data - most of the information is easily accessible and doesn’t require in-depth technical knowledge. You will find an e-mail address and a password. But the interesting thing about this particular collection is not just the combination of these credentials, but also the website or app on which they can be used. You notice the names of the car manufacturers.
With this little information, you can take targeted action. You now know that the stolen login data belongs to a vehicle app - from Tesla, BMW or Ford, for example. A quick look at the apps in the App Store and you have access to the car. First, you can find out where the vehicle is by clicking on the location query. You can wait until it is close to you or drive to it. If it is too far away, send an accomplice to the vehicle. Once there, you can open the vehicle, get in or take the laptop bag out of the trunk. In some cases, thanks to the modern and convenient “keyless” function, you can even start the vehicle without a physical key and drive away.
Steal a vehicle with minimal effort!
It really is that frighteningly simple: using the email address and password you took from the stealer log, you simply log into the vehicle owner’s app. No special skills required - just a little patience and knowledge of what the domain means. The login works smoothly and the vehicle or the contents of the vehicle are in your possession.
The vehicle owner knows nothing
The vehicle owner is unaware of any of this, except that their car or valuables such as the laptop bag have simply disappeared at some point. The attacker has left no traces. There were no notifications about a login from a new device, no warning - the vehicle or valuables are simply gone. For the owner, it feels as if the vehicle or the contents they thought were safe have simply vanished.
What is a stealer log and why is it dangerous?
A stealer log is a collection of login data that goes far beyond the classic account leak. In a typical leak, you often only find a combination of email address and password. With stealer logs, however, the website or app of the respective platform on which this combination is used is also listed. This means that hackers not only have a user’s login data, but also know exactly which services this data is used for - such as an email account, a social network or, in our case, a vehicle app.
How can stolen login data enable access to vehicle functions?
What makes these stealer logs particularly dangerous is the discovery of stolen login data belonging to various apps from car manufacturers. These apps now offer not only an easy way to monitor the vehicle, but also functions such as opening, starting and even driving cars through so-called “keyless” systems.
With a combination of valid login data and the domain found in the context, attackers can deduce the specific app of the vehicle and thus potentially gain access to vehicle functions. What does this mean in detail? In a study we conducted, we took a closer look at several apps from major car manufacturers. Our aim was to find out how much access an attacker can gain with just a valid login and an app.
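The distinguishing feature of a stealer log described in the two passages above is the service context attached to each credential. The same context is what lets a provider triage a dump defensively: find the entries that concern its own services, keep the affected logins, discard the passwords and trigger resets. The following is an added example and not Identeco’s tooling; the "url:login:password" line layout, the domains, the app id and the accounts are all constructed placeholders.

```python
"""Triage of stealer-log entries for exposure monitoring.

Added example, not Identeco's tooling. The "url:login:password" line layout
and all domains and accounts below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample log. Real logs vary in layout; this example assumes one
# entry per line as URL (or app id), login and password separated by ':'.
SAMPLE_LOG = """\
https://login.example-car-app.example/account:alice@example.org:Sunshine2019!
https://shop.example-retailer.example/checkout:alice@example.org:Sunshine2019!
android://com.example.carapp/:bob@example.net:hunter2
https://mail.example-mail.example/:carol@example.org:pw-carol
https://example-car-app.example/login:dave@example.com:pw:with:colons
malformed line without separators
"""

# Services the defender operates (hypothetical): a web domain and an app id.
MONITORED = {"example-car-app.example", "com.example.carapp"}


def parse_entry(line):
    """Split one log line into (host, login), discarding the password.

    Only the fact that an account appears in a log is needed to force a
    reset, so the plaintext secret is never retained. Returns None for
    lines that do not fit the assumed layout. Hosts with an explicit
    port are not handled.
    """
    line = line.strip()
    _scheme, sep, rest = line.partition("://")
    if not sep:
        return None
    # Split at most twice so a password containing ':' stays intact.
    parts = rest.split(":", 2)
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    host_and_path, login, _password = parts
    host = host_and_path.split("/", 1)[0].lower()
    return host, login.lower()


def service_for(host, monitored):
    """Return the monitored service the host belongs to, or None.

    Matches the service itself and any subdomain of it
    (e.g. login.example-car-app.example).
    """
    for service in monitored:
        if host == service or host.endswith("." + service):
            return service
    return None


def triage(log_text, monitored):
    """Group exposed logins by monitored service.

    Returns (exposed, skipped): exposed maps service -> sorted logins,
    skipped counts malformed lines and entries for unmonitored services.
    """
    exposed = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        entry = parse_entry(line)
        service = entry and service_for(entry[0], monitored)
        if not service:
            skipped += 1
            continue
        exposed[service].add(entry[1])
    return {svc: sorted(logins) for svc, logins in exposed.items()}, skipped


if __name__ == "__main__":
    found, ignored = triage(SAMPLE_LOG, MONITORED)
    for service, logins in sorted(found.items()):
        print(f"{service}: force password reset and revoke sessions for {logins}")
    print(f"{ignored} lines skipped")
```

The suffix match in `service_for` deliberately accepts subdomains of a monitored service but not domains that merely start with its name, and the password is dropped in `parse_entry` before anything is stored, so the triage output can be handed to a reset workflow without itself becoming a credential store.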
How does keyless or app-based driving work?
The majority of modern vehicles are now controlled via apps. So-called “keyless” or “app-based” driving allows users to unlock and start their vehicle without the need for a physical key. Instead, the connection is established via an app that communicates with the vehicle.
Unfortunately, during our investigation, we found that such apps often grant more access to vehicle functions than one would initially expect - and with a single combination of email address and password. This poses a significant security risk, as attackers are able to use simple methods to steal vehicles or manipulate vehicle functions without the need for a physical key to the car.
Which car manufacturers are affected?
To better understand the scope of this threat, we focused on the apps of leading car manufacturers. Our investigation includes the following manufacturers and their vehicle apps:
- Tesla
- Ford
- BMW Group (incl. BMW and Mini)
- VW Group (Skoda, VW, Audi, Seat)
- Toyota
- Hyundai
- MG
What did we find out?
When analyzing these accounts, we found that the car manufacturers’ apps - with a valid combination of login data - in many cases provide access to far more functions than expected. In particular, access to vehicle functions such as opening the car, starting the engine or even tracking the location of the vehicle. In some cases, attackers could have used this data to take control of the vehicle itself.
We also observed differences between car manufacturers’ apps, particularly in relation to the use of PINs and notifications:
PIN protection
- Tesla: The PIN protects the driving function, but can be deactivated by using the “Forgot PIN” function and entering the account data.
- BMW/Mini: A PIN is required here, but it is only set in the app and can therefore also be set by the attacker.
- Volkswagen/Seat/Audi: These brands use a vehicle-specific (s-)PIN, which provides better protection.
Notifications in the event of unauthorized access
- Mercedes: Sends emails for every login activity. However, if an attacker also has access to the email account, the Mercedes account can be completely taken over.
- Toyota: Consistently sends push notifications for almost all important events to all active apps, which can significantly limit the threat.
- BMW and Ford: We did not receive any notifications during testing, which makes it much more difficult to detect an attack.
- Tesla: Sends push messages to the vehicle owner, but the attacker can mark these messages as “read” in the app, rendering the notification ineffective. An e-mail notification is only sent when a new account is approved for a vehicle, whereas an attacker with stolen login data deliberately uses the existing account, so this e-mail is never triggered.
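The findings above can be read as a checklist for a vehicle-app backend: mail the owner on every login, deliver push alerts only to devices that were already trusted (never to the session that just logged in, which could mark them as read), require a vehicle-bound PIN for unlock and start, and never let the account password alone reset that PIN. The following is an added example that models such a policy; it is not any manufacturer’s code, and the `Account`, `Decision` and `handle_*` names, the command set and the scenario data are assumptions made for illustration.

```python
"""Out-of-band alerting and step-up checks for a vehicle-app backend.

Added example, not any manufacturer's code. The policy encodes the
observations above as assumptions: mail the owner on every login, push
only to devices that were already trusted (never to the session that just
logged in, which could mark it as read), require a vehicle-side PIN for
unlock/start, and refuse PIN resets that rest on account credentials alone.
"""
from dataclasses import dataclass, field

SENSITIVE_COMMANDS = {"unlock", "start"}


@dataclass
class Account:
    email: str
    trusted_devices: set = field(default_factory=set)  # devices that passed 2FA
    sessions: dict = field(default_factory=dict)       # session id -> device id


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list  # (channel, target) pairs the backend must send


def _push_to_others(account, device_id):
    """Push alerts for every trusted device except the one acting."""
    return [("push", d) for d in sorted(account.trusted_devices) if d != device_id]


def handle_login(account, session_id, device_id, password_ok, second_factor_ok):
    """Every attempt is mailed to the owner; new devices need a second factor."""
    alerts = [("email", account.email)]
    if not password_ok:
        return Decision(False, "wrong password", alerts)
    if device_id not in account.trusted_devices:
        if not second_factor_ok:
            return Decision(False, "second factor required for new device", alerts)
        # Existing devices learn about the enrolment; the new one does not
        # get an alert it could dismiss itself.
        alerts += _push_to_others(account, device_id)
        account.trusted_devices.add(device_id)
    account.sessions[session_id] = device_id
    return Decision(True, "login ok", alerts)


def handle_command(account, session_id, command, vehicle_pin_ok=False):
    """Remote commands are announced to the other devices; unlock/start need the PIN."""
    device_id = account.sessions.get(session_id)
    if device_id is None:
        return Decision(False, "no session", [])
    alerts = _push_to_others(account, device_id)
    if command in SENSITIVE_COMMANDS and not vehicle_pin_ok:
        return Decision(False, f"{command} requires the vehicle PIN",
                        alerts + [("email", account.email)])
    return Decision(True, f"{command} ok", alerts)


def handle_pin_reset(account, session_id, confirmed_in_vehicle):
    """A PIN that the account password can reset adds nothing once that
    password is in a stealer log, so the reset must be confirmed in the car."""
    if session_id not in account.sessions:
        return Decision(False, "no session", [])
    alerts = [("email", account.email)] + _push_to_others(account, None)
    if not confirmed_in_vehicle:
        return Decision(False, "PIN reset must be confirmed from the vehicle", alerts)
    return Decision(True, "PIN reset ok", alerts)


if __name__ == "__main__":
    owner = Account("owner@example.org", trusted_devices={"phone-owner"})
    # Constructed scenario: a stolen password is used from an unknown phone.
    print(handle_login(owner, "s1", "phone-unknown", True, False))
    # The owner enrols a second device with the second factor.
    print(handle_login(owner, "s2", "tablet-owner", True, True))
    print(handle_command(owner, "s2", "start"))
    print(handle_command(owner, "s2", "start", vehicle_pin_ok=True))
```

The important design choice is that each alert list is computed from the account’s state, not from the caller: a login with a valid stolen password but no second factor still produces the owner e-mail, a remote start from a freshly enrolled tablet still pushes to the owner’s phone, and the PIN reset path has no branch in which the account password on its own is sufficient.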
Why is this a problem?
Account takeover attacks are not new, but they have been on the rise recently, especially in connection with stealer logs. Attackers can use stolen login credentials not only to access online services, websites and apps, but also to penetrate some unexpected areas of everyday life - in this case, vehicles. The increasing connectivity of cars and the growing use of apps to control these vehicles create new attack opportunities for criminals.
How can users protect themselves?
Online account security is of paramount importance, especially at a time when more and more personal devices and services are accessible via apps. Vehicle manufacturers need to pay increased attention to the security of their app and vehicle integrations to minimize the exploitation of such stealer logs and the resulting threats. Users should also ensure that they regularly check their exposure to data leaks (e.g. with Identeco’s Leak Inspector or the Leak Checker from the University of Bonn), activate two-factor authentication (2FA) and act quickly in the event of security incidents.
With Identeco, we protect consumers and providers of online services, websites and apps by identifying such threats and developing solutions for them. Stay vigilant and protect your data - not only to secure your accounts, but also to protect your vehicles and personal devices from unauthorized access.