Posted on December 3, 2022 at 11:24 AM
Bug on Hyundai app allows hackers to unlock and start cars remotely
Hyundai and Genesis car models after 2012 were exposed to hackers. Hackers compromised these vehicles by exploiting mobile app vulnerabilities, allowing attackers to unlock and even start the vehicles remotely.
Vulnerability on the Hyundai app exploited
Security researchers detected the issues affecting these mobile apps. The researchers also explored similar attack mechanisms on the SiriusXM “smart vehicle” platform. This platform is used in other car models such as Acura, FCA, Honda, Infinity, Nissan, and Toyota.
The vulnerability allowed the threat actors to “remotely unlock, start, locate, flash, and honk” the cars. The researchers are yet to publish a detailed report about their findings. However, some of the information about the bugs was posted on Twitter through two separate threats for Hyundai and SiriusXM.
The mobile apps Hyundai and Genesis support are MyHyundai and MyGenesis. These apps allow authenticated users to control certain vehicle functions such as starting, stopping, locking, and unlocking.
After the researchers intercepted the traffic generated from the two apps, they analyzed the data, extracting API calls to conduct further investigations. They discovered that the validation of a car’s owner depended on the user’s email address. This email address was also included within the JSON body of the POST requests.
The analysts later found out that MyHyundai never required the confirmation of an email after the registration was done. Instead, they created a new account using the email address of the targeted vehicle while integrating another control character at the end.
Afterward, the attackers sent a HTTP request to the Hyundai endpoint that contained the spoofed address. They did this using the JSON token and the victim’s address within the JSON body. This allowed them to bypass the validity requirement.
To verify the possibility of using this access to launch an attack against the car, the researchers attempted to unlock a car for research purposes. They managed to unlock the car after just a few seconds.
The attack was conducted multi-step before being supported by a custom Python script. This allowed the attackers to launch the attack using only the target’s email address.
“Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a python script which only needed the victim’s email address. After inputing this, you could then execute all commands on the vehicle and takeover the actual account,” Sam Curry, one of the researchers said.
Issues with SiriusXM
SiriusXM is a telematics service provider that is popular with many car brands. Over 15 car manufacturers use this service. According to the vendor, he operates 12 million connected cars that can support more than 50 services using a single platform.
Analysts from Yuga Labs have detected that some of the largest car manufacturers have adopted SiriusXM technology to bring remote vehicle management features into their vehicles. These brands include Acura, Lexus, BMW, Land Rover, Honda, Subaru, Hyundai, Toyota, Nissan, Infinity, and Jaguar.
The analysts analyzed the network traffic that was coming from Nissan’s app. They detected that it was now possible for a malicious actor to send a forged HTTP request to the endpoint by simply using the vehicle identification number of the targeted vehicle.
The response to the unauthorized request also contained the target’s name, address, phone number, and vehicle details. It is easy for an attacker to access these vehicles by simply locating the identification number.
The vehicle identification number is quite easy to locate when parked. These numbers are usually displayed on the plate where the dashboard and the windshield meet. Therefore, it is easy for the attacker to get the details they need to make an illegal request. The identification numbers can also be visible on specialized car-selling websites where buyers research the vehicle’s history.
Besides disclosing information about the target vehicle, the attackers can also lodge requests to run commands that will take specific actions on the cars.
Barry further noted that for every car brand made past 2015 and using the SiriusXM model, they could be unlocked, locked, tracked, started, stopped, honked, or flashed remotely. An attacker could execute all these functions by accessing the car’s VIN.