Security researchers have discovered a vulnerability affecting Hyundai and Genesis cars, which would have allowed hackers to remotely control functions such as the door locks and engine.
The exploit impacts cars by Hyundai and Genesis released since 2012 and targets a weakness in the use of insecure vehicle data in mobile apps intended for use by the owners of the vehicles.
The Forrester Wave API management solutions, Q3 2022
The 15 providers that matter most and how they stack up
The API calls used to control the locks, horn, engine, headlights, and boot controls of cars were easily exploitable, and could be backwards engineered to give hackers full remote access to the car's functions, the researchers said.
In a thread on Twitter, bug bounty hunter Sam Curry explained the process in full. Within the affected apps, functionality like locking and unlocking the user’s car was secured behind an access token, a JSON web token generated from an authenticated email account, checked against the HTTP request made in the app and the car’s vehicle identification number (VIN).
However, the regular expression (regex) used to accept email strings as valid allowed for the inclusion of special characters. Curry and fellow researchers quickly discovered that by appending a carriage return line feed (CRLF) character at the end of an email address that already existed on the system, they could send an HTTP request to a secure endpoint. This contained a list of vehicles registered to the given address, allowing for the VINs of any chosen customer to be harvested.
Using the faked JWT, the researchers sent an unlock vehicle request to a car owned by a collaborator, and received “200 OK” back at the same time as the car's locks responded to the request.
Once the manual process had been figured out, the researchers were able to massively reduce the steps a threat actor would have to take, using a simple script written in Python. Using this, all that was required was the victim’s email address to gain access to their car, and commands could be run entirely within the program.
"Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention," a Hyundai spokesperson told IT Pro.
"Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers.
"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team’s assistance."
Earlier in the year, Curry and other researchers stress-tested a number of similar telematics apps, with the common link of developer SiriusXM Connected Vehicle Services (SiriusXM), as outlined in a subsequent Twitter thread.
“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms," a Sirius XM Connected Vehicle Services spokesperson told IT Pro.
"As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorised account modified using this method.”
SiriusXM provides connected vehicles systems for cars from a number of household automotive brands. Researchers discovered that through the use of only the VIN of a customer’s car, it was possible to not only remotely activate vehicle features, but to also fetch a customer’s user profile within the NissanConnect app. This contained details including the victim’s name, phone number, and address. Similar vulnerabilities were replicated in the apps of Honda, Infiniti, FCA, and Acura.
Derek Abdine, CEO at artificial intelligence (AI) company furl, responded to Curry with the claim that VINs are widely available on dealership websites.
All vulnerabilities were reported to the relevant companies, which have patched the vulnerabilities.
Concerns around the vulnerability of cars that connect to apps have been around for years. In 2016, the FBI warned connected cars can be hacked, and particularly stressed the risk posed by cars that connect to mobile devices. The same year, Chinese hackers remote targeted a Tesla, with security researchers as Tencent’s Keen Labs passing the details of the successful attack onto the EV firm to patch.
This article originally stated that Hyundai cars could be accessed without the need for a victim's email address. This was inaccurate, and the article has now been updated to reflect this.
