Hyundai vulnerability allowed remote hacking of locks, engine
Researchers discovered flaws in a number of apps linked to car brands that allowed access to personal details and remote control of vehicles using easily obtained IDs


Security researchers have discovered a vulnerability affecting Hyundai and Genesis cars, which would have allowed hackers to remotely control functions such as the door locks and engine.
The exploit impacts cars by Hyundai and Genesis released since 2012 and targets a weakness in the use of insecure vehicle data in mobile apps intended for use by the owners of the vehicles.
The API calls used to control the locks, horn, engine, headlights, and boot controls of cars were easily exploitable, and could be reverse engineered to give hackers full remote access to the car's functions, the researchers said.
In a thread on Twitter, bug bounty hunter Sam Curry explained the process in full. Within the affected apps, functionality like locking and unlocking the user’s car was secured behind an access token, a JSON web token generated from an authenticated email account, checked against the HTTP request made in the app and the car’s vehicle identification number (VIN).
However, the regular expression (regex) used to accept email strings as valid allowed for the inclusion of special characters. Curry and fellow researchers quickly discovered that by appending a carriage return line feed (CRLF) character at the end of an email address that already existed on the system, they could send an HTTP request to a secure endpoint. This endpoint returned a list of vehicles registered to the given address, allowing the VINs of any chosen customer to be harvested.
Using the faked JWT, the researchers sent an unlock vehicle request to a car owned by a collaborator, and received “200 OK” back at the same time as the car's locks responded to the request.
Once the manual process had been figured out, the researchers were able to massively reduce the steps a threat actor would have to take, using a simple script written in Python. Using this, all that was required was the victim’s email address to gain access to their car, and commands could be run entirely within the program.
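The email-validation weakness described above can be illustrated from the defender's side. This is an added example, not code from Hyundai, the researchers, or the original article: the permissive pattern, the strict pattern, the `OWNED_VINS` table and all sample addresses and VINs are constructed assumptions. It shows a loose regex accepting an address with trailing control characters, and a hardened check that rejects it before comparing the token's identity with the requested account and VIN.

```python
import re
import unicodedata

# Constructed stand-in for a permissive pattern; the vendor's real regex is not shown on the page.
PERMISSIVE = re.compile(r"[^@]+@[^@]+\.[^@]+")
# Strict allow-list: printable ASCII local part and dotted hostname, nothing else.
STRICT = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample data: canonical account email -> VINs registered to it.
OWNED_VINS = {"owner@example.com": {"TESTVIN0000000001"}}


def permissive_accepts(raw: str) -> bool:
    """Weak check: any non-'@' character, including CR and LF, is allowed."""
    return PERMISSIVE.fullmatch(raw) is not None


def canonical_email(raw: str) -> str:
    """Return the lower-cased address, or raise ValueError if it is not clean."""
    # Unicode categories starting with "C" cover control and format characters.
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        raise ValueError("control or format character in email")
    if len(raw) > 254 or not STRICT.fullmatch(raw):
        raise ValueError("email does not match allow-list pattern")
    return raw.lower()


def authorize(token_email: str, request_email: str, vin: str) -> bool:
    """Decide a vehicle command. token_email is assumed to come from a JWT
    whose signature has already been verified elsewhere."""
    try:
        subject = canonical_email(token_email)
        target = canonical_email(request_email)
    except ValueError:
        return False  # malformed identity: fail closed
    # Identity must match exactly, and the VIN must belong to that account.
    return subject == target and vin in OWNED_VINS.get(subject, set())
```

Both the token claim and the request parameter pass through the same canonicalization, so two strings that differ only by invisible characters can never be treated as separate identities that resolve to one account.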
"Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention," a Hyundai spokesperson told IT Pro.
"Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers.
"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team’s assistance."
Earlier in the year, Curry and other researchers stress-tested a number of similar telematics apps, with the common link of developer SiriusXM Connected Vehicle Services (SiriusXM), as outlined in a subsequent Twitter thread.
"We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms," a Sirius XM Connected Vehicle Services spokesperson told IT Pro.
"As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorised account modified using this method."
SiriusXM provides connected vehicle systems for cars from a number of household automotive brands. Researchers discovered that, using only the VIN of a customer’s car, it was possible not only to remotely activate vehicle features, but also to fetch a customer’s user profile within the NissanConnect app. This contained details including the victim’s name, phone number, and address. Similar vulnerabilities were replicated in the apps of Honda, Infiniti, FCA, and Acura.
Derek Abdine, CEO at artificial intelligence (AI) company furl, responded to Curry with the claim that VINs are widely available on dealership websites.
All vulnerabilities were reported to the relevant companies, which have patched the vulnerabilities.
Concerns around the vulnerability of cars that connect to apps have been around for years. In 2016, the FBI warned that connected cars can be hacked, and particularly stressed the risk posed by cars that connect to mobile devices. The same year, Chinese hackers remotely targeted a Tesla, with security researchers at Tencent’s Keen Labs passing the details of the successful attack on to the EV firm to patch.
This article originally stated that Hyundai cars could be accessed without the need for a victim's email address. This was inaccurate, and the article has now been updated to reflect this.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.