Critical vulnerability allowed attackers to remotely unlock, control Hyundai, Genesis vehicles
Vehicles made after 2012 were vulnerable to the exploitation of web apps
Researchers have revealed a critical issue in Hyundai and Genesis vehicles that can be exploited to remotely control a car.
Yuga Labs staff security engineer Sam Curry reported the findings in a Twitter thread this week (November 29), noting that the bug allowed the team to “remotely control the locks, engine, horn, headlights and trunk of vehicles made after 2012”.
A bug bounty hunter under the moniker _specters_ served as a fake car thief (with his own Hyundai vehicle) for the project led by Curry and other Yuga Labs researchers.
Curry noted that recent vehicle cybersecurity research tends to focus on cryptographic attacks on physical keys, but that, aside from new exploits, the websites and apps that support modern communication protocols and controls may have been overlooked.
For example, Hyundai and Genesis mobile device apps allow authenticated users to manage functions including starting or stopping and locking or unlocking their vehicles, which could be a serious problem if compromised.
Using Burp Suite, the researchers proxied app traffic and monitored API calls, looking for an entry point.
Curry explained that there appeared to be a “pre-flight” check when JSON Web Tokens (JWTs) were generated during an app’s email/password check.
However, since the server did not require email address verification, it was possible to append a CRLF character to a victim’s existing email address during registration and create an account that bypassed the JWT and email parameter check.
The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed that his car was remotely unlocked.
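One way to close this class of gap on the server side, as an added example that is not from the researchers or from Hyundai: reject control characters at registration rather than stripping them, and authorize vehicle commands from the token's own identity. The function names, the use of the JWT `sub` claim to carry the email, and the sample addresses and VIN placeholder are assumptions; the token's signature is assumed to have been verified already.

```python
import re
import unicodedata

# Conservative address shape; fullmatch() means a trailing "\n" cannot slip
# past the way it can with re.match() and a "$" anchor.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedEmail(ValueError):
    pass


def canonical_email(raw: str) -> str:
    """Return the canonical form of an address or raise RejectedEmail."""
    # Refuse control/format characters (CR, LF, NUL, zero-width...) outright
    # instead of stripping them: stripping would map a crafted address
    # onto the existing account's address.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in raw):
        raise RejectedEmail("control character in address")
    if not _EMAIL_RE.fullmatch(raw):
        raise RejectedEmail("malformed address")
    return raw.lower()


def register(accounts: set, raw_email: str) -> str:
    """Create an account only for a clean address that is not already taken."""
    email = canonical_email(raw_email)
    if email in accounts:
        raise RejectedEmail("address already registered")
    accounts.add(email)
    return email


def authorize(token_claims: dict, requested_email: str, owners: dict, vin: str) -> bool:
    """Allow a vehicle command only if the token's own identity owns the VIN."""
    try:
        subject = canonical_email(token_claims["sub"])  # assumed claim layout
        requested = canonical_email(requested_email)
    except (KeyError, RejectedEmail):
        return False
    # The email parameter must equal the verified token identity exactly,
    # and ownership is looked up from the token, never from the parameter.
    return subject == requested and owners.get(vin) == subject
```

Email verification before the account becomes active remains the primary control; the checks above only ensure that two byte-different strings can never resolve to the same owner.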
In the driver’s seat
By itself, the attack chain required many requests. The researchers therefore created a Python proof-of-concept (PoC) script that compiled these steps – and according to a video of the script in action, an email address is all it takes to launch an attack.
Actions that the team performed include:
● Remotely flashing the lights of the victim’s vehicle.
● Honking the horn.
● Starting or stopping the engine.
● Locking or unlocking the car.
● Changing a PIN code.
● Unlocking the trunk.
Talking to The Daily Swig, Curry said the vulnerability was disclosed to Hyundai about two months ago as part of a package of telematics issues affecting various automakers related to SiriusXM remote management software.
As part of a coordinated vulnerability disclosure program, a patch was issued before the vulnerability was made public.
Fuel for thought
While Curry said the project was “mainly for fun”, commenting on the research, Specters said:
“I want to emphasize that we started this research because we all recognized that embedded security for vehicles was getting better and better, but application security was lagging behind by a wide margin. We wanted to push for that change and hope we did.”