Flaws in Honda, Nissan, Toyota Cars App Let Hackers Start Car Remotely

by James · December 10, 2022

A critical vulnerability uncovered in Honda, Nissan, Infiniti and Acura vehicle apps allows hackers and law enforcement agencies to remotely unlock and start the vehicle with a laptop from anywhere in the world.

The critical flaw is found in SiriusXM, a connected vehicle platform that provides services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota.

During routine investigations, Sam Curry, a web application security researcher, and his team found a critical vulnerability in the connected vehicle remote management service that has registered for SiriusXM mobile apps.

The research has not only highlighted how a vulnerability can have a physical effect on a large number of cars, but also how much personal data can be obtained from a vehicle.

EHA

More car hacking!

Earlier this year, we were able to remotely unlock, start, locate, flash and honk any remotely connected Honda, Nissan, Infiniti and Acura vehicle, completely without authorization, knowing only the vehicle’s VIN number.

Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k

— Sam Curry (@samwcyo) 30 November 2022

Investigation to find the fault

A domain was found in this research and is associated with vehicle registration in SiriusXM remote management functionality.

Further analysis of this domain shows that a large number of references point to the Nissan Car Connected App.

Go later to log into the app and inspect the HTTPS traffic from one of the Nissan car owners.

During the scan, the researchers found that there was one HTTP request in particular that was interesting: the “exchangeToken” endpoint would return an authorization bearer depending on the provided “customerId”.

In the HTTPS request above, a VIN parameter was removed and still works, on the other hand, the request fails if the other things “nissancust” prefix and “Cv-Tsp” header will be changed.

Extract the customer data

“Further analysis by one of the HTTP response researchers saw the following format for a VIN number: vin:5FNRL6H82NB044273, This VIN format looked eerily similar to the “nissancust” prefix from the previous HTTP request. What if we tried sending the VIN prefix ID as customer ID?” The researcher said in his chirping.

By sending the VPN prefix ID as the client ID, researchers receive a bearer Toke return along with a “200 OK” response of the following:

“This was exciting, we generated some token and it indexed the arbitrary VIN number as the identifier. To make sure this was not related to our session JWT, we completely dropped the authorization parameter and it still worked!”

To retrieve the user profile, researchers attempt to use the authorization bearer in an HTTP request, and in response have retrieved the victim’s name, phone number, address and car details.

Retrieves the customer details using the VIN number

By having only the VIN number, any attacker can retrieve the customer details using a python script and a continuous escalation that leads researchers to find the HTTP request to run vehicle commands.

Finally, at this point, attackers will gain access to customer information and run vehicle commands to unlock the vehicle and start the car remotely.

Researchers have tested this defect on Honda, Infiniti and Acura vehicles as well as Nissan vehicles and reported the problem to SiriusXM who promptly fixed it.

Penetration Testing as a Service – Download Red Team & Blue Team Workspace