Hyundai app bug allows anyone to unlock car remotely
The flaw affects Hyundai and Genesis vehicles made within the last decade. Exploitation of the flaw will allow control of the locks, engine and other critical functions.
The newly discovered vulnerability affects the mobile apps that Hyundai and its luxury brand Genesis owners use to monitor their vehicles. Alongside vehicle diagnostics and service scheduling, the apps also allow users to remotely start, stop, lock and unlock the vehicle.
According to hacker and bounty hunter Sam Curry, mobile apps for Hyundai and Genesis vehicles grant vehicle control privileges only to authorized users. However, researchers noted irregularities in how the app communicates with the authorization server, leading them to investigate the registration of the Hyundai user account.
“Immediately we noticed that the server did not require users to verify their email address. Additionally, there appeared to be a very loose regex that allowed control characters in your email,” Curry said in a tweet detailing the bug.
Curry and his team delved into possible ways to bypass the authentication and found that appending CRLF characters to the end of an existing email to the victim during registration. In this way, a threat actor can register a new account with an already existing email.
The new account will be issued a JSON Web Token (JWT) that matches the legitimate email on the server, giving the attacker access to the targeted vehicle.
“Our final check was to see if we could perform actual actions like unlocking or starting the car using our tampered JWT. If we could do this, it would be full account and full vehicle takeover for all remotely activated Hyundai vehicles (and later we learned Genesis),” Curry said.
Researchers used one of their cars to test the exploit. They found that using a victim’s email address with additional CRLF characters allowed them to remotely lock the vehicle linked to the victim’s email address.
The team behind the hack even developed a python script that would only need the victim’s email address to execute all commands on the vehicle and even take over the owner’s account.
The vulnerability was reported to Hyundai and, according to Curry, fixed.
Over the years, an increasing number of security experts have focused their studies on car hacking, successfully demonstrating how attackers can compromise the various components of vehicles.
Recently, Europol arrested 31 suspects dismantling an alleged car theft that used hacking software to steal French-made cars.
More from Cybernews:
Sony and Lexar’s encryption provider leaked sensitive data for over a year
Scientists are bringing Star Wars-like holograms closer to reality
Twitter is quietly dropping its COVID misinformation policy
Putin embraces digital currency as sanctions cripple Russia’s economy
Hackers are exploiting trending TikTok challenges to deliver malware
Subscribe to our newsletter