Hyundai vulnerability allowed remote hacking of locks, engine

Security researchers have discovered a vulnerability affecting Hyundai and Genesis cars that would have allowed hackers to remotely control functions such as door locks and engine.

The exploit affects Hyundai and Genesis vehicles released since 2012 and targets a weakness in the use of insecure vehicle data in mobile apps intended for use by the owners of the vehicles.

The API calls used to control the locks, horn, engine, headlights and trunk controls of cars were easy to exploit, and could be reverse-engineered to give hackers full remote access to the car’s functions, the researchers said.

In a thread on Twitter, bug bounty hunter Sam Curry explained the process in full. Within the affected apps, functionality such as locking and unlocking the user’s car was secured behind an access token, a JSON web token generated from an authenticated email account, checked against the in-app HTTP request and the car’s Vehicle Identification Number (VIN).

However, the regular expression (regex) used to accept email strings as valid allowed the inclusion of special characters. Curry and other researchers quickly discovered that by adding a CRLF character to the end of an email address that already existed on the system, they could send an HTTP request to a secure endpoint. This contained a list of vehicles registered to the given address so that the VINs of any selected customer could be harvested.

Using the fake JWT, the researchers sent a vehicle unlock request to a car owned by a collaborator, and received “200 OK” back at the same time as the car’s locks responded to the request.

Once the manual process was figured out, the researchers were able to massively reduce the steps a threat actor would have to take by using a simple script written in Python. Using this, all that was required was the victim’s email address to gain access to their car, and commands could be run entirely within the program.

Derek Abdine, CEO of artificial intelligence (AI) company furl, black to Curry alleging that VINs are widely available on dealer websites, and therefore threat actors could exploit the vulnerability without even needing a victim’s email address.

Curry himself later noted that VIN numbers are often displayed in the lower corner of a car’s windshield. This means that a threat actor with physical access to a car could have used the identified exploit to gain access to vital systems.

Earlier this year, Curry and other researchers stress-tested a number of similar telematics apps, with the usual link to developer SiriusXM, as outlined in a subsequent Twitter thread.

SiriusXM provides connected vehicle systems for cars from a variety of household car brands. Researchers discovered that using only the VIN of a customer’s car, it was possible to not only remotely activate vehicle functions as with Hyundai, but also to retrieve a customer’s user profile in the NissanConnect app. This contained details, including the victim’s name, telephone number and address. Similar vulnerabilities were replicated in the apps of Honda, Infiniti, FCA and Acura.

All vulnerabilities were reported to the relevant companies, and Curry explicitly named Hyundai and SiriusXM as having immediately fixed the security issues.

Concerns about the vulnerability of cars that connect to apps have existed for years. In 2016, the FBI warned that connected cars could be hacked, and particularly emphasized the risks posed by cars that connect to mobile devices. That same year, Chinese hackers targeted a Tesla, with security researchers such as Tencent’s Keen Labs sending the details of the successful attack to the EV firm to patch.

IT Pro has reached out to Hyundai for comment.