Researchers catch flaws in Hyundai and Genesis cars, allowing complete vehicle takeover

Two security researchers at Yuga Labs, Sam Curry and Brett Buerhaus, have discovered a security vulnerability in the vehicle telematics service used by Hyundai and Genesis cars that allows complete takeover through the vehicles’ remote control app. The researchers disclosed the flaw on Twitter after working with Hyundai to develop a fix.
Most security research in the automotive industry revolves around cryptographic attacks on physical keys, but as cars are increasingly connected to the internet the attack surface keeps growing, and this bug is another example.
Further investigation revealed that the attack was also valid for Honda, Infiniti, Acura and Nissan vehicles. All of these manufacturers source their remote control infrastructure from SiriusXM, which fixed the issue immediately after disclosure and validated its update.
Both the Hyundai and Genesis apps allow authenticated users to start/stop or lock/unlock their vehicles remotely. Since the researchers had access to a Hyundai, they started by monitoring the traffic generated by the app and observing the API calls.
After reducing the unlock action to a simplified HTTP request, the researchers noticed that the user’s email address was resubmitted in the JSON body of the POST request. This is unusual, because the server should already be able to identify the user from the JSON Web Token (JWT) stored in the current authenticated session. That JWT is issued when the user logs in with valid credentials and is what actually authenticates the user.
Further investigation revealed that the server was comparing the email sent in the JSON body of the request with the email parsed from the JWT. Since this check sat on the actual request to unlock the car, bypassing it could potentially unlock the car and give an attacker control over the app’s other operations as well.
Hyundai’s servers did not require users to verify their email address during account registration, and the registration regex allowed control characters in the email address. The researchers were therefore able to register a new account by appending a CRLF sequence to the victim’s existing email address during registration. This gave them an account that bypassed the comparison between the JWT email and the email parameter.
At this point, the researchers had an account nearly identical to the victim’s, the only difference being as follows:
The researchers tested this by sending an HTTP request to an API endpoint that listed all vehicles connected to an account using the attacker’s email address as the JWT email and the victim’s ID as the JSON parameter. The endpoint returned the victim’s VIN, indicating that the attack was successful.
From there, the attackers could unlock the car and essentially take over all the actions that the app allowed using this manipulated JWT. Sending an HTTP request with the CRLF-added victim account returned a “200 OK” status, indicating that the car was unlocked.
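As an added illustration (not code from the article, Hyundai or SiriusXM), the following Python models the two weaknesses described above beside their hardened counterparts: a registration check that lets a CRLF-suffixed address through, and a vehicle lookup that trusts the client-supplied email once a loose comparison with the JWT email passes. The article does not say how the server’s comparison was satisfied; the whitespace-trimming comparison here is an assumption, as are the sample account, the VIN and all function names.

```python
import re

# Constructed sample data: one victim account owning one vehicle (fake VIN).
VEHICLES_BY_EMAIL = {"victim@example.com": ["VIN-CONSTRUCTED-0001"]}

# Permissive check of the kind the article describes: '.' matches '\r' and
# '$' also matches just before a trailing '\n', so "victim@example.com\r\n"
# is accepted and the control characters survive into the account record.
WEAK_EMAIL_RE = re.compile(r"^.+@.+$")
# Hardened check: explicit character classes, used with fullmatch() so that
# nothing (no CR, LF or other control byte) may trail the address.
STRICT_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def register_weak(email: str) -> bool:
    """Registration as on the vulnerable service: control characters pass."""
    return WEAK_EMAIL_RE.match(email) is not None


def register_strict(email: str) -> bool:
    """Hardened registration: reject any address outside the allowed classes."""
    return STRICT_EMAIL_RE.fullmatch(email) is not None


def list_vehicles_vulnerable(jwt_email: str, body_email: str) -> list[str]:
    """Vulnerable handler (assumed mechanism): a trimming comparison lets the
    attacker's 'victim@example.com\\r\\n' token match the victim's address,
    after which the body-supplied email drives the lookup."""
    if jwt_email.strip().casefold() != body_email.strip().casefold():
        raise PermissionError("email mismatch")
    return VEHICLES_BY_EMAIL.get(body_email, [])


def list_vehicles_fixed(jwt_email: str, body_email: str) -> list[str]:
    """Fixed handler: identity comes only from the verified token, the token
    identity itself is validated, and the comparison is exact."""
    if not STRICT_EMAIL_RE.fullmatch(jwt_email):
        raise PermissionError("malformed identity in token")
    if jwt_email != body_email:
        raise PermissionError("email mismatch")
    return VEHICLES_BY_EMAIL.get(jwt_email, [])


def is_denied(handler, jwt_email: str, body_email: str) -> bool:
    """True if the handler refuses the request (used to compare both variants)."""
    try:
        handler(jwt_email, body_email)
    except PermissionError:
        return True
    return False
```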
Someone who writes/edits/films/hosts all things tech, and when he’s not, he streams virtual car racing himself. You can reach Yadullah at [email protected] or follow him on Instagram or Twitter.