Serious security bugs allowed hackers to remotely unlock and start millions of cars

3 years ago 1

ARTICLE AD BOX

Yuga Labs security researchers discovered severe vulnerabilities in Hyundai’s mobile apps and a smart vehicle platform used by multiple carmakers, both of which allowed hackers to remotely control several features.

The researchers detailed their exploits in two recent Twitter threads

The first issue was related to the MyHyundai and MyGenesis apps, which allow authenticated users to start, stop, lock, or unlock their vehicles.

By intercepting traffic generated by the two apps, Yuga Labs could extract API calls for analysis.

They discovered that the apps’ user validation was performed using the email address, included in the JSON body of POST requests.

They also found the MyHyundai app did not require email confirmation upon registration.

The researchers created a new account using their target’s email address with a control character added at the end.

They then sent an HTTP request to Hyundai’s endpoint with the spoofed address in the JSON token and the victim’s address in the JSON body, circumventing validation.

After gaining access to an existing legitimate user’s account this way, they could use the app to unlock a Hyundai car that formed part of their experiment.

To illustrate how simple such an attack would be, they wrote a Python script that only required entering the victim’s email address.

Yuga Labs reported the bug to Hyundai and worked with the company to roll out a fix.

Second bug impacts millions of cars

The second major vulnerability was picked up in the SiriusXM vehicle telematics software used by over 15 car manufacturers — including BMW, Honda, Hyundai, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

The software allows for remote vehicle management through the manufacturers’ mobile apps.

After analysing the network traffic generated by Nissan’s app, the researchers discovered they could send forged HTTP requests to the endpoint with only the target’s vehicle identification number (VIN).

The VIN can be easily found on a parked car and is typically located on a small plate on the vehicle’s dashboard, close to where it meets the windshield. In South Africa, the VIN is also displayed on the vehicle licence disc.

Using this information, the researchers extracted the target’s name, phone number, address, and vehicle details.

They could also control various car functions remotely — including location tracking, locking and unlocking, starting and stopping, activating the horn, or flashing headlights.

Yuga Labs reported the issue to SiriusXM, who fixed it “immediately” and validated their patch.