Hacking Hyundai vehicles

A cybersecurity researcher found that a bug in the mobile application made it possible to access Hyundai vehicles.


A vulnerability in the Hyundai mobile application exposed Hyundai and Genesis car models made after 2012 to remote attacks, allowing hackers to unlock and start the vehicle. The vulnerability was found to have an attack surface similar to that of another vehicle platform, used in different cars, that lets users remotely unlock and start the vehicle.

Hyundai and Genesis each use their own application, MyHyundai and MyGenesis respectively. Security researchers intercepted the traffic being generated by the mobile application and, upon analyzing it, were able to extract the API. Validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests.


The analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check.






To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.
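The server-side checks whose absence made the bypass above possible, written out as an added example (not code from the researchers or from Hyundai): registration refuses addresses containing control characters and stays unverified until confirmed, and a command is authorized for the identity in the token, never for the email in the body. The function names, the in-memory dictionaries, the `vehicle_id` field and the assumption that the token signature has already been verified are all illustrative.

```python
import unicodedata

class AuthError(Exception):
    """Raised when a request fails an identity check."""

# Unicode categories for control, format (invisible) and separator characters.
REJECTED = {"Cc", "Cf", "Zs", "Zl", "Zp"}

def canonical_email(raw):
    """Return the address in canonical form; refuse characters that a lenient
    parser or comparison might silently drop."""
    if not isinstance(raw, str) or not raw:
        raise AuthError("email missing")
    if any(unicodedata.category(ch) in REJECTED for ch in raw):
        raise AuthError("email contains a control or whitespace character")
    local, sep, domain = raw.rpartition("@")
    if not (sep and local and domain):
        raise AuthError("email malformed")
    return f"{local}@{domain.lower()}"

def register(accounts, raw_email):
    """Create an account that stays unusable until the address is confirmed."""
    email = canonical_email(raw_email)
    if email in accounts:
        raise AuthError("account already exists")
    accounts[email] = {"verified": False}
    return email

def confirm_email(accounts, email):
    """Called only after the owner follows the confirmation link (not modelled)."""
    accounts[email]["verified"] = True

def authorize_command(accounts, owners, token_claims, body):
    """Identity comes from the verified token only; the body is untrusted input.
    Assumes the token signature was already checked by the caller."""
    subject = canonical_email(token_claims.get("email"))
    if not accounts.get(subject, {}).get("verified"):
        raise AuthError("account not verified")
    # A body email, if present, must equal the token subject exactly.
    if "email" in body and body["email"] != subject:
        raise AuthError("body email does not match token subject")
    # Ownership is looked up for the token subject, never for the body email.
    if owners.get(body.get("vehicle_id")) != subject:
        raise AuthError("vehicle not registered to caller")
    return subject
```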

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota use SiriusXM technology to implement remote vehicle management features. Vehicle information can be forged and sent through the endpoints simply by knowing the target's vehicle identification number (VIN). Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily obtain one. These identification numbers are also available on specialized car-selling websites, for potential buyers to check the vehicle's history.

Any vehicle from the car brands using SiriusXM that was made after 2015 could be remotely tracked, locked or unlocked, started or stopped, honked, or have its headlights flashed just by knowing its VIN. Most cars built before that are still plugged into SiriusXM, and it would be possible to scan their VIN through the windshield and take over their SiriusXM account, revealing the name, phone number, address, and billing information hooked up to that account.


UPDATE (12/08/2022): A Hyundai spokesperson shared the following comment:

Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention. Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts – for either Hyundai or Genesis – were accessed by others as a result of the issues raised by the researchers.

We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai/Genesis account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai and Genesis implemented countermeasures within days of notification to further enhance the safety and security of our systems. Separately, Hyundai and Genesis were not affected by a Sirius XM authorization flaw that was recently disclosed.

We value our collaboration with security researchers and appreciate this team’s assistance.


About the Author

Ruben George