Vehicles made after 2012 were vulnerable to web app exploit
Researchers have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car.
Yuga Labs staff security engineer Sam Curry reported the findings on a Twitter thread this week (November 29), noting that the bug allowed the team to “remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012”.
A bug bounty hunter under the moniker _specters_ acted as a mock car thief (with his own Hyundai vehicle) for the project led by Curry and other Yuga Labs researchers.
Read more of the latest web security vulnerability news
Curry noted that recent cybersecurity research on vehicles tends to focus on cryptographic assaults on physical keys but that, novel exploits aside, the websites and apps supporting modern communication protocols and controls may have been overlooked.
For example, the Hyundai and Genesis mobile device apps allow authenticated users to manage functions, including starting or stopping and locking or unlocking their vehicles, which could be a serious problem if compromised.
Using Burp Suite, the researchers proxied app traffic and monitored API calls, seeking an entry point.
Curry explained that there appeared to be a ‘pre-flight’ check when JSON Web Tokens (JWTs) were generated during an app’s email/password credential check.
However, as the server did not require email address confirmation, it was possible to add a CRLF character to the end of an existing victim email address during registration and create an account that bypassed the JWT and email parameter check.
The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed his car had been remotely unlocked.
In the driver’s seat
In itself, the attack chain required many requests. The researchers, therefore, created a Python proof-of-concept (PoC) script compiling these steps – and according to a video of the script in action, an email address is all that is required to launch an attack.
Actions that the team carried out included:
● Remotely flashing the victim’s vehicle’s headlights.
● Honking the horn.
● Starting or stopping the engine.
● Locking or unlocking the car.
● Changing a PIN.
● Unlocking the boot.
Speaking to The Daily Swig, Curry said the vulnerability was disclosed to Hyundai roughly two months ago as part of a package of telematics issues impacting different car manufacturers related to SiriusXM remote management software.
As part of a coordinated vulnerability disclosure program, a fix was issued before the vulnerability was made public.
Fuel for thought
While Curry said the project was “mainly for fun”, commenting on the research, Specters said:
“I do want to highlight we started this research because we all recognized that embedded security for vehicles was getting increasingly better but application security was lagging behind by a large margin. We wanted to push that change and hope we did.”
YOU MAY ALSO LIKE Million-dollar bug bounties: The rise of record-breaking payouts