Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles.
Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM “smart vehicle” platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infinity) that allowed them to “remotely unlock, start, locate, flash, and honk” them.
The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles.
After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation.
They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests.
Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end.
Finally, they sent an HTTP request to Hyundai’s endpoint containing the spoofed address in the JSON token and the victim’s address in the JSON body, bypassing the validity check.
To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked.
The multi-step attack was eventually baked into a custom Python script, which only needed the target’s email address for the attack.
Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a python script which only needed the victim’s email address. After inputting this, you could then execute all commands on the vehicle and takeover the actual account. pic.twitter.com/Bz5G5ZvHro
— Sam Curry (@samwcyo) November 29, 2022
SiriusXM is, among other things, a vehicle telematics service provider used by more than 15 car manufacturers The vendor claims to operate 12 million connected cars that run over 50 services under a unified platform.
Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features.
They inspected the network traffic from Nissan’s app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target’s vehicle identification number (VIN).
The response to the unauthorized request contained the target’s name, phone number, address, and vehicle details.
Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle’s history.
In addition to information disclosure, the requests can also carry commands to execute actions on the cars.
BleepingComputer has contacted Hyundai and SiriusXM to ask if the above issues have been exploited against real customers but has not received a reply by publishing time.
Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.