
Hyundai vulnerability allowed remote hacking of locks, engine

Researchers discovered flaws in a number of apps linked to car brands that exposed personal details and allowed remote control of vehicles using easily obtained IDs

Security researchers have discovered a vulnerability affecting Hyundai and Genesis cars, which would have allowed hackers to remotely control functions such as the door locks and engine. 

The exploit impacts cars by Hyundai and Genesis released since 2012 and targets a weakness in the use of insecure vehicle data in mobile apps intended for use by the owners of the vehicles.

The API calls used to control the locks, horn, engine, headlights, and boot controls of cars were easily exploitable, and could be reverse engineered to give hackers full remote access to the car's functions, the researchers said.

In a thread on Twitter, bug bounty hunter Sam Curry explained the process in full. Within the affected apps, functionality like locking and unlocking the user’s car was secured behind an access token: a JSON Web Token (JWT) generated from an authenticated email account and checked against the HTTP request made in the app and the car’s vehicle identification number (VIN).

However, the regular expression (regex) used to accept email strings as valid allowed for the inclusion of special characters. Curry and fellow researchers quickly discovered that by appending a carriage return line feed (CRLF) sequence to the end of an email address that already existed on the system, they could send an HTTP request to a secure endpoint. The response contained a list of vehicles registered to the given address, allowing for the VINs of any chosen customer to be harvested.
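The validation gap described above can be closed on the server side. The following is an added example, not code from the affected apps or from the researchers: the permissive pattern is a constructed stand-in (the real regex is not given here), and `canonical_email`, `authorize`, the registry layout and the sample VIN are hypothetical names and values chosen for illustration.

```python
import re
import unicodedata

# Constructed stand-in for a permissive check (the real pattern is not published):
# "[^@]+" admits control characters, so a trailing CR/LF still passes.
PERMISSIVE = re.compile(r"^[^@]+@[^@]+\.[^@]+$")

# Hardened pattern: explicit ASCII allow-list, applied with fullmatch().
STRICT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def permissive_accepts(raw: str) -> bool:
    """Behaviour of the weak check: True if the stand-in pattern matches."""
    return PERMISSIVE.match(raw) is not None


def canonical_email(raw: str) -> str:
    """Return the lower-cased address, or raise ValueError if it is not clean."""
    # Reject every Unicode "C" category code point (CR, LF, NUL, format chars).
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        raise ValueError("control character in email")
    if len(raw) > 254 or not STRICT.fullmatch(raw):
        raise ValueError("email does not match allow-list")
    return raw.lower()


def authorize(token_email: str, request_email: str, vin: str, registry: dict) -> bool:
    """Allow a vehicle command only if the token identity, the request identity
    and the VIN's registered owner are the same canonical address."""
    try:
        token_id = canonical_email(token_email)
        request_id = canonical_email(request_email)
    except ValueError:
        return False
    if token_id != request_id:
        return False
    # Ownership is looked up from the token identity, never from request input.
    return vin in registry.get(token_id, set())


# Constructed sample data: one account with one placeholder VIN.
REGISTRY = {"owner@example.com": {"SAMPLEVIN00000001"}}

if __name__ == "__main__":
    print(permissive_accepts("owner@example.com\r\n"))
    print(authorize("owner@example.com\r\n", "owner@example.com",
                    "SAMPLEVIN00000001", REGISTRY))
```

Rejecting the malformed address outright, rather than stripping the extra characters and continuing, keeps two different strings from ever resolving to the same account.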

Using the faked JWT, the researchers sent an unlock vehicle request to a car owned by a collaborator, and received “200 OK” back at the same time as the car's locks responded to the request.

Once the manual process had been figured out, the researchers were able to massively reduce the steps a threat actor would have to take, using a simple script written in Python. Using this, all that was required was the victim’s email address to gain access to their car, and commands could be run entirely within the program.

"Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention," a Hyundai spokesperson told IT Pro.

"Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers. 

"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team’s assistance."

Earlier in the year, Curry and other researchers stress-tested a number of similar telematics apps, with the common link of developer SiriusXM Connected Vehicle Services (SiriusXM), as outlined in a subsequent Twitter thread.

“We take the security of our customers’ accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms," a Sirius XM Connected Vehicle Services spokesperson told IT Pro.

"As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorised account modified using this method.”

SiriusXM provides connected vehicle systems for cars from a number of household automotive brands. Researchers discovered that, using only the VIN of a customer’s car, it was possible not only to remotely activate vehicle features but also to fetch a customer’s user profile within the NissanConnect app. This contained details including the victim’s name, phone number, and address. Similar vulnerabilities were replicated in the apps of Honda, Infiniti, FCA, and Acura.

Derek Abdine, CEO at artificial intelligence (AI) company furl, responded to Curry with the claim that VINs are widely available on dealership websites.

All vulnerabilities were reported to the relevant companies, which have patched the vulnerabilities.

Concerns around the vulnerability of cars that connect to apps have been around for years. In 2016, the FBI warned connected cars can be hacked, and particularly stressed the risk posed by cars that connect to mobile devices. The same year, Chinese hackers remotely targeted a Tesla, with security researchers at Tencent’s Keen Labs passing the details of the successful attack on to the EV firm to patch.

This article originally stated that Hyundai cars could be accessed without the need for a victim's email address. This was inaccurate, and the article has now been updated to reflect this.
