Vulnerabilities were found in the remote-control applications for the Hyundai and Genesis brands and in applications built on the SiriusXM platform (the Hyundai, Genesis and Acura applications run on it). Using them, attackers could gain access to several essential functions of a car, including remote door opening, engine start and climate control. This was reported by Dark Reading, citing researchers from Yuga Labs, who published their findings in a series of tweets.
Examples include the MyHyundai and MyGenesis apps, which work with cars manufactured after 2012. These applications call APIs that match the owner's email address against various user credentials. It turned out that this matching is relatively easy to bypass:
If you add a CRLF character to the end of the victim’s pre-existing email address during registration, you can create an account that bypasses the email parameter comparison check.
Sam Curry
Yuga Labs Specialist
As a result, as soon as the researchers appended a couple of characters to the registered email address, giving it the form <victim's email address>%0d, the app gave them access to the car even though the data did not match. The researchers could open the car, start its engine, play with the climate control, open the trunk, and much more.

The researchers then automated all the manual steps with a Python bot: with nothing more than a victim's email address, they could access that person's car.
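The bug class behind this bypass is two code paths that normalize the same input differently: the registration check sees a "new" string, while the vehicle lookup trims it and sees the owner. The following is an added, constructed illustration (not the MyHyundai or MyGenesis code; the owner address, VIN and in-memory database are placeholders) showing that inconsistency next to a hardened version that canonicalizes once at the trust boundary and rejects control characters outright.

```python
"""Constructed illustration of the bug class behind the email-comparison bypass:
two code paths normalize the email differently, so a string that is "new" to one
check is "the owner" to the other.  Not the apps' actual code."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Backend:
    owners: dict                  # canonical email -> VIN (constructed sample data)
    accounts: set = field(default_factory=set)


def fresh_db() -> Backend:
    owners = {"owner@example.com": "VIN-PLACEHOLDER-0001"}   # placeholder owner and VIN
    return Backend(owners=owners, accounts=set(owners))


# --- weak design: each path does its own (different) normalization -------------
def weak_register(db: Backend, email: str) -> bool:
    """Uniqueness check on the raw string: 'owner@example.com\\r' looks like a new user."""
    if email in db.accounts:
        return False
    db.accounts.add(email)
    return True


def weak_vehicle_for(db: Backend, email: str):
    """Vehicle lookup trims and lowercases first, so the same string now matches the owner."""
    return db.owners.get(email.strip().lower())


def weak_flow(db: Backend, submitted: str):
    """Simulates: HTTP layer URL-decodes (%0d -> '\\r'), then register, then look up the car.
    Returns (account_created, vin_reachable)."""
    email = unquote(submitted)
    if not weak_register(db, email):
        return (False, None)
    return (True, weak_vehicle_for(db, email))


# --- hardened design: canonicalize once at the boundary, reject control characters
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_EMAIL_SYNTAX = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def canonical_email(raw: str):
    """Return the single canonical form, or None if the input is not a plain address."""
    if _CONTROL_CHARS.search(raw):          # CR, LF, NUL, ... are never part of an address
        return None
    s = raw.strip().lower()
    return s if _EMAIL_SYNTAX.fullmatch(s) else None


def safe_flow(db: Backend, submitted: str):
    """Same flow, but every check compares the one canonical form."""
    email = canonical_email(unquote(submitted))
    if email is None or email in db.accounts:
        return (False, None)                # rejected, or already claimed
    db.accounts.add(email)
    return (True, db.owners.get(email))     # a genuinely new account owns nothing -> None
```

The point of `canonical_email` is not the particular regex but that it runs once, before any comparison, and that its output is what both the uniqueness check and the ownership lookup see; any path that re-normalizes on its own reopens the gap.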
But that was not all. Yuga Labs specialists went on to describe hacking cars via the SiriusXM platform, which hosts applications from brands such as Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. Here, too, things turned out to be quite simple: to hack a car, you only need to know the VIN of the victim's car.
Researchers use vehicle VINs as the primary key for customer ID. With it, researchers send POST requests to create a bearer token. This allows administrative control over the issuance of other vehicle requests.
Connor Ivens
Competitive Intelligence Security Manager at Tanium
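The lesson from the second finding is that a VIN is an identifier, not a secret: it is visible through the windshield and in sale listings, so a token issued on the strength of a VIN alone is a token anyone can obtain. The following is an added example (my own, not SiriusXM's or Yuga Labs' code; the HMAC key, account names and VINs are placeholders) of how a back end can bind a bearer token to an authenticated owner and to a single VIN, and re-check ownership when a command is executed.

```python
"""Constructed illustration of binding vehicle-command tokens to an authenticated
owner rather than to a VIN alone.  Not the SiriusXM platform's code; the secret,
fleet data and VINs are placeholders."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SECRET = b"constructed-demo-key-not-for-production"   # assumption: a server-side HMAC key


@dataclass
class Fleet:
    owners: dict                      # VIN -> account id (constructed sample data)


def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def issue_token(fleet: Fleet, requester: str, vin: str):
    """Mint a token only for an authenticated requester who owns the VIN.
    Knowing the VIN is not enough: the requester identity comes from the
    already-authenticated session, and the VIN is bound into the signed claims."""
    if fleet.owners.get(vin) != requester:
        return None
    body = json.dumps({"sub": requester, "vin": vin, "jti": secrets.token_hex(8)},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_token(token: str):
    """Return the claims if the signature checks out, else None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def authorize_command(fleet: Fleet, token: str, vin: str) -> bool:
    """Gate a vehicle command: the token must be valid, must name this exact VIN,
    and its subject must still own the VIN (ownership can change after issuance)."""
    claims = verify_token(token)
    if claims is None or claims.get("vin") != vin:
        return False
    return fleet.owners.get(vin) == claims.get("sub")
```

Two properties do the work here: the token is never minted without an ownership check against an authenticated subject, and the command endpoint compares the VIN in the request with the VIN inside the signed token, so a legitimate token for one car cannot be replayed against another.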
Both vulnerabilities were reported to the application developers. Yuga Labs specialists worked with them on a fix, after which details of the vulnerabilities were published.