
Hyundai App Bugs Allowed Hackers To Remotely Unlock, Start Cars (bleepingcomputer.com) 29

Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to "remotely unlock, start, locate, flash, and honk" them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan's app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target's vehicle identification number (VIN). The response to the unauthorized request contained the target's name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle's history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. [...] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.
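
The email check described in the summary, as an added example that is not from the BleepingComputer report or the researchers' script. The report does not show the server code, so `weak_authorize` is an assumed pattern that reproduces the described behaviour (a look-alike address with a trailing control character passing the token/body comparison), and `register` and `strict_authorize` show the corrected form; the account store, function names and VIN placeholder are all constructed.

```python
import unicodedata

# Constructed sample store (hypothetical schema, not the vendor's).
ACCOUNTS = {
    "owner@example.com": {"verified": True, "vehicles": {"VIN-PLACEHOLDER-1"}},
}

def has_control_chars(s):
    """True if s holds any control, format or separator character."""
    return any(unicodedata.category(c)[0] in ("C", "Z") for c in s)

def weak_authorize(token_email, body_email, vin, accounts=ACCOUNTS):
    """Assumed flawed pattern: compare cleaned-up strings, then trust the body."""
    if token_email.strip().lower() != body_email.strip().lower():
        return False
    acct = accounts.get(body_email.strip().lower())
    return bool(acct and vin in acct["vehicles"])

def register(email, accounts):
    """Hardened registration: exact canonical address, unverified until confirmed."""
    if has_control_chars(email) or email.count("@") != 1:
        raise ValueError("invalid email address")
    key = email.lower()
    if key in accounts:
        raise ValueError("address already registered")
    accounts[key] = {"verified": False, "vehicles": set()}
    return key

def strict_authorize(token_email, body_email, vin, accounts=ACCOUNTS):
    """Hardened check: identity comes from the token and must match exactly."""
    if has_control_chars(token_email) or token_email != body_email:
        return False
    acct = accounts.get(token_email)
    return bool(acct and acct["verified"] and vin in acct["vehicles"])

if __name__ == "__main__":
    lookalike = "owner@example.com\n"  # constructed: owner address + control char
    owner, vin = "owner@example.com", "VIN-PLACEHOLDER-1"
    print("weak  :", weak_authorize(lookalike, owner, vin))
    print("strict:", strict_authorize(lookalike, owner, vin))
    print("owner :", strict_authorize(owner, owner, vin))
```

The hardened path closes both gaps the summary names: registration refuses the look-alike address and leaves new accounts unverified, and authorization never cleans up a string before comparing it.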

  • by caseih ( 160668 ) on Thursday December 01, 2022 @07:11PM (#63095496)

    Tying everything on the car together to the internet is a horrible idea, even if the app brings convenience. The attack surface is enormous. When we point out what a bad idea all this is and insecure, the companies double down on encryption and DRM on everything including sensors, ECUs and actuators. Which just inconveniences the owners, especially those that want to tweak their cars a bit. All without really increasing security for the car owners.

    Surely there's a way to have a well-defined and secure interface (that can be turned off physically) to enable just enough access to do what the user wants to do, without exposing the entire car and without resorting to DRM from top to bottom? A way to protect the car's owner from bad guys but still let him own the car? But that's way too much to ask for.

    • On my older car, the app can open the car. I am not sure how the app is secure or can prevent others from opening the car. Only the very newer cars have remote start due to the incredible security exposure. I am told by people I know who repossess cars that my marque is known for being very hard to start without a key.

      That said this seems to be a very basic design defect that has little to do with DRM. There is no validation that the person registering the account is the owner. It would be simple to associate a telephone number and email with a car and have those required to validate the account and app. In the same way I need title and ID to get another key to my car.

    • by sjames ( 1099 )

      None of the DRM or encryption on the car's local bus is worth a damn for security. That's just a go-to excuse manufacturers use when they want to deploy their next consumer hostile change.

      Competent implementation and checking of cryptographic signatures combined with a little physical security and sensible CANbus design absolutely would help.

    • Surely there's a way to have a well-defined and secure interface (that can be turned off physically) to enable just enough access to do what the user wants to do, without exposing the entire car and without resorting to DRM from top to bottom?

      Or just make cars to be cars and not smart devices on wheels? There's absolutely no reason I need to unlock my car unless I'm already physically standing next to it, nor do I need to honk the horn or flash the lights when I'm not operating the vehicle. I'm glad my current vehicle is free from that unnecessary cruft.

      I get that people who live in climates where it gets cold this time of year like having a remote start option so they can enter a warm car, but we've had remote starters for decades without eve

      • Just because you don't find value in some features doesn't mean others won't. There are other people that might find uses for things like honking and flashing the lights (forgotten parking location), remote start outside line-of-sight proximity, unlocking the doors from home because your daughter locked the keys inside, remote tire pressure check so you can plan a stop at the tire store to get them filled, or turning on the inside lights in a dark parking lot before unlocking the doors.

        The issue here is the

        • Just because you don't find value in some features doesn't mean others won't.

          True as this may be, I submit that the bigger issue is that it's getting harder to get a vehicle *without* these features, and that there doesn't seem to be a means by which buyers can opt into having a 'dumb car' by physically removing the cellular modem. Availability is one thing, but mandate is something else. I'm not even sure it's possible to get an EV without this crap, as much as I'd love to.

          There are other people that might find uses for things like honking and flashing the lights (forgotten parking location)

          A solved problem for decades. Extremely large shopping malls or universities might be prohibitively large, but

    • missed that oil change at the dealer = car locked into limp mode
      that is what encryption and DRM will get you in the cars.
      And what maps updates that will be $299 year.

  • by quonset ( 4839537 ) on Thursday December 01, 2022 @07:18PM (#63095512)

    the more complicated you make something, the easier it is to break.

    I'm guessing the days of either using a physical key or a remote are long gone. After all, why go through one step to unlock your car when you can take five or seven steps with an intermediary.

    • This is more akin to building a house and not putting a lock on the front door.
      And this isn't even the first time a car brand got attacked similarly.

      Nissan had the same issues years ago. It took months between the discovery of the vulnerability and for Nissan to fix it.

    • The people who figured this out could defeat the key in about a minute flat.

      Although I do hate keyless entry and ignition, mainly since it makes the keyfob very expensive and subject to water damage, and more importantly - what is the point anyways.

    • by EvilSS ( 557649 )
      Considering you can steal Hyundai/Kia vehicles with traditional keys with nothing more than the end of a USB cable maybe it is not the complexity but just a shitty engineering culture at the company.
    • by sinij ( 911942 )

      the more complicated you make something, the easier it is to break.

      This is not even the case in this situation, by today's IT standards authenticated remote requests are old and well understood technology. REST API is how old? Early 2000s.

      This is a clear case of incompetence.

  • by Osgeld ( 1900440 ) on Thursday December 01, 2022 @07:44PM (#63095558)

    I think I am done with products from Korean based companies for a little while, in the last 10 years I have owned a brand new Kia, various electronics and appliances from Samsung and LG, and even worked failure analysis for a Korean based music corporation (in the digital music group)

    The design of the products have been good to great, as well as the materials, and fit and finish. My god, the quality control though, it's just death from a thousand dumbshit problems, especially the appliances and the car. So no I am not surprised that Hyundai has some dumb shit little oopsie issues that can be easily corrected, but never should have been there in the first place, it's the same company who sold me a brand new car and before 40,000 miles the entire ignition system and gas tank were replaced by the dealer due to complete failure.

    Meanwhile the washing machine is on the fritz again, waiting on a board ... and my 20 year old store branded Electrolux is at my sister-in-law's washing clothes and has never had maintenance, let alone repair.

    • In contrast, my first Hyundai Elantra had 235k miles or more - it was a few years ago and I can't recall the exact number - before I hit a deer and totaled it. Before the deer, maintenance was just the typical tires and oil changes. Our second Elantra now has 135K miles, and the brake lines did rust out - bad drainage from the underbody shielding - but I'm gonna hang on to it as long as I can. My Maytag dryer - bought in 2000 - needed a new set of roller wheels a few years ago, and recently had a thermos
    • Literally everything I have ever bought that had a LG logo on it has died prematurely. It is just garbage, and has always been garbage, and I'm completely at a loss as to how it became popular in the first place. Even my Nexus 4 (LG E960) suffered digitizer failure and was too expensive to be worth repairing.

      Meanwhile practically every Hyundai ever made has had to be recalled for something seriously life-threatening, mostly fuel system fire risks.

      A friend of mine had a Ford Aspire, which was a rebadged Kia.

      • Yep, LG is the worst. I purchased 4 LG monitors about 10 years ago. 2 years later 3 of them died within days of each other and the 4th a month later. Never again LG, never again. Samsung is on my list too. I made the mistake of purchasing a few major appliances from them. Absolute crap. They are literally falling apart after just a few years. I purchased them because the Samsung electronics I own were pretty good. The brand is now dead to me.
  • My girlfriend drove a Hyundai Pony.

    There were only 10 different key cuts

    for all the OMG Ponies!!

    I once watched her help

    an anonymous stranger

    by turning off the car's headlights.

    • by imidan ( 559239 )
      When I was a kid, I was out one day with a relative who drove a Toyota Tercel. We came out of some shop and walked to what we thought was her car -- same color, make, model. She unlocked it with her key and we got in, and it took us both a moment to realize we were in someone else's car. Point being, I guess, car locks have never been all that secure. At the time, you could've picked, say, the most popular model of car and gotten a few keys, then just wandered around stealing them if one of your keys happen
      • Here's the all-weather railroad version of the Sargent & Greenleaf padlock [youtu.be] with only 27 potential keys possible, and only about 10-12 of those keys are actually used in the field.

      • by Teun ( 17872 )
        It can be so easy.
        My 1943 Dodge WC52 doesn't have a key so when you leave it in public you just take out the distributor cap.
    • Most cars have had few cuts until recently. For example Ford used to use a key with 10 lands, but only 5 were used for ignition and 5 for the door, and the middle two lands were all the same. However, that still leaves 4^5 possible combinations for each of the door and ignition locks (since there are 5 pin lengths) so the conclusion is that some automakers are just pathetically lax on security. These days most keys seem to be moving away from teeth on the outside, to the kind with the channel cut in the sid

  • And in that time I've encountered only two companies that actually cared about security, one was a point of sale terminal manufacturer and the other was a stuffed toy maker. All the rest just cared about not being blamed for security problems. The point of sale terminal maker's devices were more expensive and slightly harder to service and I think this is one reason they are less successful than their competitors. Good security is hard to demonstrate and doesn't sell. An easy way to know if a company ha
  • When completing the paperwork, the sales guy was nutzo about me signing up for the FordPass app and all the remote shit they try to pile on the car. I couldn't stop laughing when I asked exactly what remote feature would be of any use to me. His answer was remote door unlock and starting, plus "helpful reminders about service needed on the car". First of all, when you are selling a new car, telling the customer that they will NEED reminders about ALL the service the car requires, that is not a good look!
    • by Teun ( 17872 )
      Hmm, the EU regulations demand a car can automatically call the emergency services (112) after a major crash.
      So there's always some connection to the (phone) net.
