Hyundai App Bugs Allowed Hackers To Remotely Unlock, Start Cars (bleepingcomputer.com)
Vulnerabilities in mobile apps exposed Hyundai and Genesis car models made after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to "remotely unlock, start, locate, flash, and honk" them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.
The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.
Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan's app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target's vehicle identification number (VIN). The response to the unauthorized request contained the target's name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle's history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. [...] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.
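The two failures the summary describes are both authorization bugs: the Hyundai endpoint took the owner's identity from an attacker-controlled field in the request body and compared it loosely against the token, and the SiriusXM endpoint took nothing but a VIN. The model below is an added illustration, not Hyundai's, SiriusXM's or Yuga Labs' code; the exact comparison the real server performed is not public, so the "strip non-printables then compare" check, the account and vehicle records, and all names in the block are assumptions. It pairs each vulnerable handler with a hardened one that derives identity from the session, rejects control characters at sign-up, requires a verified address, and checks that the VIN is actually linked to the caller.

```python
"""Model of the two authorization failures described above (hypothetical
server logic; the lossy email comparison and all records are assumed)."""
import re

# Constructed sample records, not real customers or vehicles.
VIN = "1HGCM82633A004352"
VEHICLES = {VIN: {"owner": "alice@example.com", "name": "Alice",
                  "phone": "555-0100", "address": "1 Main St"}}
ACCOUNTS = {"alice@example.com": {"verified": True}}   # email -> account
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")          # C0/C1 control chars


class Denied(Exception):
    pass


def owner_vehicles(email):
    return {v for v, rec in VEHICLES.items() if rec["owner"] == email}


# ---- vulnerable side (assumed behaviour) -----------------------------------

def register_vulnerable(email):
    """No confirmation mail and the address is stored as typed, so
    'alice@example.com\\r' becomes a fresh account the attacker controls."""
    ACCOUNTS.setdefault(email, {"verified": False})
    return email  # identity later carried in the token


def command_vulnerable(token_email, body):
    """Assumed lossy check: non-printables are stripped before comparing the
    token email with the body email; the body email then picks the vehicle."""
    if CONTROL.sub("", token_email) != body["email"]:
        raise Denied("email mismatch")
    vins = owner_vehicles(body["email"])   # attacker-chosen owner
    if not vins:
        raise Denied("no vehicle")
    return {"sent": body["cmd"], "vins": sorted(vins)}


def telematics_vulnerable(body):
    """VIN-only endpoint: no caller identity, and the response leaks PII."""
    rec = VEHICLES[body["vin"]]
    return {"sent": body["cmd"], "name": rec["name"],
            "phone": rec["phone"], "address": rec["address"]}


# ---- hardened side ---------------------------------------------------------

def register_hardened(email):
    """Reject control characters, canonicalize, refuse duplicates, and start
    the account unverified; commands are refused until verify_email()."""
    if CONTROL.search(email) or email.count("@") != 1:
        raise ValueError("invalid address")
    canon = email.strip().lower()
    if canon in ACCOUNTS:
        raise ValueError("address already registered")
    ACCOUNTS[canon] = {"verified": False}
    return canon


def verify_email(email):
    ACCOUNTS[email]["verified"] = True


def command_hardened(session_email, body):
    """Identity comes only from the server-side session; any 'email' in the
    body is ignored, and the VIN must be linked to that identity."""
    acct = ACCOUNTS.get(session_email)
    if acct is None or not acct["verified"]:
        raise Denied("unauthenticated or unverified account")
    if body.get("vin") not in owner_vehicles(session_email):
        raise Denied("vehicle not linked to this account")
    return {"sent": body["cmd"], "vin": body["vin"]}


def run_demo():
    """Replay the attack against both sides; return what each allowed."""
    out = {}
    spoof = register_vulnerable("alice@example.com\r")
    out["vuln_email"] = command_vulnerable(
        spoof, {"email": "alice@example.com", "cmd": "unlock"})
    out["vuln_vin"] = telematics_vulnerable({"vin": VIN, "cmd": "unlock"})
    try:
        register_hardened("alice@example.com\r")
        out["hard_register"] = "accepted"
    except ValueError as exc:
        out["hard_register"] = str(exc)
    mallory = register_hardened("mallory@example.com")
    verify_email(mallory)
    try:
        command_hardened(mallory, {"email": "alice@example.com",
                                   "vin": VIN, "cmd": "unlock"})
        out["hard_vin"] = "allowed"
    except Denied as exc:
        out["hard_vin"] = str(exc)
    out["hard_owner"] = command_hardened("alice@example.com",
                                         {"vin": VIN, "cmd": "unlock"})
    return out


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, val)
```

Running the block shows the spoofed account unlocking the victim's car and the VIN-only endpoint returning name, phone and address, while the hardened path refuses the control-character sign-up, refuses a verified stranger's command for a VIN they do not own, and still lets the real owner through. The point to take away is that neither fix involves cryptography on the vehicle bus: the server simply has to stop trusting the request body for identity and check object ownership on every command.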
Clearly the solution is more encryption and DRM (Score:5, Interesting)
Tying everything on the car together to the internet is a horrible idea, even if the app brings convenience. The attack surface is enormous. When we point out what a bad idea all this is and how insecure, the companies double down on encryption and DRM on everything including sensors, ECUs and actuators. Which just inconveniences the owners, especially those that want to tweak their cars a bit. All without really increasing security for the car owners.
Surely there's a way to have a well-defined and secure interface (that can be turned off physically) to enable just enough access to do what the user wants to do, without exposing the entire car and without resorting to DRM from top to bottom? A way to protect the car's owner from bad guys but still let him own the car? But that's way too much to ask for.
Re:Clearly the solution is more encryption and DRM (Score:4)
That said this seems to be a very basic design defect that has little to do with DRM. There is no validation that the person registering the account is the owner. It would be simple to associate a telephone number and email with a car and have those required to validate the account and app. In the same way I need title and ID to get another key to my car.
Re: (Score:2)
None of the DRM or encryption on the car's local bus is worth a damn for security. That's just a go-to excuse manufacturers use when they want to deploy their next consumer hostile change.
Competent implementation and checking of cryptographic signatures combined with a little physical security and sensible CANbus design absolutely would help.
Re: (Score:3, Interesting)
> None of the DRM or encryption on the car's local bus is worth a damn for security
Well considering it's possible to hack some cars through the tire pressure sensors while they're driving [arstechnica.com] I'd say maybe some internal network encryption might not be entirely useless.
=Smidge=
Re: (Score:2)
No need for encryption. Just a filter on the tire pressure sensors so they can't inject arbitrary commands and read arbitrary data.
At most, signature based authentication.
Re: (Score:2)
Surely there's a way to have a well-defined and secure interface (that can be turned off physically) to enable just enough access to do what the user wants to do, without exposing the entire car and without resorting to DRM from top to bottom?
Or just make cars to be cars and not smart devices on wheels? There's absolutely no reason I need to unlock my car unless I'm already physically standing next to it, nor do I need to honk the horn or flash the lights when I'm not operating the vehicle. I'm glad my current vehicle is free from that unnecessary cruft.
I get that people who live in climates where it gets cold this time of year like having a remote start option so they can enter a warm car, but we've had remote starters for decades without eve
Re: (Score:2)
Just because you don't find value in some features doesn't mean others won't. There are other people that might find uses for things like honking and flashing the lights (forgotten parking location), remote start outside line-of-sight proximity, unlocking the doors from home because your daughter locked the keys inside, remote tire pressure check so you can plan a stop at the tire store to get them filled, or turning on the inside lights in a dark parking lot before unlocking the doors.
The issue here is the
Re: (Score:2)
Just because you don't find value in some features doesn't mean others won't.
True as this may be, I submit that the bigger issue is that it's getting harder to get a vehicle *without* these features, and that there doesn't seem to be a means by which buyers can opt into having a 'dumb car' by physically removing the cellular modem. Availability is one thing, but mandate is something else. I'm not even sure it's possible to get an EV without this crap, as much as I'd love to.
There are other people that might find uses for things like honking and flashing the lights (forgotten parking location)
A solved problem for decades. Extremely large shopping malls or universities might be prohibitively large, but
missed that oil change at the dealer = limp mode (Score:2)
missed that oil change at the dealer = car locked into limp mode
that is what encryption and DRM will get you in the cars.
And map updates that will be $299 a year.
So what you're saying is . . . (Score:5, Informative)
the more complicated you make something, the easier it is to break.
I'm guessing the days of either using a physical key or a remote are long gone. After all, why go through one step to unlock your car when you can take five or seven steps with an intermediary.
Re: (Score:2)
This is more akin to building a house and not putting a lock on the front door.
And this isn't even the first time a car brand got attacked similarly.
Nissan had the same issues years ago. It took months between the discovery of the vulnerability and for Nissan to fix it.
Re: (Score:2)
Although I do hate keyless entry and ignition, mainly since it makes the keyfob very expensive and subject to water damage, and more importantly - what is the point anyway.
the more complicated you make something, the easier it is to break.
This is not even the case in this situation, by today's IT standards authenticated remote requests are old and well understood technology. REST API is how old? Early 2000s.
This is a clear case of incompetence.
shocker (Score:3)
I think I am done with products from Korean-based companies for a little while. In the last 10 years I have owned a brand new Kia, various electronics and appliances from Samsung and LG, and even worked failure analysis for a Korean-based music corporation (in the digital music group).
The design of the products has been good to great, as well as the materials, and fit and finish. My god, the quality control though, it's just death from a thousand dumbshit problems, especially the appliances and the car. So no, I am not surprised that Hyundai has some dumb shit little oopsie issues that can be easily corrected, but never should have been there in the first place; it's the same company who sold me a brand new car and before 40,000 miles the entire ignition system and gas tank were replaced by the dealer due to complete failure.
Meanwhile the washing machine is on the fritz again, waiting on a board ... and my 20 year old store-branded Electrolux is at my sister-in-law's washing clothes and has never had maintenance, let alone repair.
Literally everything I have ever bought that had a LG logo on it has died prematurely. It is just garbage, and has always been garbage, and I'm completely at a loss as to how it became popular in the first place. Even my Nexus 4 (LG E960) suffered digitizer failure and was too expensive to be worth repairing.
Meanwhile practically every Hyundai ever made has had to be recalled for something seriously life-threatening, mostly fuel system fire risks.
A friend of mine had a Ford Aspire, which was a rebadged Kia.
Back in the day... (Score:2)
My girlfriend drove a Hyundai Pony.
There were only 10 different key cuts
for all the OMG Ponies!!
I once watched her help
an anonymous stranger
by turning off the car's headlights.
Re: (Score:3)
Here's the all-weather railroad version of the Sargent & Greenleaf padlock [youtu.be] with only 27 potential keys possible, and only about 10-12 of those keys are actually used in the field.
Re: (Score:2)
My 1943 Dodge WC52 doesn't have a key so when you leave it in public you just take out the distributor cap.
Re: (Score:2)
Most cars have had few cuts until recently. For example Ford used to use a key with 10 lands, but only 5 were used for ignition and 5 for the door, and the middle two lands were all the same. However, that still leaves 4^5 possible combinations for each of the door and ignition locks (since there are 5 pin lengths) so the conclusion is that some automakers are just pathetically lax on security. These days most keys seem to be moving away from teeth on the outside, to the kind with the channel cut in the sid
I've worked in security for over 20 years (Score:2)
Bought a 2022 Ford (Score:2)
Re: (Score:2)
So there's always some connection to the (phone) net.