Connect with us

Hi, what are you looking for?

Cyber Security

Critical vulnerability allowed attackers to remotely unlock, control Hyundai, Genesis vehicles

Researchers have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car.

Yuga Labs staff security engineer Sam Curry reported the findings on a Twitter thread this week (November 29), noting that the bug allowed the team to “remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012”.

A bug bounty hunter under the moniker specters acted as a mock car thief (with his own Hyundai vehicle) for the project led by Curry and other Yuga Labs researchers.

Curry noted that recent cybersecurity research on vehicles tends to focus on cryptographic assaults on physical keys but that, novel exploits aside, the websites and apps supporting modern communication protocols and controls may have been overlooked.

For example, the Hyundai and Genesis mobile device apps allow authenticated users to manage functions, including starting or stopping and locking or unlocking their vehicles, which could be a serious problem if compromised.

Using Burp Suite, the researchers proxied app traffic and monitored API calls, seeking an entry point.

Curry explained that there appeared to be a ‘pre-flight’ check when JSON Web Tokens (JWTs) were generated during an app’s email/password credential check.

However, as the server did not require email address confirmation, it was possible to add a CRLF character to the end of an existing victim email address during registration and create an account that bypassed the JWT and email parameter check.

The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed his car had been remotely unlocked.

In the driver’s seat

In itself, the attack chain required many requests. The researchers, therefore, created a Python proof-of-concept (PoC) script compiling these steps – and according to a video of the script in action, an email address is all that is required to launch an attack.

Actions that the team carried out included:

● Remotely flashing the victim’s vehicle’s headlights.

● Honking the horn.

● Starting or stopping the engine.

● Locking or unlocking the car.

Advertisement. Scroll to continue reading.

● Changing a PIN.

● Unlocking the boot.

Speaking to The Daily Swig, Curry said the vulnerability was disclosed to Hyundai roughly two months ago as part of a package of telematics issues impacting different car manufacturers related to SiriusXM remote management software.

As part of a coordinated vulnerability disclosure program, a fix was issued before the vulnerability was made public.

Fuel for thought

While Curry said the project was “mainly for fun”, commenting on the research, Specters said:

“I do want to highlight we started this research because we all recognized that embedded security for vehicles was getting increasingly better but application security was lagging behind by a large margin. We wanted to push that change and hope we did.”

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/critical-vulnerability-allowed-attackers-to-remotely-unlock-control-hyundai-genesis-vehicles

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO