
Researchers from Yuga Labs have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car.
A bug bounty hunter under the moniker _specters_ acted as a mock car thief for the researchers' project.
The Hyundai and Genesis mobile apps let authenticated users control vehicle functions, including starting or stopping the engine and locking or unlocking the vehicle, so a compromise of that access could be a serious problem.
The researchers proxied the app traffic through Burp Suite and monitored the API calls, looking for an entry point. They explained that there appeared to be a ‘pre-flight’ check when JSON Web Tokens (JWTs) were generated during the app’s email/password credential check.
Because the server did not require email address confirmation, it was possible to append a CRLF (carriage return, line feed) sequence to an existing victim’s email address during registration and create an account that bypassed the JWT and email parameter check.
The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed his car had been remotely unlocked.
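A defensive sketch of the registration weakness described above, added here as an example and not taken from Hyundai's code or the researchers' write-up. It assumes a server that checks uniqueness on the raw string but trims whitespace in a later lookup, and shows a canonicalise-and-reject check that refuses the padded address; `canonical_email`, `NaiveRegistry`, `StrictRegistry` and the sample address are hypothetical.

```python
import unicodedata

FORBIDDEN = {"Cc", "Cf", "Zs", "Zl", "Zp"}  # control, format, separator

class InvalidEmail(ValueError):
    """Address refused at the registration boundary."""

def canonical_email(raw):
    """Return the one canonical form; odd characters are rejected, never stripped."""
    if not isinstance(raw, str) or not 3 <= len(raw) <= 254:
        raise InvalidEmail("bad type or length")
    value = unicodedata.normalize("NFKC", raw).casefold()
    if any(unicodedata.category(ch) in FORBIDDEN for ch in value):
        raise InvalidEmail("control or whitespace character in address")
    local, sep, domain = value.rpartition("@")
    if not sep or not local or "@" in local or "." not in domain:
        raise InvalidEmail("not an address")  # deliberately strict policy
    return value

class NaiveRegistry:
    """Assumed model of the weakness: exact-match uniqueness, trimmed lookup."""
    def __init__(self):
        self.accounts = {}
    def register(self, email, owner):
        if email in self.accounts:
            raise ValueError("already registered")
        self.accounts[email] = owner
    def owners(self, email):
        return sorted(o for e, o in self.accounts.items() if e.strip() == email)

class StrictRegistry(NaiveRegistry):
    """Canonicalise once at the boundary so every check sees the same key."""
    def register(self, email, owner):
        super().register(canonical_email(email), owner)
    def owners(self, email):
        key = canonical_email(email)
        return [self.accounts[key]] if key in self.accounts else []

def demo():
    victim = "owner@example.test"   # constructed sample address
    padded = victim + "\r\n"        # trailing CRLF, as in the article
    naive, strict = NaiveRegistry(), StrictRegistry()
    naive.register(victim, "alice")
    naive.register(padded, "second-account")  # accepted: raw strings differ
    strict.register(victim, "alice")
    try:
        strict.register(padded, "second-account")
    except InvalidEmail:
        return naive.owners(victim), strict.owners(victim), True
    return naive.owners(victim), strict.owners(victim), False
```

In the naive model two accounts resolve to the same address, while the strict registry refuses the second registration outright.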
Actions that the team carried out included:
● Remotely flashing the headlights of the victim’s vehicle.
● Honking the horn.
● Starting or stopping the engine.
● Locking or unlocking the car.
● Changing a PIN.
● Unlocking the boot.
The researcher said the vulnerability was disclosed to Hyundai roughly two months ago as part of a package of telematics issues, related to SiriusXM remote management software, that impact different car manufacturers. As part of a coordinated vulnerability disclosure program, a fix was issued before the vulnerability was made public.