Two security researchers at Yuga Labs, Sam Curry and Brett Buerhaus, have discovered a security vulnerability affecting the vehicle telematics service used by Hyundai and Genesis cars which allows complete takeover using the vehicles’ remote control app. The researchers disclosed the bug on Twitter after working with Hyundai to develop a fix.
While most security research in the automotive industry generally revolves around cryptographic attacks trying to break into physical keys, with cars being connected to the internet more often, the attack vectors are increasing, and this bug is another example.
Further research revealed that the attack was also valid for Honda, Infinity, Acura and Nissan vehicles. All these manufacturers get these remote control infrastructures from SiriusXM, who fixed the issue immediately upon disclosure and validated their patch.
HTTP requests turn into car keys
Hyundai and Genesis apps allow authenticated users to start/stop or lock/unlock their vehicles remotely. Since the researchers had access to a Hyundai, they started by monitoring the app traffic generated by the app and observing the API calls.
After finding a simplified HTTP request that unlocks the car, the researchers discovered that the user’s email was being re-sent within the JSON body of the POST request. This doesn’t usually happen, as the server should be able to identify the user using the JSON Web Token (JWT) stored in the current authenticated session. This JWT is generated when the user logs in with the correct credentials hence authenticating themselves.
Further research revealed that the server was comparing the email sent in the JSON body of the request to the parsed email stored in the JWT. Additionally, since this was done on the actual request to unlock the car, bypassing this process can potentially unlock the vehicle and allow an attacker to control other operations.
Since Hyundai’s servers didn’t require users to verify their email address during account registration and included a regex that allowed for control characters in the email address, the attackers were able to register a new account by adding a CRLF character at the end of an already existing victim email address during registration. This allowed them to create an account that bypassed the JWT and email parameter comparison check.
At this point, the researcher had a similar account as the victim’s, the only difference being as follows:
The researchers tested this by sending an HTTP request to an API endpoint that listed all vehicles connected to an account using the attacker’s email address as the JWT email and the victim’s ID as the JSON parameter. The endpoint returned the victim’s VIN, indicating the attack was successful.
From there on, the attackers could unlock the car and essentially take over all the actions that the app allowed using this tampered JWT. Sending an HTTP request with the CRLF-appended victim account returned the “200 OK” status, indicating that the car had been unlocked.
Hyundai says no customer vehicles or accounts were accessed
Hyundai claims that other than the researchers own vehicles no other Hyundai cars or accounts were hacked. Nonetheless, the company has “implemented countermeasures” to enhance the security of vehicles and associated accounts.
“Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention. Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers,” Hyundai told Candid.Technology.
“We also note that in order to employ the purported vulnerability, the email address associated with the specific Hyundai account and vehicle, as well as the specific web script employed by the researchers, were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team’s assistance”