Curry and his team discovered they could also access the profile data of owners of cars that depend on SiriusXM’s remote vehicle management system. This data includes their names, phone numbers, addresses, and other details. Curry said they reported the bugs to Hyundai and SiriusXM. Both companies have released patches to fix the respective bugs. These vulnerabilities affect all connected Hyundai and Genesis cars made after 2012 and cars that use SiriusXM’s connected car services. All a threat actor would have needed to take control of these cars was the owner’s email address (for the Hyundai and Genesis bug) or the vehicle identification number (VIN) (for the SiriusXM bug).
Hyundai and Genesis Bug
While scanning Hyundai’s mobile app and capturing traffic data, Curry and his team found an irregularity in the way the app handles access tokens and user email authentication. “By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check!” Curry explained on Twitter on Tuesday. Conducting tests on a Hyundai app, they modified the email parameter and found that they could pull data on vehicles connected to the account and even access the target’s VIN. With this access, they could also unlock a vehicle linked to the account. “Since exploiting this involved many steps, we took all the requests necessary to exploit this and put it into a python script which only needed the victim’s email address. After inputting this, you could then execute all commands on the vehicle and takeover the actual account,” Curry wrote. This allowed them to control the car’s engine, locks, headlight, horn, and trunk remotely.
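The class of flaw described above, a registration and token check that treats an address with trailing control characters as a different identity, is illustrated below with its hardened counterpart. This is an added example, not Hyundai's code or the researchers' script; the function names, the in-memory account store and the case-insensitive comparison policy are assumptions made for illustration.

```python
import hmac
import unicodedata

def canonical_email(raw: str) -> str:
    """Canonical form used for storage and for every comparison; raises ValueError."""
    email = unicodedata.normalize("NFKC", raw)
    for ch in email:
        # Reject CR, LF, NUL, other control/format characters and any whitespace.
        if unicodedata.category(ch).startswith("C") or ch.isspace():
            raise ValueError(f"illegal character {ch!r} in email")
    local, sep, domain = email.partition("@")
    if not (local and sep and domain) or "@" in domain:
        raise ValueError("malformed email")
    # Policy assumption: addresses are compared case-insensitively.
    return email.casefold()

def register_naive(accounts: set, email: str) -> bool:
    """Weak pattern: uniqueness is decided on the raw, unvalidated string."""
    if email in accounts:
        return False
    accounts.add(email)
    return True

def register_strict(accounts: set, email: str) -> bool:
    """Hardened pattern: validate first, then decide uniqueness on the canonical form."""
    try:
        key = canonical_email(email)
    except ValueError:
        return False
    if key in accounts:
        return False
    accounts.add(key)
    return True

def token_matches_request(token_email: str, request_email: str) -> bool:
    """Token claim and request parameter must be identical once canonicalized."""
    try:
        a, b = canonical_email(token_email), canonical_email(request_email)
    except ValueError:
        return False
    return hmac.compare_digest(a.encode(), b.encode())

if __name__ == "__main__":
    existing = {"victim@example.com"}          # constructed sample account store
    lookalike = "victim@example.com\r\n"       # same address with a trailing CRLF
    print(register_naive(set(existing), lookalike))   # True: second account created
    print(register_strict(set(existing), lookalike))  # False: rejected
```

The same canonicalization function has to be used at registration, at login and wherever a token claim is compared with a request parameter; a mismatch between those code paths is what lets two strings that look identical to one component count as different to another.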
Bug in SiriusXM’s Remote Vehicle Management System
On Wednesday, Curry revealed that earlier this year, his team also discovered another vulnerability affecting more cars. This bug affects all cars that depend on SiriusXM’s connected vehicle services, including Honda, Fiat, Chrysler, Nissan, Infiniti, and Acura. Conducting tests on a Nissan app, the researchers found that by using a VIN to replace one of the parameters in an HTTP request, they could access a user’s profile. Curry and his team created a Python script to test this exploit and found they could execute commands to control the vehicle. This includes remotely unlocking, locating, and starting it. They could also flash the lights and honk the horn. “We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim’s VIN number, something that was on the windshield,” Curry stated. “SiriusXM owned the asset the request was going through and fixed the vuln immediately. It also looks like the Nissan app is going through some iterative changes and is continuously evolving adding on additional layers of security which I am very happy with,” Twitter user @specters, who is part of the team that discovered the bugs, tweeted on Wednesday.
The Threat to Connected Vehicles
Along with their immense benefits, connected vehicles also come with cybersecurity risks. Their dependence on Bluetooth technology and the internet leaves them open to potential exploits. In May, an Austria-based researcher revealed a vulnerability in Tesla’s Near Field Communications (NFC) technology that could allow hackers to steal a Tesla vehicle using a Bluetooth Low Energy (LE) device. Last year, researchers demonstrated how Tesla cars could be hacked using a drone due to a vulnerability in its internet connection manager. Also, last year, security researchers found that hackers could hijack electric vehicle charging stations due to Application Programming Interface (API) authorization issues.