Home Latest Insights | News Yugalabs Security Engineer Discovers Bugs in Hyundai and Genesis Automobiles

Yugalabs Security Engineer Discovers Bugs in Hyundai and Genesis Automobiles

Yugalabs Security Engineer Discovers Bugs in Hyundai and Genesis Automobiles
TEHRAN, IRAN - JULY 19: (RUSSIA OUT) Russian President Vladimir Putin leaves his presidential plane during the welcoming ceremony at the airport, on July 19, 2022 in Tehran Iran. Russian President Putin and his Turkish counterpart Erdogan arrived in Iran for the summit. (Photo by Contributor/Getty Images)

A Security Researcher have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car.

Yuga Labs staff security engineer Sam Curry reported the findings on a Twitter thread on November 29, noting that the bug allowed the team to “remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012”.

A bug bounty hunter under the moniker _specters_acted as a mock car thief (with his own Hyundai vehicle) for the project by Curry and other researchers.

Tekedia Mini-MBA edition 15 (Sept 9 – Dec 7, 2024) has started registrations; register today for early bird discounts.

Tekedia AI in Business Masterclass opens registrations here.

Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.

Curry, noted that recent cybersecurity research on vehicles tends to focus on cryptographic assaults on physical keys but that, novel exploits aside, the websites and apps supporting modern communication protocols and controls may have been overlooked.

For example, the Hyundai and Genesis mobile device apps allow authenticated users to manage functions, including starting or stopping and locking or unlocking their vehicles, which could be a serious problem if compromised.

Using Burp Suite, the researchers proxied app traffic and monitored API calls, seeking an entry point.

Curry, explained that there appeared to be a ‘pre-flight’ check when JSON Web Tokens (JWTs) were generated during an app’s email/password credential check.

However, as the server did not require email address confirmation, it was possible to add a CRLF character to the end of an existing victim email address during registration and create an account that bypassed the JWT and email parameter check.

The app’s HTTP response returned the victim’s vehicle identification number (VIN) during testing. Curry then sent an HTTP request with the crafted account details, and after a few seconds, Specters confirmed his car had been remotely unlocked.

In the driver’s seat

In itself, the attack chain required many requests. The researchers, therefore, created a Python proof-of-concept (PoC) script compiling these steps – and according to a video of the script in action, an email address is all that is required to launch an attack.

Actions that the team carried out included:

  1. Remotely flashing the victim’s vehicle’s headlights.
  2. Honking the horn.
  3. Starting or stopping the engine.
  4. Locking or unlocking the car.
  5. Changing a PIN.
  6. Unlocking the boot.

Speaking to The Daily Swig, Curry said the vulnerability was disclosed to Hyundai roughly two months ago as part of a package of telematics issues impacting different car manufacturers related to SiriusXM remote management software.

As part of a coordinated vulnerability disclosure program, a fix was issued before the vulnerability was made public.

Fuel for thought

While Curry said the project was “mainly for fun”, commenting on the research, Specters said:

“I do want to highlight we started this research because we all recognized that embedded security for vehicles was getting increasingly better but application security was lagging behind by a large margin. We wanted to push that change and hope we did.”

No posts to display

Post Comment

Please enter your comment!
Please enter your name here