SiriusXM, MyHyundai Car Apps Showcase Next-Gen Car Hacking
At least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar. Researchers say securing APIs for these types of powerful apps is the next phase in preventing connected car hacking.
According to Yuga Labs, car-specific apps from Hyundai and Genesis, as well as the SiriusXM smart vehicle platform (used by various automakers, including Acura, Honda, Nissan, Toyota and others), could have allowed attackers to intercept traffic between the apps and vehicles made after 2012.
Hyundai Apps Allow Remote Car Control
When it comes to the MyHyundai and MyGenesis apps, an investigation of the API calls that the apps make showed that owner validation is done through matching up the driver’s email address with various registration parameters. After playing around with potential ways to subvert this “pre-flight check,” as the researchers called it, they discovered an avenue of attack:
“By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the … email parameter comparison check,” they explained in a series of tweets detailing the weaknesses. From there, they were able to gain complete control over the apps’ commands — and over the car. In addition to starting the car, attackers could set the horn off, control the AC, and pop the trunk, among other things.
They were also able to automate the attack. “We took all of the requests necessary to exploit this and put it into a python script which only needed the victim’s email address,” they tweeted. “After inputting this, you could then execute all commands on the vehicle and takeover the actual account.”
“Many car hacking scenarios are the result of an API security issue, not an issue with the mobile app itself,” Scott Gerlach, co-founder and CSO at StackHawk, says. “All of the sensitive data and functions of a mobile app reside in the API an app talks to, so that’s what needs to be secure. The upside is this is a very targeted type of attack and would be difficult to mass execute. The downside is it’s still highly…