HQ/EMEAFind out how we can help your business
A flaw in the Hyundai automobile app could allow malicious actors to remotely influence a targeted vehicle, posing potential threats for many owners.
According to researchers, this issue has a similar attack surface in the SiriusXM platform used on cars from other manufacturers that allows a hacker to remotely unlock, start, find, flash, and make a siren.
The mobile apps of two car companies (Hyundai and Genesis) called, MyHyundai and MyGenesis, allow privileged users to start, stop, lock, and unlock their automobiles.
The researchers were able to develop, analyse, and extract API calls for further investigation after incepting the traffic created by the two applications. They discovered that validation of the owner is accomplished depending on the user’s email address, which was included in the JSON body of POST requests.
Subsequently, the investigators noticed that MyHyundai did not mandate email confirmation mechanics upon registration. They developed a new account using the target’s email address with additional characters at the end.
The researchers sent an HTTP request to Hyundai’s end that contained the impersonated address in the JSON token and the target’s address in the JSON body. This method has avoided the validity check, which allowed unwanted access to be valid.
Moreover, the analysts have tried to unlock a Hyundai unit used for the research to verify that they could use the flaw to attack a car. Unfortunately, the experimented car got unlocked successfully within just a few seconds.
The devs eventually created the multi-stage attack into an exceptionally crafted Python script, which only needed the target’s email address to execute the hack.
The Hyundai app bug has a similarity to the SiriusXM feature.
SiriusXM Connected Vehicle services is an automobile telematics service provider utilised by more than a dozen car manufacturers, and the effects of the Hyundai app caused could be similar.
The vendor of the provider claims to run 12 million connected cards that operate more than 50 services under a unified landscape. A separate researcher studied the network traffic from Nissan’s application and discovered that it could disseminate forged HTTP requests to the endpoint only by identifying a targeted vehicle identification number.
The response to the unauthorised request includes the target’s name, phone number, address, and vehicle information, which is very similar to the case of Hyundai’s app flaw.
