Vulnerabilities in Hyundai and Genesis mobile apps allow full remote vehicle access and full account takeover - Mobile Security Briefing 2023.093

Sam Curry (Twitter | Homepage), a web application security researcher, and a small group of friends found a staggering number of serious vulnerabilities in the mobile and web apps of nearly 20 automotive companies. He provides a fairly detailed write-up on his blog, “Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More”, and here’s a Twitter thread about the Hyundai and Genesis mobile app, which starts with:

We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

You know, just remotely control car engines! :-)

If you read the full Twitter thread, you’ll get a pretty good idea of how they found the vulnerability. At a high level:

  1. Proxied the mobile app’s traffic through Burp Suite
  2. Found an interesting endpoint that includes the email address and VIN in each POST (along with a JWT)
  3. Fuzzed the email parameter a bit and discovered a loose regex that allowed control characters in the email (e.g. a carriage return, 0x0d)
  4. Noted that registration didn’t require users to confirm their email address

To put everything together, a registration request was crafted (and then automated) using the victim’s email address with the control character appended. Once the VIN was “registered” to the fuzzed email, they could send requests such as:

  • unlock the doors
  • start/stop the engine
  • update PIN
  • honk horn
  • etc…
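The chain above (a loose email regex, a backend that canonicalises the address before matching, and no email verification) is easy to reproduce in miniature. The following is an added example written for this briefing, not code from the thread or from Hyundai/Genesis: the vehicle service, the regexes, the victim address and the VIN are all constructed stand-ins, and the way the toy backend keys ownership on a normalised email is an assumption chosen to show the class of bug, not a description of the real API.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable

# --- Email validation -------------------------------------------------------

# Loose check of the kind the thread describes: anchored with ^/$ and built
# from broad negated classes, so control bytes such as CR (0x0d) and LF are
# accepted inside the local part or the domain.
LOOSE_EMAIL_RE = re.compile(r"^[^@]+@[^@]+\.[^@]+$")

# Stricter replacement: an explicit allow-list of characters plus \A/\Z anchors
# (\Z, unlike $, never matches before a trailing newline).
STRICT_EMAIL_RE = re.compile(
    r"\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\Z"
)


def loose_is_valid(email: str) -> bool:
    return LOOSE_EMAIL_RE.match(email) is not None


def strict_is_valid(email: str) -> bool:
    # Refuse any control character outright, then apply the allow-list.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in email):
        return False
    return STRICT_EMAIL_RE.match(email) is not None


def normalize(email: str) -> str:
    # Canonicalisation many backends apply before a lookup. It silently drops
    # the trailing CR, which is what turns a "new" address into the victim's.
    return email.strip().lower()


# --- A toy account / vehicle service (constructed model, assumption) ----------

@dataclass
class VehicleService:
    validate: Callable[[str], bool]
    require_verification: bool
    raw_emails: set = field(default_factory=set)    # uniqueness check on the raw string
    owners: dict = field(default_factory=dict)      # normalised email -> VIN
    pending: dict = field(default_factory=dict)     # email -> verification token
    verified: set = field(default_factory=set)

    def register(self, email: str) -> str:
        if not self.validate(email):
            return "rejected: invalid email"
        if email in self.raw_emails:            # raw compare: "bob@x.com\r" looks new
            return "rejected: already registered"
        self.raw_emails.add(email)
        if self.require_verification:
            self.pending[email] = secrets.token_hex(8)   # would be emailed to the owner
            return "pending: verify email"
        self.verified.add(email)
        return "registered"

    def verify(self, email: str, token: str) -> bool:
        if self.pending.get(email) == token:
            del self.pending[email]
            self.verified.add(email)
            return True
        return False

    def enroll_vin(self, email: str, vin: str) -> str:
        if email not in self.verified:
            return "denied: unverified"
        self.owners[normalize(email)] = vin     # ownership keyed on the normalised address
        return "enrolled"

    def remote_command(self, email: str, vin: str, cmd: str) -> str:
        if email not in self.verified:
            return "denied: unverified"
        if self.owners.get(normalize(email)) != vin:
            return "denied: not owner"
        return f"ok: {cmd} sent to {vin}"


# Constructed sample data: a victim address, a placeholder VIN, and the fuzzed
# address (victim's email plus 0x0d) from step 3 of the write-up.
VICTIM = "victim@example.com"
VIN = "KMHXXXXXXXXXXXXXX"
ATTACKER_EMAIL = VICTIM + "\r"


def run_scenario(hardened: bool) -> dict:
    """Replay the chain against the loose service, or the hardened one."""
    svc = VehicleService(validate=strict_is_valid if hardened else loose_is_valid,
                         require_verification=hardened)
    # The victim signs up normally and enrols the car.
    svc.register(VICTIM)
    if hardened:
        svc.verify(VICTIM, svc.pending[VICTIM])   # simulates clicking the emailed link
    svc.enroll_vin(VICTIM, VIN)
    # The attacker repeats the flow with the fuzzed address, then sends a command.
    reg = svc.register(ATTACKER_EMAIL)
    cmd = svc.remote_command(ATTACKER_EMAIL, VIN, "unlock")
    return {"register": reg, "unlock": cmd}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

The point worth taking from the toy model is that no single check is "the" bug: the loose regex, the raw-string uniqueness check, the normalising lookup and the missing verification each look harmless alone, and the takeover only exists because they disagree about what an email address is. Validating with an allow-list anchored by `\A`/`\Z`, comparing the same canonical form everywhere, and refusing to tie a VIN to an address nobody has proven they control each close it independently.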

Someone on Twitter challenged him about hacking a database without permission, to which Sam responded:

This was through a coordinated vulnerability disclosure program, we had full permission to test and disclose this, there was no expectation of receiving a bounty and were mainly doing this for fun :)

So, hats off to Sam and crew…amazing work for fun, not profit. Just making the world a little bit safer!