Vulnerabilities in Hyundai and Genesis mobile apps allow full remote vehicle access and full account takeover - Mobile Security Briefing 2023.093
Sam Curry (Twitter | Homepage), a Web Application Security Researcher, and a small group of friends found a staggering number of serious vulnerabilities in the mobile and web apps of nearly 20 automotive companies. He provides a fairly detailed write up on his blog “Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More” and here’s a Twitter thread about Hyundai and Genesis mobile app with starting with:
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
You know, just remotely control car engines! :-)
If you read the full Twitter thread, you’ll get a pretty good idea of how they found the vulnerability. At a high level:
- Proxied mobile app traffic through Burp suite
- Found interesting endpoint that includes email and VIN on each post (with a JWT)
- Fuzzed the email parameter a bit, discovered loose regex that allowed control chars in email (e.g. carriage return or
0x0d) - Noted registration didn’t require users to confirm their email address
To put everything together, a request was created (and then automated) with a victim’s email and appending the control character. Once the VIN was “registered” to the fuzzed email, they could then send requests such as:
- unlock the doors
- start/stop the engine
- update PIN
- honk horn
- etc…
Someone on Twitter challenged him about hacking a database without permission, to which Sam responded:
This was through a coordinated vulnerability disclosure program, we had full permission to test and disclose this, there was no expectation of receiving a bounty and were mainly doing this for fun :)
So, hats off to Sam and crew…amazing work for fun, not profit. Just making the world a little bit safer!