Researchers find bugs allowing access, remote control of cars

Several major car brands have addressed vulnerabilities that would have allowed hackers to remotely control the locks, engine, horn, headlights, and trunk of certain cars made after 2012, according to a security researcher. 

Yuga Labs staff security engineer Sam Curry published two threads on Twitter detailing his research into the mobile apps for several car brands that give customers the ability to remotely start, stop, lock and unlock their vehicles. 

Curry and several other researchers started with Hyundai and Genesis, finding that much of the verification process for getting access to a vehicle relied on registered email addresses. They found a way to bypass the email verification feature and gain full control.

Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a python script which only needed the victim's email address. After inputting this, you could then execute all commands on the vehicle and takeover the actual account. pic.twitter.com/Bz5G5ZvHro

— Sam Curry (@samwcyo) November 29, 2022

“The vulnerability has been patched, the core issue is an access control vulnerability affecting the user accounts in the app itself. You could login to anyone's account if you knew their email address and therefore remotely control/locate their vehicle,” Curry said, noting that the attack could occur “from anywhere.”

Curry said the researchers reported the issue to Hyundai and helped them resolve it.

A Hyundai spokesperson told The Record that they worked with consultants to investigate the purported vulnerability “as soon as the researchers brought it to our attention.” 

“Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers,” the spokesperson said. 

“We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems.”

Genesis did not respond to requests for comment. 

In comments to The Record, Curry explained that the maneuver would have allowed an attacker to remotely start, stop, lock, unlock, honk, flash lights, or locate any vehicle that had the remote functionality enabled. That feature has been enabled in all vehicles made after 2012. 

Sirius XM issue

In a second Twitter thread published on Tuesday evening, Curry explained that he and other researchers found similar app-based issues affecting Nissan, Infiniti, Honda, and Acura vehicles.

Curry said that by exploiting the Sirius XM app, a hacker could remotely do many of the same things, including full vehicle management, all by only knowing the VIN number. Using that number allowed them to get a suite of information about the vehicle owner and the car, and with that information they accessed vehicle commands.

“You could walk up to a vehicle in a parking lot, scan the VIN with your phone, then send remote commands/retrieve the user information: full name, email, phone, address, etc,” Curry said. 

More car hacking!

Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.

Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k

— Sam Curry (@samwcyo) November 30, 2022

“For these companies with remotely enabled vehicles – Honda, Nissan, Infiniti and Acura – you need the vehicle VIN number and you could get full vehicle access (remote start, stop, lock, unlock, flash lights, honk horn, pull customer information).”

Curry explained that the researchers found the vulnerability by investigating what was providing the auto manufacturers telematic services.

“While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics. This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do!” Curry said.

On the SiriusXM Connected Vehicle website, the researchers found that the company is a “leading provider of connected vehicles services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota."

They reverse engineered all of the mobile apps of SiriusXM customers and after some more digging, they realized that through them they could access customer information.

Curry said he was unsure of what models of cars were affected but noted that many modern ones have SiriusXM installed off the line. Sirius XM has since updated the app to address the issue. 

A spokesperson for Sirius XM Connected Vehicle Services told The Record that it has a bug bounty program to help correct potential security flaws impacting their platforms.

“As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program,” the spokesperson said. 

“The issue was resolved within 24 hours after the report was submitted.  At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”

A spokesperson for Honda denied that the issue had anything to do with their company and said that depending on the model, these issues would only allow for remote start and remote door lock. The spokesperson said it would not allow a hacker to drive the car or control functions while the car is in use. 

Curry disagreed, noting that while these are one-off issues which can be patched, architecturally, someone “has the capability to identify similar access control issues which would allow them to regain the same level of access if a similar issue were to exist.”

“I think auto manufacturers should be concerned about similar web/API vulnerabilities that lead to account and vehicle access... There has been a lot of focus on hardware and cryptographic vulnerabilities affecting vehicles but there are web/API vulnerabilities that can be exploited to achieve account/vehicle access,” Curry told The Record. 

Spokespersons for the other car companies involved responded to requests for comment but said they needed time to look through the reports.

In July, Honda said it was addressing a spate of recently-discovered vulnerabilities in its newly designed models after researchers found bugs affecting the key fob systems in its vehicles dating back to 2012.

Earlier this year, Honda was forced to address CVE-2022-27254 — a replay vulnerability affecting the Remote Keyless System in Honda Civics made between 2016 and 2020. That bug allowed researchers to eavesdrop on the unencrypted radio frequency signal and recreate it, giving them the ability to open and start vehicles. 

In an effort to deal with this issue, Honda and other car manufacturers developed a rolling code system in keyless entry systems that mitigates this vulnerability by using a Pseudorandom Number Generator (PRNG) to create several different codes between the key fob and the car. Security researchers from Star-V Lab released a report in July showing how the rolling code system could be exploited.