Cars today are veritable computers on wheels. Air conditioning, heated seats, central locking, the engine… a host of functions can be operated remotely from your smartphone. In some cases, that wireless control can be dangerous: cybersecurity researchers have found a way to hijack the remote control system of several recent car models.
Use of email address
The researchers did not disclose the full procedure of their attack. They did, however, outline their technique in a thread posted on Twitter. “We recently discovered a vulnerability affecting Hyundai and Genesis vehicles that allowed remote control of the locks, engine, horn, lights and trunk of vehicles manufactured after 2012”, said Sam Curry, a specialist in security vulnerabilities.
The researchers examined Hyundai's mobile applications and monitored the network traffic between the app and the server. Their analysis showed that the API (the programming interface between the two services) relied solely on the owner's email address to verify identity. A second weakness: the application used by Hyundai customers allowed accounts to be created with an unverified email address.
The researchers then wrote a Python script to automate their attack (calling the API with a spoofed address). The system's authentication was bypassed and the API returned the car's VIN (Vehicle Identification Number), which made it possible to trigger actions remotely. Using this technique, the white-hat hackers were able to unlock and start a recent Hyundai model, a demonstration they filmed and posted on social networks.
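To make the weakness described above concrete, here is an added Python sketch of the two authorization patterns: a lookup that trusts whatever email the client sends, beside one that derives identity from a server-issued session and refuses to release vehicle data until the address has been verified. This is illustrative code written for this article, not Hyundai's API or the researchers' script; every account, token and VIN in it is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    email_verified: bool
    vin: Optional[str]  # vehicle bound to the account, if any

# Constructed sample data (placeholder VIN, not a real vehicle).
ACCOUNTS = {
    "owner@example.com": Account("owner@example.com", True, "VIN-OWNER-PLACEHOLDER"),
}
# Server-side sessions: opaque token -> account email, issued only after a real login.
SESSIONS = {"tok-owner-123": "owner@example.com"}

def lookup_vin_weak(request: dict) -> Optional[str]:
    """Weak pattern: identity is simply the email the client wrote in the request,
    so anyone who knows the owner's address is treated as the owner."""
    acct = ACCOUNTS.get(request.get("email"))
    return acct.vin if acct else None

def lookup_vin_hardened(request: dict) -> Optional[str]:
    """Hardened pattern: identity comes from a server-held session, and the
    account must have a verified email before any vehicle data is returned.
    Any email field the client sends is ignored for authorization."""
    email = SESSIONS.get(request.get("session_token"))
    if email is None:
        return None
    acct = ACCOUNTS[email]
    if not acct.email_verified:
        return None
    return acct.vin

def register(email: str, verified: bool) -> Account:
    """Creates an account; 'verified' models whether the address was confirmed."""
    acct = Account(email, verified, vin=None)
    ACCOUNTS[email] = acct
    return acct

def bind_vehicle_hardened(email: str, vin: str) -> bool:
    """Refuses to attach a vehicle to an account whose email was never verified,
    closing the second weakness (accounts created with unverified addresses)."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct.email_verified:
        return False
    acct.vin = vin
    return True
```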
The bug fixed
In detail, the experts say this formidable attack could be carried out against all Hyundai and Genesis models released after 2012 and equipped with the SiriusXM system, which handles the vehicles' telematics. Once the demonstration was complete, the researchers worked with Hyundai to fix the flaw.
“No vehicles or customer accounts have been targeted by others following the issues raised by researchers”, a Hyundai spokesperson told our colleagues at BleepingComputer, seeking to reassure customers. The spokesperson added: “We also note that in order to exploit the alleged vulnerability, it was necessary to know the email address associated with the Hyundai account and the vehicle in question, as well as the specific web script used by the researchers.” The company thanked the researchers for their work on its vehicles and application.
A second technique
Taking the process a step further, the researchers also found a more general flaw that could be used to exploit multiple cars using SiriusXM technology. With this second procedure, the car's VIN alone was enough to take control of the vehicle.
This identification number is specific to each car, however, and it is visible… on the dashboard. In the street or in a parking lot, a malicious person can easily read it. The hackers were thus able to target “any Honda, Nissan, Infiniti and Acura vehicle connected remotely”. The issue was reported to SiriusXM and corrected very quickly.
Although complex to exploit, these vulnerabilities show that there is still significant room for improvement in automotive cybersecurity.