
Hacking cars remotely with just their VIN

Graham CLULEY

December 05, 2022


Your car's mobile app might have allowed hackers to remotely unlock your vehicle, turn on or off its engine, and even honk its horn.

Those are the findings of Sam Curry, a security researcher and bug bounty hunter, who explored vulnerabilities that could affect Hyundai, Genesis, Nissan, Infiniti, Honda, and Acura vehicles, amongst others.

Curry and his colleagues first turned their attention to the official mobile apps used by owners of Hyundai and Genesis vehicles, which allow authenticated users to start, stop, lock, and unlock their cars.

In a series of tweets, Curry demonstrated how he was able to exploit vulnerabilities in the Hyundai app and API to bypass authorisation checks and remotely unlock a vehicle just by knowing its owner's email address, and ultimately achieve complete takeover of their account.

It later transpired the same risk was present for owners of Genesis vehicles.

Curry responsibly disclosed the security issue to Hyundai and Genesis.

A Hyundai spokesperson told The Record that "other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised..."

Which is, I suppose, something of a relief. But it's still a great worry that the security risk was present in the first place.

Perhaps emboldened by their discovery related to Hyundai and Genesis vehicles, Curry and his colleagues went on to explore vulnerabilities affecting other manufacturers - specifically those who made use of the SiriusXM Connected Vehicle Services telematics platform.

As Curry has now described, unauthorised parties were able to send commands to Nissan, Infiniti, Honda, and Acura vehicles just by knowing the car's Vehicle Identification Number (VIN).

And even if a specific car was no longer actively subscribed to SiriusXM's service, Curry found he was able to sign it up to the service by simply knowing the VIN, which is typically visible through the car's windscreen.

Using this technique, cars could be remotely stopped or started, locked or unlocked, flash their headlights, or honk their horn. Even an owner's personal details (name, phone number, address, and car information) could be extracted without authorisation.

Not only did the API calls for telematics services work even if the user no longer had an active SiriusXM subscription, but Curry noted that he could enroll or unenroll vehicle owners in the service at will.
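The SiriusXM issue as described here is an authorization flaw: the API treated the VIN, a value printed on the car, as if it proved ownership. The following is an added illustration, not SiriusXM's, Hyundai's or Curry's code, of that pattern beside the fix; the VINs, accounts and command names are constructed, and the hardened version also gates enrollment, which the article reports could be done with the VIN alone.

```python
from typing import Optional

# Constructed sample data, not real vehicles: VIN -> owning account and subscription state.
VEHICLES = {
    "1HGCM82633A004352": {"owner": "alice@example.com", "subscribed": True},
    "JN1AZ4EH5BM123456": {"owner": "bob@example.com", "subscribed": False},
}
REMOTE_COMMANDS = {"lock", "unlock", "start", "stop", "honk", "flash"}

def vulnerable_send_command(vin: str, command: str) -> dict:
    """Pre-fix pattern: the VIN alone selects the target. No caller identity is
    involved, so anyone who can read the VIN is treated like the owner."""
    if command not in REMOTE_COMMANDS:
        return {"status": "error", "reason": "unknown command"}
    if vin not in VEHICLES:
        return {"status": "error", "reason": "unknown vin"}
    return {"status": "sent", "vin": vin, "command": command}

def authorize(account: Optional[str], vin: str) -> tuple:
    """Object-level check: the VIN is a public identifier, so the decision
    rests on the authenticated account's binding to it."""
    if account is None:
        return False, "authentication required"
    vehicle = VEHICLES.get(vin)
    # Unknown and not-owned VINs get the same answer, so the endpoint cannot
    # be used as an oracle for which VINs are enrolled.
    if vehicle is None or vehicle["owner"] != account:
        return False, "vehicle not associated with this account"
    if not vehicle["subscribed"]:
        return False, "no active telematics subscription"
    return True, "ok"

def hardened_send_command(account: Optional[str], vin: str, command: str) -> dict:
    """Post-fix pattern: every remote command passes through authorize()."""
    if command not in REMOTE_COMMANDS:
        return {"status": "error", "reason": "unknown command"}
    allowed, reason = authorize(account, vin)
    if not allowed:
        return {"status": "denied", "reason": reason}
    return {"status": "sent", "vin": vin, "command": command}

def hardened_enroll(account: Optional[str], vin: str) -> dict:
    """Enrollment is gated on the same binding, so knowing a VIN does not let
    a stranger (re)activate service on someone else's car."""
    vehicle = VEHICLES.get(vin)
    if account is None or vehicle is None or vehicle["owner"] != account:
        return {"status": "denied", "reason": "vehicle not associated with this account"}
    vehicle["subscribed"] = True
    return {"status": "enrolled", "vin": vin}
```

The same principle applies to the profile lookup the article mentions: owner details should be fetched by authenticated account, never by VIN alone.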

Fortunately, being a responsible security researcher, Curry informed the relevant parties of the issue privately - allowing them to patch the vulnerability before details were made public.

Apps are supposed to make motorists' lives more convenient, not decrease their security. We can only hope that manufacturers will put greater effort in the future into ensuring that smartphone-connected cars will be better protected.

Update

Hyundai have offered the following statement:

"Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention. Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts – for either Hyundai or Genesis – were accessed by others as a result of the issues raised by the researchers."

"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai/Genesis account and vehicle as well as the specific web-script employed by the researchers were required to be known. Nevertheless, Hyundai and Genesis implemented countermeasures within days of notification to further enhance the safety and security of our systems. Separately, Hyundai and Genesis were not affected by a Sirius XM authorization flaw that was recently disclosed."

"We value our collaboration with security researchers and appreciate this team’s assistance."
