Updated on 2022-12-04: Researchers find bugs allowing access, remote control of cars
Not a great week for car makers. @samwcyo and team discovered two sets of flaws — one affecting Hyundai and Genesis cars and another affecting Honda, Nissan, Infiniti and Acura vehicles. The bugs allow remote access and control over thousands of cars made after 2012. The Record consolidates the bugs one place (and more from SecurityWeek, too). The second batch of flaws were particularly interesting as they all involve upstream telematics and broadcasting company Sirius XM, which could allow an attacker to remotely fully manage a vehicle by exploiting the app. That’s because SiriusXM is baked into many modern vehicles. (“So many brands under one roof!” remarked @samwcyo.) Forbes ($) brings this all together by looking at how police can use this broad level of remote access to vehicles’ data to obtain warrants for car data, like location data. Read more:
- Researchers find bugs allowing access, remote control of cars
- Several Car Brands Exposed to Hacking by Flaw in Sirius XM Connected Vehicle Service
- Cops Can Extract Data From 10,000 Different Car Models’ Infotainment Systems
Updated on 2022-12-01
Car hacking #1
Security researchers Sam Curry, Brett Buerhaus, and @_Specters_ have found a vulnerability in the web portal of Hyundai cars that could be used to take over a car owner’s account and remotely control the locks, engine, horn, headlights, and trunk of all vehicles made after 2012. Curry&friends said the vulnerability resided in the fact that both portals did not require users to confirm their email addresses, allowing the researcher to use a malformed email address to access other users’ accounts. The vulnerability also impacted Genesis cars, which is Hyundai’s line of luxury cars sold under its own brand. Hyundai fixed the issue following the researchers’ report.
Car hacking #2
The same trio also found a vulnerability in the SiriusXM app that ships with cars from Honda and Nissan. Curry&friends said the vulnerability could be used to remotely unlock, start, locate, flash, and honk the horn of cars running the vulnerable app. Unlike the first vulnerability, to exploit this one, an attacker would have had to know a targeted car’s VIN number. The same app also ships with cars from BMW, Hyundai, Jaguar, Land Rover, Subaru, and Toyota, although the researchers said they didn’t test these models. SiriusXM has since fixed the vulnerability.
Overview
Researchers from Yuga Labs found that vulnerabilities in mobile apps exposed Genesis and Hyundai car models after 2012 to remote attacks, including unlocking and starting the cars. Read more: Hyundai app bugs allowed hackers to remotely unlock, start cars
