Updated on 2022-12-04: Researchers find bugs allowing access, remote control of cars
Not a great week for car makers. @samwcyo and team discovered two sets of flaws — one affecting Hyundai and Genesis cars and another affecting Honda, Nissan, Infiniti and Acura vehicles. The bugs allow remote access and control over thousands of cars made after 2012. The Record consolidates the bugs one place (and more from SecurityWeek, too). The second batch of flaws were particularly interesting as they all involve upstream telematics and broadcasting company Sirius XM, which could allow an attacker to remotely fully manage a vehicle by exploiting the app. That’s because SiriusXM is baked into many modern vehicles. (“So many brands under one roof!” remarked @samwcyo.) Forbes ($) brings this all together by looking at how police can use this broad level of remote access to vehicles’ data to obtain warrants for car data, like location data. Read more:
- Researchers find bugs allowing access, remote control of cars
- Several Car Brands Exposed to Hacking by Flaw in Sirius XM Connected Vehicle Service
- Cops Can Extract Data From 10,000 Different Car Models’ Infotainment Systems
We found the SiriusXM Connected Vehicle website and noticed the following quote:
"[SiriusXM] is a leading provider of connected vehicles services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota."
So many brands under one roof! pic.twitter.com/uw1321BFyD
— Sam Curry (@samwcyo) November 30, 2022
Updated on 2022-12-01
Car hacking #1
Security researchers Sam Curry, Brett Buerhaus, and @_Specters_ have found a vulnerability in the web portal of Hyundai cars that could be used to take over a car owner’s account and remotely control the locks, engine, horn, headlights, and trunk of all vehicles made after 2012. Curry&friends said the vulnerability resided in the fact that both portals did not require users to confirm their email addresses, allowing the researcher to use a malformed email address to access other users’ accounts. The vulnerability also impacted Genesis cars, which is Hyundai’s line of luxury cars sold under its own brand. Hyundai fixed the issue following the researchers’ report.
Car hacking #2
The same trio also found a vulnerability in the SiriusXM app that ships with cars from Honda and Nissan. Curry&friends said the vulnerability could be used to remotely unlock, start, locate, flash, and honk the horn of cars running the vulnerable app. Unlike the first vulnerability, to exploit this one, an attacker would have had to know a targeted car’s VIN number. The same app also ships with cars from BMW, Hyundai, Jaguar, Land Rover, Subaru, and Toyota, although the researchers said they didn’t test these models. SiriusXM has since fixed the vulnerability.
Good Morning, I feel like we need more car haxs. So here is another vulnerability we found that got us remote commands on every internet connected Nissan & Infiniti. Bug was fixed.
shout out to @samwcyo @bbuerhaus @sshell_ @d0nutptr @xEHLE_ @iangcarroll @sshell_ @infosec_au pic.twitter.com/5TbC9G1Oxk
— ꙅɿɘƚɔɘqꙅ (@_specters_) November 30, 2022
Overview
Researchers from Yuga Labs found that vulnerabilities in mobile apps exposed Genesis and Hyundai car models after 2012 to remote attacks, including unlocking and starting the cars. Read more: Hyundai app bugs allowed hackers to remotely unlock, start cars
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
To explain how it worked and how we found it, we have @_specters_ as our mock car thief: pic.twitter.com/WWyY6vFoAF
— Sam Curry (@samwcyo) November 29, 2022
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo) November 30, 2022
