A white hat hacker named Sam Curry – who is essentially a good and ethical hacker – recently discovered Several security vulnerabilities in new cars allow him to remotely unlock, start, search, flash and honk new cars from numerous manufacturers.
The exploits discovered by Yuga Labs security engineer Curry have already been patched and unethical hackers can no longer use them. But that took nothing away from the fact that security cracks were pre-existing and posed a risk to those who owned cars that could be affected.
The first hack detailed by Curry (he posted a detailed tutorial on Twitter) used a vulnerability. Sirius XM Connected Vehicles service. After all, many OEMs are using Sirius XM Connected Vehicle Services to provide remote service to their vehicles. The list of manufacturers currently using the system includes Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota. With so many businesses under his one roof, it becomes all the more important that that roof is secure, as a hacker can access multiple car companies in his one way at the same time.
Hack more cars!
Earlier this year, remotely unlocking, starting, locating, flashing and honking remotely connected Honda, Nissan, Infiniti and Acura vehicles, completely unauthorized, knowing only the vehicle’s VIN number. I was able to.
Here’s how we found it and how it works: pic.twitter.com/ul3A4sT47k
— Sam Curry (@samwcyo)
November 30, 2022
If you speak the language of computers and online security, I encourage you to refer to Curry’s Twitter thread above. To simplify things greatly, all Curry needed to execute the aforementioned commands on a car using his Sirius XM Connected Vehicles service was his VIN on the car. Of course, this took a lot of work to finally get there. It is a task that only professionals in this field can do. Curry has admitted that his hack has worked on Honda, Acura, Infiniti and Nissan vehicles, but has suggested that it also works on other manufacturers who use the Sirius XM Connected Vehicles service. did.
When I contacted Sirius about this hacking activity, I received the following statement from the company:
“We take the security of our customers’ accounts seriously and participate in our bug bounty program to help us identify and fix potential security flaws impacting our platform. A security researcher submitted a report to Sirius XM’s Connected Vehicles service about an authentication flaw affecting certain telematics programs, and the issue was resolved within 24 hours of the report being submitted. No subscriber or other data has been compromised or unauthorized accounts have been modified using this method.”
Thankfully, this hack comes from the good side of the hacking world. Also, Sirius took the security flaw seriously and quickly fixed the issue to prevent malicious actors from replicating it. Hacking the Sirius XM wasn’t the only automotive exploit Curry recently worked on, though. Hyundai’s car smartphone app was also targeted.
Instead of attacking the problem from a larger umbrella at the Sirius XM service, Curry turned his attention to Hyundai’s mobile vehicle app itself…and he found a way. All he did was the vehicle owner’s email address.With this information, Curry was able to create a script that unlocked access to all the vehicle commands that could be performed from Hyundai’s smartphone app. . Specifically, it worked on Hyundai and Genesis models manufactured after 2012. The example car Curry used is the latest generation of Hyundai his Elantra. Curry could remotely control the locks, engine, horn, headlights and trunk. As with the Sirius XM exploit, we encourage you to read his Twitter thread below for more details on how Curry hacked the app.
A vulnerability was recently discovered affecting Hyundai and Genesis vehicles that allows remote control of the locks, engine, horn, headlights, and trunk on vehicles manufactured after 2012.
To explain how it works and how I found @_specters_ As our simulated car thief: pic.twitter.com/WWyY6vFoAF
— Sam Curry (@samwcyo)
November 29, 2022
When we asked Hyundai about this hacking activity, we received the following statement back from Hyundai:
“Hyundai worked diligently with third-party consultants to investigate the alleged vulnerability as soon as the researchers came to our attention. Importantly, Hyundai vehicles owned by the researchers themselves With the exception of accounts, our research showed that no other user ever accessed a customer’s vehicle or account as a result of the issues raised by the researchers.
“We also noted that we needed to know the email addresses associated with specific Hyundai accounts and vehicles, as well as specific web scripts utilized by the researchers in order to exploit the alleged vulnerabilities. However, Hyundai has implemented measures within days of the notification to further enhance the safety and security of the system.
“We value working with security researchers and appreciate the support of this team.”
Like the Sirius XM, Hyundai seems to have taken the security flaw seriously and patched it so it can’t be reproduced. Both the Hyundai-specific hack here and the Sirius XM hack are examples of good bug bounty hunting by good actors, but the risks we are exposed to using cars that are always connected to the internet. It also serves as an example for. While it is convenient to be able to lock your car from anywhere in the country, it is important to remember that if anything is connected to the internet, it can be hacked. OEMs are aware of this and take cybersecurity very seriously, but the threat of the bad guys still looms large as vehicles become increasingly intertwined with online and connected services.