SiriusXM, MyHyundai Car Apps showcase the next generation of car hacking
At least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious actors to do the same from afar. Researchers say securing APIs for these kinds of powerful apps is the next phase in preventing hacking of connected cars.
According to Yuga Labs, car-specific apps from Hyundai and Genesis, as well as the SiriusXM smart vehicle platform (used by various automakers, including Acura, Honda, Nissan, Toyota and others), could have allowed attackers to intercept traffic between the apps and vehicles made after 2012.
Hyundai apps allow remote control of car
When it comes to the MyHyundai and MyGenesis apps, an examination of the API calls that the apps make showed that owner validation is done by matching the driver’s email address with various registration parameters. After toying with potential ways to subvert this “pre-flight check,” as the researchers called it, they discovered a path of attack:
“By appending a CRLF character to the end of a pre-existing victim email address during registration, we were able to create an account that bypassed email parameter comparison checks,” they explained in a series of tweets describing the weaknesses. From there, they could gain full control over the app’s commands — and over the car. In addition to starting the car, attackers could, among other things, turn off the horn, control the AC and pop the trunk.
They were also able to automate the attack. “We took all the requests necessary to exploit this and put it into a python script that only needed the victim’s email address,” they tweeted. “After entering this, you can perform all commands on the vehicle and take over the actual account.”
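The CRLF finding above is a canonicalization problem: the registration path and the ownership check did not agree on whether two email strings were the same. As an added illustration (not code from Yuga Labs, Hyundai or SiriusXM), the Python below models that failure class with two deliberately inconsistent lenient checks and shows the single strict canonicalization step a defender would put in front of both; the lenient functions are a hypothetical model, not the apps' actual logic, and all addresses are constructed.

```python
import re
import unicodedata
from typing import Optional, Set

# Constructed sample values for illustration; not taken from any real account.
VICTIM_EMAIL = "owner@example.com"
ATTACKER_SUBMITTED = "owner@example.com\r\n"  # victim address with a trailing CRLF, as described

# Strict address shape: printable local part, '@', dotted domain.
# No whitespace or control characters anywhere.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def canonical_email(raw: str) -> Optional[str]:
    """Return the one canonical form of an address, or None if the input is not acceptable.

    Rejecting control characters and surrounding whitespace (instead of trimming them)
    guarantees that every later comparison sees the same key for the same mailbox.
    """
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        return None  # \r, \n, NUL and friends are never part of an address
    if raw != raw.strip():
        return None  # do not silently trim; require a clean value from the client
    if not _EMAIL_RE.fullmatch(raw):
        return None
    return raw.lower()  # case-fold so one mailbox maps to exactly one key


# Hypothetical model of the failure class: two checks that disagree on equality.
def lenient_is_duplicate(existing: Set[str], submitted: str) -> bool:
    """Uniqueness check on the raw string: 'x\\r\\n' looks like a brand-new account."""
    return submitted in existing


def lenient_owner_matches(registered: str, submitted: str) -> bool:
    """Ownership check that trims whitespace: 'x\\r\\n' now matches the victim's 'x'."""
    return registered.strip() == submitted.strip()


def hardened_register(existing: Set[str], submitted: str) -> bool:
    """Register only a canonical, not-yet-used address; return True on success."""
    key = canonical_email(submitted)
    if key is None or key in existing:
        return False
    existing.add(key)
    return True
```

Run both paths against ATTACKER_SUBMITTED: the lenient pair lets the registration through and then treats it as the victim, while the hardened path refuses the string before any comparison happens.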
“Many car hacking scenarios are the result of an API security issue, not an issue with the mobile app itself,” said Scott Gerlach, co-founder and CSO at StackHawk. “All the sensitive data and functionality of a mobile app resides in the API an app talks to, so that’s what needs to be secure. The upside is that this is a very targeted type of attack and will be difficult to mass-perform. The downside is that it’s still very invasive to the targeted car owner.”
The finding shows the critical nature of API security testing, says Gerlach.
“Testing APIs for OWASP’s top 10 vulnerabilities, including insecure direct object access and broken feature authorization, is no longer a good step in the software development lifecycle,” he notes. “The way connected cars are sold today … it’s similar to a customer opening a bank account and then being tasked with creating their online access based on the account number alone. Anyone could find that data with little effort and put your assets at risk because the verification process was not thought through.”
SiriusXM based car hacking
While most people know SiriusXM as a satellite radio station, the company is also a connected vehicle telemetry provider, providing 12 million connected cars with features like remote start, GPS location, remote climate control and more. A wide range of automakers, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota, all use the SiriusXM connected car platform, according to the website.
The Yuga researchers examined one of the mobile apps that SiriusXM operates, the NissanConnect app, and found that if they knew a target’s vehicle identification number (VIN, which is visible through the windshields of most cars), they could send crafted HTTP requests to the endpoint and get back a range of information, including the driver’s name, phone number, address and vehicle details, that could be used to perform remote commands on the car through the app.
From there, they built a new automated script. “We created a simple Python script to retrieve the customer details of any VIN number,” they said in one tweet thread.
“This latest vulnerability is not about embedded systems or production, but rather the web application itself,” Connor Ivens, competitive security manager at Tanium, told Dark Reading. “Researchers use the car’s VIN numbers as the primary key to the customer ID, and send POST requests to generate a bearer token. This allows you administrative control to issue other requests over the car.”
It is clear that the security of mobile apps must be strengthened. “The app service itself is almost an afterthought of the purchase process,” says Gerlach. “Automakers need to think more deeply about how to better integrate the connected service into the purchase and validation process for the customer.”
Expect to crash into security vulnerabilities in cars
Yuga Labs disclosed the flaws to both Hyundai and SiriusXM, which immediately issued updates. No real-world attacks occurred, but researchers tell Dark Reading that these types of bugs will continue to surface, especially as vehicles become more connected and the complexity of embedded software and external functions increases.
While connected and autonomous vehicles have an expanded attack surface similar to enterprise environments, affected consumers don’t have an entire cybersecurity team working for them, said Karen Walsh, cybersecurity compliance expert and CEO of Allegro Solutions. It is therefore the car manufacturers who must do better.
“Whether the industry likes it or not, it will have to work harder to secure this attack vector. This will also put a much greater burden on the industry from a supply chain standpoint. It’s not just the vehicles that need to be secured, but all the ancillary technologies – in this case infotainment like SiriusXM – which must be included in any security initiative.”
Evolving past the Jeep Hacking demo
Interest in hunting for such flaws is also growing. Since the infamous 2015/2016 Jeep hacking demos by Charlie Miller and Chris Valasek at Black Hat USA brought to light potential physical vulnerabilities in connected cars, the field of car hacking has exploded.
“The Jeep hacking demo involved hacking over cellular modems (and cellular carriers disabled some key features as a result),” says John Bambenek, principal threat hunter at Netenrich. “Web apps have their own security issues that are different from that communication path. I don’t need to own the entire communication stack, I just need to find a soft spot and researchers keep finding them. The reality is that everything is put together with faulty duct tape and security wire... always has been.”
Mike Parkin, senior technical engineer at Vulcan Cyber, says mobile is the next frontier.
“It was challenging enough when threat actors were only attacking key fobs with remote range and limited capacity,” he tells Dark Reading. “Now, with cars being as much a mobile computing platform as a vehicle, it’s only going to get more challenging.”
He adds: “If an attacker can compromise a mobile device, they can potentially control many of the applications on it, including a user’s vehicle control app. The control channels between a user’s mobile device, the manufacturer’s cloud services and the vehicle itself are another attack surface actors can exploit.”