
MyHyundai

Product
Developers: Hyundai Motor Company and Kia Motors Corporation
Branches: Transport

2022: Errors detected in mobile app

In early December 2022, it became known that a bug in the MyHyundai and MyGenesis mobile applications allowed attackers to remotely unlock and start Hyundai and Genesis cars, and that cars from several other brands were exposed in a similar way.

Independent information security researchers discovered the problems and went on to study similar attack surfaces in the SiriusXM connected-car platform. That platform is used in cars from other manufacturers (Toyota, Honda, FCA, Nissan, Acura and Infiniti), and its flaws allowed attackers to remotely unlock, start, locate, flash the lights on and sound the horn of cars built from 2012 onward.

Errors in the Hyundai mobile application allowed car thieves to take possession of cars

As of December 2022, the researchers had not published detailed technical write-ups of their findings, but they shared some information on Twitter in two separate threads (one on Hyundai, one on SiriusXM). The Hyundai and Genesis mobile apps, MyHyundai and MyGenesis, let authenticated users start, stop, lock and unlock their vehicles. The researchers intercepted the traffic generated by the two applications, analyzed it and extracted the API calls for further study. They found that owner verification was based on the user's email address, which was included in the JSON body of POST requests.

The analysts then found that MyHyundai did not require email confirmation at registration. They created a new account using the target's email address with an additional control character appended at the end. Finally, they sent an HTTP request to the Hyundai endpoint containing the fake address in the JSON token and the victim's address in the JSON body, bypassing the validation. To confirm that this access could be used against a vehicle, they tried to unlock the Hyundai car used for the study; after a few seconds, the car unlocked. The researchers combined the multi-stage attack into a custom Python script that needed only the victim's email address.
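As an added illustration of the authorization flaw described above (example code written for this page, not Hyundai's or the researchers' code; the account data, VIN and function names are constructed): the vulnerable handler decides ownership from the email in the request body, while the hardened handler uses only the identity bound to the token and a registration step that canonicalizes addresses and rejects control characters.

```python
import unicodedata

# Constructed sample data (not from the article): registered accounts and the
# owner of record for a test vehicle.
ACCOUNTS = {"owner@example.com"}
VEHICLE_OWNER = {"VIN-TEST-0001": "owner@example.com"}


def normalize_email(raw: str) -> str:
    """Canonicalize an address and reject control/format characters, so that
    'owner@example.com' followed by a stray control character cannot be
    registered as a second, distinct account."""
    email = unicodedata.normalize("NFKC", raw).strip().lower()
    if any(unicodedata.category(ch).startswith("C") for ch in email):
        raise ValueError("control or format character in email")
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError("malformed email")
    return email


def register_allowed(raw_email: str) -> bool:
    """Registration gate: returns False when the address is rejected or already
    taken (email verification would follow before the account becomes usable)."""
    try:
        email = normalize_email(raw_email)
    except ValueError:
        return False
    if email in ACCOUNTS:
        return False
    ACCOUNTS.add(email)
    return True


def vulnerable_unlock(token_email: str, body: dict, vin: str) -> bool:
    """The pattern the article describes: the server authenticates the caller
    (token_email) but authorizes the unlock against the email the caller put in
    the JSON body, so the body value, not the caller's identity, decides access."""
    return VEHICLE_OWNER.get(vin) == body.get("email")


def hardened_unlock(token_email: str, body: dict, vin: str) -> bool:
    """Fix: ownership is checked only against the identity bound to the token;
    the body email is untrusted input and plays no part in authorization."""
    return VEHICLE_OWNER.get(vin) == normalize_email(token_email)
```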

SiriusXM is, among other things, a provider of telematics services for vehicles used by more than 15 automakers. The company claims it operates 12 million connected vehicles that run more than 50 services on a single platform.[1]
