At least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar. Researchers say securing APIs for these types of powerful apps is the next phase in preventing connected car hacking.
According to Yuga Labs, car-specific apps from Hyundai and Genesis, as well as the SiriusXM smart vehicle platform (used by various automakers, including Acura, Honda, Nissan, Toyota and others), could have allowed attackers to intercept traffic between the apps and vehicles made after 2012.
Hyundai Apps Allow Remote Car Control
When it comes to the MyHyundai and MyGenesis apps, an investigation of the API calls that the apps make showed that owner validation is done through matching up the driver's email address with various registration parameters. After playing around with potential ways to subvert this "pre-flight check," as the researchers called it, they discovered an avenue of attack:
"By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the ... email parameter comparison check," they explained in a series of tweets detailing the weaknesses. From there, they were able to gain complete control over the apps' commands — and over the car. In addition to starting the car, attackers could set the horn off, control the AC, and pop the trunk, among other things.
They were also able to automate the attack. "We took all of the requests necessary to exploit this and put it into a python script which only needed the victim's email address," they tweeted. "After inputting this, you could then execute all commands on the vehicle and takeover the actual account."
"Many car hacking scenarios are the result of an API security issue, not an issue with the mobile app itself," Scott Gerlach, co-founder and CSO at StackHawk, says. "All of the sensitive data and functions of a mobile app reside in the API an app talks to, so that's what needs to be secure. The upside is this is a very targeted type of attack and would be difficult to mass execute. The downside is it's still highly invasive for the targeted car owner."
The finding showcases the criticality of API security testing, Gerlach says.
"Testing APIs for OWASPs Top 10 vulnerabilities including Insecure Direct Object Access and Broken Function Authorization is no longer a nice-to-have step in the software development lifecycle," he notes. "In the way connected cars are sold today ... is similar to a customer opening a bank account and then being tasked to create their online access based on the account number alone. Anyone could find that data with little effort and put your assets at risk because the verification process was not thought through."
SiriusXM-Based Car Hacking
While most people know SiriusXM as a satellite radio juggernaut, the company is also a connected vehicle telemetry provider, providing 12 million connected cars with functions like remote start, GPS location, remote climate controls, and more. A wide range of automakers, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, all use the SiriusXM connected car platform, according to its website.
The Yuga researchers examined one of the mobile apps that SiriusXM powers, the NissanConnect app, and found that if they knew a target's vehicle identification number (VIN, which is visible through most cars' front windshields), they could send forged HTTP requests to the endpoint and get back a host of information, including a driver's name, phone number, address, and vehicle details that could be used to execute remote commands on the car through the app.
From there, they built another automated script. "We made a simple Python script to fetch the customer details of any VIN number," they said in a tweet thread.
"This latest vulnerability isn’t about embedded systems or the manufacturing, but rather the web application itself," Connor Ivens, competitive intelligence manager for security at Tanium, tells Dark Reading. "Researchers are using the car VIN numbers as the primary key of customer ID, and sending POST requests to generate a bearer token. This allows you administrative control to issue other requests over the car."
It's clear that mobile app security needs to be hardened. "The app service itself is almost an afterthought of the purchase process," Gerlach says. "Car manufacturers need to think more deeply about how to better integrate the connected service into the purchase and validation process for the customer."
Expect to Crash Into Car Security Vulnerabilities
Yuga disclosed the flaws to both Hyundai and SiriusXM, which promptly issued patches. No real-world attacks occurred, but researchers tell Dark Reading that these kinds of bug discoveries will continue to come to the fore, especially as vehicles become more connected, and the complexity of onboard software and remote capabilities goes up.
While connected and autonomous vehicles have an expanded attack surface similar to enterprise environments, impacted consumers don’t have an entire cybersecurity team working for them, says Karen Walsh, cybersecurity compliance expert and CEO at Allegro Solutions. Thus, the onus is on carmakers to do better.
"Whether the industry likes it or not, it’s going to need to work harder to secure this attack vector. This will also place a much larger burden on the industry from a supply chain standpoint. It’s not just the vehicles that need to be secured, but all the additional technologies — in this case infotainment like SiriusXM — that need to be included in any security initiative."
Evolving Past the Jeep Hacking Demo
We may see an uptick in probing for such flaws as well. Since the infamous 2015/2016 Jeep hacking demos from Charlie Miller and Chris Valasek at Black Hat USA brought potential physical vulnerabilities in connected cars to light, the field of automotive hacking has exploded.
"The Jeep hacking demo involved hacking over cellular modems (and cell companies disabled some key functionality as a result)," says John Bambenek, principal threat hunter at Netenrich. "Web apps have their own security concerns distinct from that path of communication. I don't have to own the entire communication stack, I just need to find a soft spot and researchers continue to find them. The reality is that it's all put together with defective duct tape and bailing wire ... it always has been."
Mike Parkin, senior technical engineer at Vulcan Cyber, says that mobile is the next frontier.
"It was challenging enough when threat actors were just attacking key fobs with remote range and limited capability," he tells Dark Reading. "Now, with cars being as much a mobile computing platform as a vehicle, it will only get more challenging."
He adds, "If an attacker can compromise a mobile device, they could potentially control many of the applications on it including a user’s vehicle control app. The control channels between a user's mobile device, the manufacturer’s cloud services, and the vehicle itself are another attack surface threat actors could leverage."