News, 06.12.2022, 12:00 PM
A car’s mobile app can allow hackers to remotely unlock the vehicle, turn the engine on or off, and even honk the horn.
These are the findings of Sam Curry, a security researcher and bug hunter, who investigated vulnerabilities that could affect vehicles from Hyundai, Genesis, Nissan, Infiniti, Honda and Acura, among others.
Curry and his colleagues first turned their attention to the official mobile apps used by Hyundai and Genesis vehicle owners, which allow authenticated users to start, stop, lock and unlock their cars.
In a series of tweets, Curry showed how he was able to exploit flaws in the Hyundai app to bypass checks and remotely unlock the vehicle knowing only the car owner’s email address, eventually taking over the owner’s account entirely.
Later it turned out that the same risk exists for owners of Genesis vehicles.
Curry informed Hyundai and Genesis about his discovery.
A Hyundai spokesperson said that “apart from the Hyundai vehicles and accounts belonging to the researchers themselves, the investigation showed that no one else accessed any vehicles or customer accounts…”
Possibly emboldened by the revelation regarding the Hyundai and Genesis vehicles, Curry continued to investigate vulnerabilities affecting other manufacturers, particularly those that used the SiriusXM Connected Vehicle Services telematics platform.
As Curry explained, unauthorized persons were able to send commands to Nissan, Infiniti, Honda and Acura vehicles, knowing only the vehicle identification number (VIN).
Even if a particular car was no longer actively subscribed to SiriusXM, Curry found he was able to sign it up for the service simply by knowing the VIN, which is usually visible through the car’s windshield.
Using this technique, cars can be remotely stopped or started, locked or unlocked, their headlights turned on or their horns sounded. Even the owner’s personal information (name, phone number, address and car details) can be extracted without permission.
Curry also noted that he could add or remove vehicle owners from the service at will.
Fortunately, as a responsible security researcher, Curry notified the relevant manufacturers of the issue, allowing them to patch the vulnerability before the details were made public.
Apps should make the life of drivers easier, without reducing their safety. We can only hope that car manufacturers will take care of this in the future.