Researchers used a vulnerability in Hyundai and Genesis software to open a vehicle and start the motor.
The vulnerability was found by Yuga Labs. The team notified Hyundai Motor Group, the parent company of Hyundai and Genesis. The vulnerability has since been fixed.
The problem was caused by security holes in the mobile apps of Hyundai and Genesis. The vulnerability allowed cars built after 2012 to be opened and started. The mobile apps are supposed to only provide access to a car’s owner, but the researchers managed to circumvent authentication.
The security team did not test the vulnerability in the wild. Yuga Labs used a test car for research purposes. Hyundai indicates that the researchers are the first to exploit the vulnerability. In a statement, the organization told Techzine that its investigation indicated “that no customer vehicles or accounts were accessed as a result of the issues raised”.
At the time of writing, the researchers have not published a detailed report on how the exploit works. The team did share a general description on Twitter.
The researchers started by analyzing MyHyundai’s network traffic. The analysis indicated that the app uses the email address of a car’s owner to authenticate. Next, the researchers discovered that MyHyundai doesn’t confirm the email address of newly registered accounts. This oversight made it possible to create a user account for MyHyundai using an existing user’s email address.
The researchers created a new account with the same email address as the car’s owner. Finally, the researchers analyzed the app’s network traffic to find out how MyHyundai receives and processes login requests. The researchers mimicked data formats and sent an HTTP request with the email address of the new account. The app accepted the request. Eventually, the researchers managed to open the car.
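The flaw class described above, as a simplified model added here (not code from the researchers or from Hyundai): a backend that treats an unconfirmed email string as identity, next to a hardened mode that rejects duplicate registrations, requires a confirmed mailbox, and binds the vehicle to an account id. All class, function, email and VIN names are hypothetical.

```python
# Constructed model of the flaw class; not Hyundai's code or API.
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    email: str
    email_verified: bool = False

class Backend:
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}     # account_id -> Account
        self.owner_email = {}  # vin -> email string (weak binding)
        self.owner_id = {}     # vin -> account_id (strong binding)

    def register(self, email):
        email = email.strip().lower()
        if self.hardened and any(a.email == email for a in self.accounts.values()):
            raise ValueError("email already registered")
        acct = Account(len(self.accounts) + 1, email)
        self.accounts[acct.account_id] = acct
        return acct

    def confirm_email(self, account_id):  # stands in for a one-time emailed link
        self.accounts[account_id].email_verified = True

    def enroll_vehicle(self, vin, account_id):
        self.owner_id[vin] = account_id
        self.owner_email[vin] = self.accounts[account_id].email

    def authorize_unlock(self, session_account_id, vin):
        acct = self.accounts[session_account_id]
        if not self.hardened:
            # Weak: the only identity is an email nobody proved control of.
            return acct.email == self.owner_email.get(vin)
        # Hardened: confirmed mailbox and a match on the immutable account id.
        return acct.email_verified and self.owner_id.get(vin) == acct.account_id

def unlock_results(hardened):  # -> (owner_allowed, duplicate_account_allowed)
    b = Backend(hardened)
    owner = b.register("owner@example.test")  # constructed sample data
    b.confirm_email(owner.account_id)
    b.enroll_vehicle("VIN-CONSTRUCTED-1", owner.account_id)
    owner_ok = b.authorize_unlock(owner.account_id, "VIN-CONSTRUCTED-1")
    try:
        dup = b.register("owner@example.test")  # second account, same email
    except ValueError:
        return owner_ok, False
    return owner_ok, b.authorize_unlock(dup.account_id, "VIN-CONSTRUCTED-1")
```

In the weak mode the second, unconfirmed account is authorized for the owner's vehicle; in the hardened mode the legitimate owner still is, and the duplicate registration is refused.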
Hyundai noted that several conditions need to be met to perform the exploit. “The e-mail address associated with the specific account and vehicle as well as the web script employed by the researchers were required to be known”, the organization said. “Nevertheless, we implemented countermeasures within days of notification to further enhance the safety and security of our systems.”