Hacking cars remotely with just their VIN

Your car’s mobile app might have allowed hackers to remotely unlock your vehicle, turn on or off its engine, and even honk its horn.

Those are the findings of Sam Curry, a security researcher and bug bounty hunter, who explored vulnerabilities that could affect Hyundai, Genesis, Nissan, Infiniti, Honda, and Acura vehicles, amongst others.

Curry and his colleagues first turned their attention to the official mobile apps used by owners of Hyundai and Genesis vehicles, which allow authenticated users to start, stop, lock, and unlock their cars.

In a series of tweets, Curry demonstrated how he was able to exploit vulnerabilities in the Hyundai app and API to bypass authorisation checks and remotely unlock a vehicle just by knowing its owner’s email address, and ultimately achieve complete takeover of their account.

It later transpired the same risk was present for owners of Genesis vehicles.

Curry responsibly disclosed the security issue to Hyundai and Genesis.

A Hyundai spokesperson told The Record that “other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised…”

Which is, I suppose, something of a relief. But it’s still a great worry that the security risk was present in the first place.

Perhaps emboldened by their discovery related to Hyundai and Genesis vehicles, Curry went on to explore vulnerabilities affecting other manufacturers – specifically those who made use of the SiriusXM Connected Vehicle Services telematics platform.

As Curry has now described, unauthorised parties were able to send commands to a Nissan, Infiniti, Honda, or Acura vehicle, just by knowing its Vehicle Identification Number (VIN).

And even if a specific car was no longer actively subscribed to SiriusXM’s service, Curry found he was able to sign it up to the service by simply knowing the VIN, which is typically visible through the car’s windscreen.

Using this technique, cars could be remotely stopped or started, locked or unlocked, flash their headlights, or honk their horn. Even an owner’s personal details (name, phone number, address, and car information) could be extracted without authorisation.

And although the API calls for telematic services worked even if the user no longer had an active SiriusXM subscription, Curry noted that he could enroll or unenroll vehicle owners from the service at will.
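The underlying design flaw is treating a VIN, which anyone can read through the windscreen, as if it were a credential. The sketch below is an added example, not code from Curry's research or from any manufacturer or SiriusXM system: it contrasts a handler that trusts the VIN alone with one that ties each command and enrolment to an authenticated account that owns the vehicle. Every name, token and VIN in it is hypothetical and constructed.

```python
# Hypothetical telematics backend model; all names and data are constructed.
from dataclasses import dataclass

ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "horn", "lights"}

@dataclass(frozen=True)
class Enrollment:
    owner_account: str   # account verified as the vehicle's owner
    active: bool         # subscription currently active

# Constructed sample data: VIN -> enrollment record.
ENROLLMENTS = {
    "TESTVIN0000000001": Enrollment("alice@example.com", True),
    "TESTVIN0000000002": Enrollment("bob@example.com", False),
}
# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com",
            "tok-mallory": "mallory@example.com"}

def handle_command_weak(vin: str, command: str) -> str:
    """Flawed pattern: the VIN in the request is the only thing checked."""
    if vin in ENROLLMENTS and command in ALLOWED_COMMANDS:
        return "accepted"
    return "rejected"

def handle_command(token: str, vin: str, command: str) -> str:
    """Hardened: the caller must be authenticated and must own this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        return "unauthenticated"
    record = ENROLLMENTS.get(vin)
    # Same answer for unknown VIN and wrong owner, so VINs cannot be probed.
    if record is None or record.owner_account != account:
        return "forbidden"
    if not record.active:
        return "inactive-subscription"
    if command not in ALLOWED_COMMANDS:
        return "bad-command"
    return "accepted"

def enroll(token: str, vin: str, ownership_verified: bool) -> str:
    """Enrolment needs an authenticated account plus out-of-band ownership proof."""
    account = SESSIONS.get(token)
    if account is None or not ownership_verified:
        return "forbidden"
    existing = ENROLLMENTS.get(vin)
    if existing is not None and existing.owner_account != account:
        return "forbidden"
    ENROLLMENTS[vin] = Enrollment(account, True)
    return "enrolled"
```

The `ownership_verified` flag stands in for whatever proof of ownership the operator requires; the point is that knowing the VIN alone never satisfies it.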

Fortunately, being a responsible security researcher, Curry informed the relevant parties of the issue privately – allowing them to patch the vulnerability before details were made public.

Apps are supposed to make motorists’ lives more convenient, not decrease their security. We can only hope that manufacturers will put greater effort in the future into ensuring that smartphone-connected cars will be better protected.
