Vehicles have been part of the Internet of Things for some time now, which has brought some genuine innovation. Instead of trundling out to your car on an icy Wisconsin driveway to chip away enough ice to free the door handle, open the car and warm it up ahead of your morning commute, you can do all of that from an app instead.
But with apps come APIs. And according to FireTail’s First Law of API Security: If an API can be hacked and compromised, it will be. And indeed, security researchers found a vulnerability in myHyundai’s API that allowed a potential attacker to access functions that the app would allow, including starting the car, turning the lights on and off, locking the car, et cetera.
The researchers started by intercepting, via BurpSuite, the API traffic the myHyundai app sent. It turned out that the email address of a myHyundai user served as the identifier and was not properly validated, so it could be used to impersonate that user. API requests also returned the VIN (Vehicle Identification Number), which coupled with the email address (plus a couple of trailing control characters) could be used to register a car on the app. This revealed the second problem: email verification, while sent, was not required in order to keep sending and receiving requests.
If you’ve signed up for an account on pretty much anything on the internet, you’ll have been sent an email verification. Some services treat this as a formality and let you continue without clicking the link sent to your email; more secure ones do not. For a trivial sports blog, the former is okay (although still not recommended). But when access to one’s car is at stake, verification is mandatory.
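The two flaws described above, inconsistent handling of an email address carrying trailing control characters and a verification email that is sent but never enforced, are illustrated in the added example below alongside a hardened form. This is example code written for this post, not Hyundai's code, and the account data, VIN values and the exact matching behaviour of the weak version are assumptions chosen to model the behaviour the researchers observed.

```python
import re
from typing import Optional

# Constructed sample data (not from the research): registered owners keyed by email address.
OWNERS = {"owner@example.com": {"vin": "VIN-PLACEHOLDER-001", "verified": True}}

# Strict address grammar: letters, digits and a few symbols, no whitespace or control characters.
# Used with re.fullmatch: a pattern ending in '$' under re.match would still accept a trailing '\n'.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def weak_register(email: str, vin: str) -> Optional[dict]:
    """Assumed model of the weak flow: the duplicate check compares the raw string, so an
    address padded with control characters looks new, while the ownership lookup strips
    whitespace and binds the new account to the real owner. Verification is never consulted."""
    if email in OWNERS:                     # exact match: 'owner@example.com\r\n' slips past
        return None
    owner = OWNERS.get(email.strip())       # lenient match: resolves to the real owner's record
    if owner is None or owner["vin"] != vin:
        return None
    return {"email": email, "vin": vin, "verified": False, "can_command": True}


def strict_register(email: str, vin: str) -> Optional[dict]:
    """Hardened form: validate the address once against a strict grammar, canonicalize it,
    reject duplicates on the canonical form, and start every account unverified."""
    if not EMAIL_RE.fullmatch(email):
        return None                         # control characters and padding are rejected outright
    email = email.lower()
    if email in OWNERS:
        return None                         # the owner already has an account; no second binding
    return {"email": email, "vin": vin, "verified": False, "can_command": False}


def confirm_verification(session: dict) -> dict:
    """Called only when the link from the verification email is actually clicked."""
    session["verified"] = True
    session["can_command"] = True
    return session


def authorize_command(session: Optional[dict], command: str) -> bool:
    """Gate every remote action (unlock, start, lights) on a verified account."""
    return bool(session and session["verified"] and session["can_command"])
```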
In the end, the researchers were able to access, unlock, and start a “victim” car. For their part, Hyundai said they were in contact with the researchers and closed the vulnerability upon its discovery. Indeed, the researchers themselves indicated they were working with Hyundai to find the vulnerabilities.
As for the vulnerability itself, Hyundai clarified that it was necessary to know a Hyundai owner’s email address to exploit it, which is trivial to acquire. Vehicle registration databases are notoriously easy to find - just ask anyone who has gotten email spam or postal junk mail offering an extended warranty. So an attacker could hypothetically have fed the API a huge number of known working emails in an attempt to attack those who owned Hyundais.