Hyundai app bug allows anyone to unlock and start the car remotely


The flaw affects Hyundai and Genesis vehicles made over the past decade. Exploiting the bug would allow controlling the locks, engine, and other critical features. Hyundai claims the bug was not exploited in the wild.

The newly discovered vulnerability impacts the mobile apps that owners of Hyundai and its luxury brand Genesis use to monitor their vehicles. In addition to vehicle diagnostics and service scheduling, the apps also allow users to remotely start, stop, lock, and unlock their vehicle.

According to Sam Curry, hacker and bug bounty hunter, mobile apps for Hyundai and Genesis vehicles provide vehicle control privileges only to authorized users. However, researchers noted irregularities in how the app communicates with the authorization server, leading them to look into the Hyundai user account registration.

“Immediately, we noticed that the server did not require users to confirm their email address. There additionally appeared to be a very loose regex which allowed control characters in your email,” Curry said in a Tweet detailing the flaw.

Diving into possible ways to bypass the authentication, Curry and his team found that by adding CRLF (carriage return and line feed) characters at the end of an existing victim email during registration, a threat actor could register a new account with an already existing email.

The new account would be issued a JSON web token (JWT) that matched the legitimate email in the server, granting the attacker access to the targeted vehicle.
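As an added illustration (not code from Hyundai or the researchers), the sketch below contrasts a constructed loose email check with a hardened registration check that rejects control characters and enforces uniqueness on a canonical form. The regex patterns, the `Registry` class, and the whitespace-trimming downstream component are assumptions, since the real server-side logic is not public.

```python
import re
import unicodedata

# Constructed stand-in for the "very loose regex" in the article; the real
# server-side pattern is not public. An unanchored search accepts any string
# that merely contains something email-shaped.
LOOSE_RE = re.compile(r"[^@]+@[^@]+\.[A-Za-z]{2,}")

# Hardened pattern: used with fullmatch against an explicit character allow-list.
STRICT_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class Registry:
    """Toy in-memory account store (hypothetical, for illustration only)."""

    def __init__(self):
        self.accounts = set()

    def register_loose(self, email):
        # Weak: loose validation, and uniqueness is checked on the raw string.
        if not LOOSE_RE.search(email) or email in self.accounts:
            return False
        self.accounts.add(email)
        return True

    def register_strict(self, email):
        # Reject (never silently strip) control and format characters.
        if any(unicodedata.category(c).startswith("C") for c in email):
            return False
        if len(email) > 254 or not STRICT_RE.fullmatch(email):
            return False
        # Policy choice in this sketch: uniqueness is enforced on the
        # lowercased form, the same form later components would compare.
        canonical = email.lower()
        if canonical in self.accounts:
            return False
        self.accounts.add(canonical)
        return True


def distinct_after_trim(accounts):
    """Identities as seen by a component that trims whitespace (assumed)."""
    return len({a.strip().lower() for a in accounts})
```

With the loose check, two stored accounts collapse into one identity once any later component trims whitespace; the strict check refuses the second registration outright.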

“Our final check was to see if we could perform actual actions like unlocking or starting the car using our tampered JWT. If we could do this, it would be full account, and full vehicle takeover for all remotely enabled Hyundai (and, later, we learned, Genesis) vehicles,” Curry said.

Researchers used one of their cars to test out the exploit. They found that using a victim’s email address with added CRLF characters allowed them to remotely unlock the vehicle connected to the victim’s email address.

The team behind the hack even developed a Python script that would only need the victim’s email address to execute all commands on the vehicle and even take over the owner’s account.

The vulnerability was reported to Hyundai and, according to Curry, resolved. Hyundai claims that the company investigated the issue and discovered no exploits of the vulnerability in the wild.

"Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers," the company said in a statement.

Hyundai also noted that for the flaw to be exploited, "the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known."

Over the years, a growing number of security experts have focused their studies on car hacking, demonstrating with success how attackers could compromise the various components in the vehicles.

Recently, Europol arrested 31 suspects, dismantling an alleged car theft ring that employed hacking software to steal French-made cars.