Sam Curry
Nov 29, 15 tweets, 6 min read
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

To explain how it worked and how we found it, we have @_specters_ as our mock car thief:
Our finding began with @_specters_ reaching out to @bbuerhaus and myself to help explore potential security issues affecting vehicle telematics services.

Most car research we'd seen in the past involved really cool crypto attacks on physical keys, but what about the websites?
Both the Hyundai and Genesis mobile apps allow authenticated users to start/stop/lock/unlock their vehicle. Since we had access to a Hyundai, we began proxying all of the app traffic through Burp Suite and seeing what actual API calls were taking place.
The following is the simplified HTTP request to normally unlock the car:

POST /ac/v2/rcs/rdo/unlock HTTP/1.1
Access_token: token

{"userName":"EMAIL","vin":"VIN"}

The "Access_token" header was our JWT generated from authenticating via email/password to the mobile app.
What was interesting was that we were re-sending our email within the JSON body of the POST request. This was irregular as the server should be able to identify our email via our session token in the JWT.

We were curious: how was the server handling the JSON email parameter?
If we modified the email parameter to anything else besides the JWT email, the server would return "unauthorized".

It appeared that the server was comparing the email we sent in the JSON body to the email address parsed from our JWT and performing some sort of pre-flight check.
Since this was being done on the actual request to unlock the car, if it could be bypassed then we could theoretically unlock the car and perform all other actions.

We needed to find some way to trick the server into parsing out a victim email as valid from both of our inputs.
The first approach we thought of was fuzzing the Hyundai user account registration. Immediately, we noticed that the server did not require users to confirm their email address. There additionally appeared to be a very loose regex which allowed control characters in your email.
We played around with this for a while, until we tried something that worked:

By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check!
To test if this worked, we sent an HTTP request to an endpoint which lists vehicles connected to the account using the following variables:

Registered JWT email: victim@gmail.com%0d
JSON parameter email: victim@gmail.com

The HTTP response returned the victim's VIN! We were in!
Our final check was to see if we could perform actual actions like unlocking or starting the car using our tampered JWT.

If we could do this, it would be full account and full vehicle takeover for all remotely enabled Hyundai (and, later we learned, Genesis) vehicles.
We sent the HTTP request using our CRLF-appended victim account to attempt to remotely unlock the vehicle connected to the victim's email address. The service took a few seconds, then finally returned "200 OK".

@_specters_ confirmed that his car had unlocked!
Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a Python script which only needed the victim's email address. After inputting this, you could then execute all commands on the vehicle and take over the actual account.
After putting everything together, we reported the issue to Hyundai and worked with them to confirm the fix.

Thanks for reading! This thread is a small part of a few months of web security research in the auto industry. We're hoping to disclose more related issues in the future.
Nearly forgot: huge thanks to @netspooky for making the amazing ASCII art in the Python script 💕
