Sam Curry
Nov 30, 2022
More car hacking!

Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.

Here's how we found it, and how it works:
After finding individual vulnerabilities affecting different car companies, we became interested in finding out who exactly was providing the auto manufacturers' telematic services.

We thought it was likely there was a company who provided multiple automakers' telematic solutions.
While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics.

This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do!
We found the SiriusXM Connected Vehicle website and noticed the following quote:

"[SiriusXM] is a leading provider of connected vehicles services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota."

So many brands under one roof!
At this point, we kicked off scans and scoured the internet trying to find as many domains as we could that were owned by SiriusXM, and additionally reverse engineered all of the mobile apps of SiriusXM customers to see how the remote management actually worked.
During this process, we found the domain "telematics.net" and began investigating. From what we found, it appeared to handle services for enrolling vehicles in the SiriusXM remote management functionality.
After pivoting to this domain in particular, we found a large number of references to it in the NissanConnect app and decided to dig as deep as we could.

We reached out to someone who owned a Nissan, signed into their account, then began inspecting the HTTP traffic.
There was one HTTP request in particular that was interesting: the "exchangeToken" endpoint would return an authorization bearer dependent on the provided "customerId".

While fuzzing, we removed the "vin" parameter and it still worked. It seemed to only care about "customerId".
The format of the "customerId" parameter was interesting as there was a "nissancust" prefix to the identifier along with the "Cv-Tsp" header which specified "NISSAN_17MY".

When we changed either of these inputs, this request failed.
Trying to be cheeky, we went for an obvious IDOR and changed the "customerId" parameter to another user's customer ID. This failed and gave us an authorization error.

Not entirely satisfied, we left this endpoint to rest and began looking at other endpoints.
Hours later, in one of the HTTP responses we saw the following format of a VIN number:

vin:5FNRL6H82NB044273

This vin format looked eerily similar to the "nissancust" prefix from the earlier HTTP request. What if we tried sending the VIN prefixed ID as the customerId?
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier.

To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked!
We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked!

The response contained the victim's name, phone number, address, and car details.

At this point, we made a simple python script to fetch the customer details of any VIN number.
We continued to escalate this and found the HTTP request to run vehicle commands.

This also worked!

We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield.
At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan.

We reported the issue to SiriusXM who fixed it immediately and validated their patch.
Thank you for reading, huge shout out to all of these amazing people for helping with this research:
@_specters_ @bbuerhaus @d0nutptr @xEHLE_ @iangcarroll @sshell_ @infosec_au!

We hope to publish more security findings over our few months spent researching this topic soon.
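The authorization defect the thread describes, modelled as an added example (this is not SiriusXM's code and not the researchers' script; every handler, session, customer id, VIN and token below is constructed): a token-exchange handler that mints a bearer token for whatever "customerId" it is handed and never consults the caller's own session, beside a hardened version that requires a session, checks that the session owns the requested id, and rejects identifiers from the "vin:" namespace outright. The profile endpoint trusts the token's subject, which is why the minting step is the place the ownership check has to live.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-key-not-real"

# Constructed session store: session token -> the customer id that owns it.
SESSIONS = {
    "session-alice": "nissancust:100001",
}

# Constructed account records keyed by identifier. The "vin:" entries mimic the
# VIN-namespaced ids the thread describes; the VINs are made up.
ACCOUNTS = {
    "nissancust:100001": {"name": "Alice", "vin": "1EXAMPLEVIN000001"},
    "nissancust:100002": {"name": "Bob", "vin": "1EXAMPLEVIN000002"},
    "vin:1EXAMPLEVIN000001": {"name": "Alice", "vin": "1EXAMPLEVIN000001"},
    "vin:1EXAMPLEVIN000002": {"name": "Bob", "vin": "1EXAMPLEVIN000002"},
}


def mint_bearer(subject: str) -> str:
    """Issue an HMAC-signed bearer token whose subject is an account id."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def bearer_subject(token: str):
    """Verify the token signature and return its subject, or None if invalid."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def exchange_token_vulnerable(customer_id: str, authorization=None):
    """Broken pattern: a token is issued for any id that resolves.

    The Authorization header is never read, so dropping it changes nothing,
    and any key in the lookup table, including the VIN-namespaced ones,
    yields a token for that account.
    """
    if customer_id not in ACCOUNTS:
        return 404, None
    return 200, mint_bearer(customer_id)


def exchange_token_fixed(customer_id: str, authorization=None):
    """Hardened pattern: bind the minted token to the authenticated caller.

    1. A valid session is mandatory (no anonymous minting).
    2. Only the customer-id namespace is accepted, so a VIN can never stand
       in for a customer id.
    3. The requested id must be the one the session owns.
    """
    if authorization is None or authorization not in SESSIONS:
        return 401, None
    if not customer_id.startswith("nissancust:"):
        return 400, None
    if SESSIONS[authorization] != customer_id:
        return 403, None
    return 200, mint_bearer(customer_id)


def get_profile(token: str):
    """Profile endpoint: returns the record for whatever subject the bearer names."""
    subject = bearer_subject(token)
    if subject is None or subject not in ACCOUNTS:
        return 401, None
    return 200, ACCOUNTS[subject]
```

The detection angle for a defender follows from the same model: a token-exchange endpoint that succeeds with no Authorization header, or whose requested id and session id disagree, should never return 200, so a log of exchange calls where the two identifiers differ is a direct signal that the ownership check is missing.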
