Full Report
Most people focus on key fob hacking and similar techniques to break into a car. But what about the mobile and web issues? If you can open a door via the web, that is still a major problem. Because Hyundai allows this, the researchers started proxying the actions of the mobile application. Below is the simple HTTP request to unlock a car:

```http
POST /ac/v2/rcs/rdo/unlock HTTP/1.1
Access_token: token

{"userName":"EMAIL","vin":"VIN"}
```

The access token was a JWT with the user's email inside it. So why would the server ask for an email in the request body if it already had one in the JWT? Any time you attempt to use a different email than your own, the request is rejected. Sam's thought was: what if we could trick the server into parsing a victim's email from both inputs? Let's fuzz!

They started by fuzzing the registration page and found two things: the set of characters allowed in an email was very broad, and no email verification was required. From fuzzing, they noticed that adding a CRLF to the account email produced an address that was accepted as a valid, new email but still functioned as the original one. For instance, `[email protected]%0d` and `[email protected]` behaved as the same email, even though they were physically different strings. Using this, they had a complete authorization bypass that led to the ability to unlock arbitrary cars if they knew the owner's email. Pretty neat!

Overall, an amazing find! Input validation is extremely important, and fuzzing is a great way to find strange bugs.
Analysis Summary
This summary is based on the research published by Sam Curry and his team regarding an authorization bypass affecting Hyundai and Genesis telematics systems.
# Vulnerability: Hyundai/Genesis Telematics Authorization Bypass via Email Parameter Injection
## CVE Details
- **CVE ID:** Not assigned (common for reported web-based API vulnerabilities in SaaS and telematics platforms).
- **CVSS Score:** Estimated 8.8 (High/Critical) (Calculated based on Remote Code Execution-like impact on physical hardware).
- **CWE:** [CWE-20](https://cwe.mitre[.]org/data/definitions/20.html): Improper Input Validation; [CWE-287](https://cwe.mitre[.]org/data/definitions/287.html): Improper Authentication.
## Affected Systems
- **Products:** Hyundai and Genesis vehicles utilizing MyHyundai/MyGenesis mobile apps and web portals.
- **Versions:** Vehicles equipped with telematics (BlueLink) units produced after 2012.
- **Configurations:** Systems relying on API-based authentication where the user email is a primary identifier in the JSON request body.
## Vulnerability Description
The vulnerability existed in the way the backend API (specifically the `/ac/v2/rcs/rdo/unlock` and similar endpoints) validated the identity of the requester.
While the system required a JSON Web Token (JWT) for authentication, it also required a `userName` (email) and a Vehicle Identification Number (VIN) in the POST request body, and the server compared the email in the JWT to the email in the request body.

Researchers discovered that by appending a Carriage Return Line Feed (CRLF) sequence (`%0d`, the URL-encoded carriage return) to a victim's email address during registration, they could create an account that the system treated as a distinct entity for validation purposes but that resolved to the target victim's email in the command execution logic. The two layers disagreed about which identity the string denoted, which allowed an attacker to bypass the authorization check and send commands to any vehicle whose owner's email was known.
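The unlock request in the Full Report above and the two-layer identity mismatch described in this section can be modelled in a few lines. The following is an added example, not code from Hyundai or from Sam Curry's research: the ownership table, the loose and strict email validators, and the assumption that the vulnerable command layer trimmed whitespace before its ownership lookup are all constructed for illustration. The vulnerable path shows how a registration check that accepts a trailing carriage return lets two byte-different strings collapse to one owner; the hardened path rejects control characters at registration, canonicalises the email exactly once, and takes the identity from the verified token only.

```python
import re

# Constructed sample ownership table: canonical owner email -> VINs it may control.
# (Assumed data model for this example, not Hyundai's.)
OWNERS = {
    "victim@example.com": {"VIN-CONSTRUCTED-001"},
}

# --- Vulnerable model (assumed behaviour, modelled from the write-up) ----------

# Loose registration check: only requires "something@something.something".
# [^@]+ happily matches a trailing carriage return, so "victim@example.com\r"
# is accepted as a new, "different" account.
LOOSE_EMAIL = re.compile(r"[^@]+@[^@]+\.[^@]+")
vulnerable_accounts = set()


def vulnerable_register(email):
    """Return True if the loose validator accepts the email and stores it verbatim."""
    if LOOSE_EMAIL.fullmatch(email) is None:
        return False
    vulnerable_accounts.add(email)
    return True


def vulnerable_unlock(jwt_email, body_email, vin):
    """Authorization compares the token identity and the body identity byte-for-byte,
    but the command layer trims whitespace before the ownership lookup.
    The two layers disagree about what the identity is; that gap is the bug."""
    if jwt_email not in vulnerable_accounts:
        return "rejected: unknown account"
    if jwt_email != body_email:
        return "rejected: userName does not match token"
    owner_key = body_email.strip()  # "victim@example.com\r" -> "victim@example.com"
    if vin in OWNERS.get(owner_key, set()):
        return "unlocked"
    return "rejected: vin not owned by account"


# --- Hardened model -----------------------------------------------------------

CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
hardened_accounts = set()


def is_strict_email(email):
    """Reject any control character or whitespace anywhere, then apply a strict grammar."""
    return CONTROL_OR_SPACE.search(email) is None and STRICT_EMAIL.fullmatch(email) is not None


def canonical(email):
    """One canonicalisation, applied identically at registration, token issuance and lookup.
    Deliberately no strip(): nothing that needed trimming should have been accepted."""
    return email.lower()


def hardened_register(email):
    if not is_strict_email(email):
        return False
    hardened_accounts.add(canonical(email))
    return True


def hardened_unlock(jwt_email, vin):
    """Identity comes from the verified token only; the request body is not consulted for it.
    The lookup uses the same canonical key as registration, so no second interpretation exists."""
    key = canonical(jwt_email)
    if key not in hardened_accounts:
        return "rejected: unknown account"
    if vin in OWNERS.get(key, set()):
        return "unlocked"
    return "rejected: vin not owned by account"


if __name__ == "__main__":
    victim, forged = "victim@example.com", "victim@example.com\r"
    vulnerable_register(victim)
    hardened_register(victim)
    print("vulnerable accepts forged registration:", vulnerable_register(forged))
    print("vulnerable unlock with forged identity:", vulnerable_unlock(forged, forged, "VIN-CONSTRUCTED-001"))
    print("hardened accepts forged registration:", hardened_register(forged))
    print("hardened unlock with forged identity:", hardened_unlock(forged, "VIN-CONSTRUCTED-001"))
```

The design point is that the hardened version never has two representations of one identity in flight: the registration validator refuses anything that a later layer might normalise away, and the authorization decision and the ownership lookup use the same key. Dropping the body `userName` from the decision removes the second input the research abused.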
## Exploitation
- **Status:** PoC demonstrated by researchers; vulnerability has since been patched by the vendor.
- **Complexity:** Medium (Requires knowledge of the victim's email address and VIN, which can often be found on the vehicle windshield).
- **Attack Vector:** Network (Remote via Web/API).
## Impact
- **Confidentiality:** Low (Access to account-linked data).
- **Integrity:** High (Ability to remotely execute commands: unlock doors, start/stop engine, honk horn).
- **Availability:** Low (Limited impact on vehicle drivability beyond engine start/stop).
## Remediation
### Patches
- **Vendor Action:** Hyundai/Genesis implemented server-side fixes to their API gateway and registration logic to strictly validate input and prevent CRLF injection. No owner action was required as this was a cloud-side fix.
### Workarounds
- **None:** Vulnerabilities in telematics cloud infrastructures generally require vendor-side remediation.
## Detection
- **Indicators of Compromise:** Unusual account registration attempts containing control characters (e.g., `%0d`, `%0a`) followed by unauthorized remote command requests in API logs.
- **Detection Methods:** Security teams should audit API logs for mismatches between JWT `sub` claims and JSON request body parameters.
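The two detection ideas above (control characters in registration input, and mismatches between the JWT subject and the body identity) can be turned into a small log audit. The following is an added example and not part of the original analysis or any vendor tooling; the JSON-lines log format, its field names (`event`, `email`, `jwt_sub`, `userName`, `vin`) and all five sample records are constructed for this illustration. It flags suspicious registrations, flags command requests whose token identity and body identity differ byte-for-byte or contain control characters (raw or percent-encoded), and correlates commands back to an earlier suspicious registration of the same canonical address.

```python
import json
import re
from urllib.parse import unquote

# Constructed API log in JSON-lines form (assumed format; not real telematics data).
# Record 2 registers an address with a percent-encoded carriage return;
# record 4 then issues an unlock whose token subject carries that raw control character.
SAMPLE_LOG = r"""
{"ts":"2024-01-01T10:00:00Z","event":"register","email":"alice@example.com"}
{"ts":"2024-01-01T10:05:00Z","event":"register","email":"bob@example.com%0d"}
{"ts":"2024-01-01T10:10:00Z","event":"command","path":"/ac/v2/rcs/rdo/unlock","jwt_sub":"alice@example.com","userName":"alice@example.com","vin":"VIN-CONSTRUCTED-001"}
{"ts":"2024-01-01T10:12:00Z","event":"command","path":"/ac/v2/rcs/rdo/unlock","jwt_sub":"bob@example.com\r","userName":"bob@example.com","vin":"VIN-CONSTRUCTED-002"}
{"ts":"2024-01-01T10:15:00Z","event":"command","path":"/ac/v2/rcs/rdo/unlock","jwt_sub":"carol@example.com","userName":"dave@example.com","vin":"VIN-CONSTRUCTED-003"}
"""

# ASCII control characters (including CR 0x0d and LF 0x0a) plus DEL.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(value):
    """True if the value contains a control character, either raw or percent-encoded."""
    return CONTROL.search(unquote(value)) is not None


def canonical(value):
    """The form a lenient lookup layer would plausibly collapse to (assumed): decode, trim, lowercase.
    Used only to correlate records, never to decide that two identities are 'the same user'."""
    return unquote(value).strip().lower()


def analyze(log_text):
    """Return a list of (record_number, rule, canonical_email) findings."""
    findings = []
    suspicious_registrations = set()
    records = (ln.strip() for ln in log_text.splitlines())
    for n, line in enumerate(filter(None, records), start=1):
        rec = json.loads(line)
        if rec["event"] == "register":
            if has_control_chars(rec["email"]):
                key = canonical(rec["email"])
                suspicious_registrations.add(key)
                findings.append((n, "registration-control-char", key))
        elif rec["event"] == "command":
            sub, user = rec["jwt_sub"], rec["userName"]
            key = canonical(sub)
            # Byte-for-byte comparison: any difference between the token identity
            # and the body identity is worth a look, even if they "normalise" equal.
            if sub != user:
                findings.append((n, "identity-mismatch", key))
            if has_control_chars(sub) or has_control_chars(user):
                findings.append((n, "control-char-identity", key))
            if key in suspicious_registrations:
                findings.append((n, "command-after-suspicious-registration", key))
    return findings


if __name__ == "__main__":
    for record_no, rule, who in analyze(SAMPLE_LOG):
        print(f"record {record_no}: {rule} ({who})")
```

Running it over the constructed log yields five findings: one for the suspicious registration, three for the unlock that follows it, and one for the plain subject/body mismatch in the last record. In a real deployment the same rules would run over the API gateway's request logs, with the correlation step keyed on whatever identifier the gateway records for the issued token.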
## References
- **Sam Curry's Technical Blog:** hxxps://samcurry[.]net/hacking-car-companies-and-sending-translated-http-requests/
- **Original Disclosure X (Twitter) Post:** hxxps://x[.]com/samwcyo/status/1597731993436037120
- **Hyundai Security:** hxxps://www[.]hyundai[.]com/us/en/security-vulnerability-reporting-policy