When is a car more than a car?
Vehicles have been among the things among the Internet of Things for some time now, which has brought some genuine innovation. Instead of trundling out to your car on an icy Wisconsin driveway to chip away enough ice to free the door handle to open and warm your car ahead of your morning commute, you can do all of that with an app instead.
Your car has APIs. So your car has API security problems.
But with apps come APIs. And according to FireTail’s First Law of API Security: If an API can be hacked and compromised, it will be. And indeed, security researchers found a vulnerability in myHyundai’s API that allowed a potential attacker to access functions that the app would allow, including starting the car, turning the lights on and off, locking the car, et cetera.
The researchers started by intercepting via BurpSuite the API traffic a Hyundai sent. It turned out that the email addresses of the myHyundai users were not well authenticated and could be used to mimic a user. API requests also returned the VIN (Vehicle Identification Number), which coupled with the email address (plus a couple of trailing control characters) could be used to register a car on the app. This revealed the second problem: email verification, while sent, was not necessary to continue sending and receiving requests.
If you’ve signed up for an account on pretty much anything on the internet, you’ll get sent an email verification. Some services treat this as a formality and let you continue on without clicking the link sent to your email, more secure ones do not. For a trivial sports blog, the former is okay (although still not recommended). But when access to one’s car is at stake, verification is mandatory.
Indeed, the final result allowed the researchers to access, unlock, and start a “victim” car. For their part, Hyundai said they were in contact with the researchers and closed the vulnerability upon its discovery. Indeed, the researchers themselves indicated they were working with Hyundai to find the vulnerabilities.
As for the vulnerability itself, Hyundai clarified that it was necessary to know a Hyundai owner’s email address to exploit it, which is trivial to acquire. Vehicle registration databases are notoriously easy to find - just ask anyone who has gotten email spam or postal junk mail offering an extended warranty. So an attacker could hypothetically have fed the API a huge number of known working emails in an attempt to attack those who owned Hyundais.
Some key questions about these connected car API security vulnerabilities:
- Can the connected car API be hacked?
When the initial research was conducted, it appeared entirely possible that these APIs could be abused. Whether the APIs were "hacked" or exploited is somewhat a question of semantics. Hacking an API is typically thought of as willfully violating the rules of an API's access policies, while misuse or abuse or exploitation typically means using the API in a way that was not intended, but is logically available.
- Can the connected car APIs be exploited?
At the time of publication of the research, yes, the APIs could be exploited. Demonstrated proof of concept exploit methods proved this. Vehicle identification numbers (VINs) and easily guessed or intercepted email addresses could be used easily to impersonate a valid user via weak authentication methods. Published explanations and videos showed just how easy and accessible the exploitation of these APIs was.
- Are connected car APIs secure?
As with all new and rapidly developing technologies, there are risks. These risks range from novel attack vectors (things never seen by security teams before) to weak testing, disjointed internal processes and much more. Connected cars, with the value that they provide to the consumer, are one example of this risk. The facilitation of customer convenience may have outweighed the perceived need to moderate the development of these connected car features and their associated APIs.
- What is the danger of the API in the connected car technology stack?
This is one of the most outstanding and impactful proven API security exploits proven up to the point of its disclosure, remediation and publication. The real-world impact of a single stolen car is on the order of tens of thousands of dollars per event or customer. Compare this to the average estimate of the value of a stolen data record - closer to $100/personal record. Therefore, the danger in this case was strong financial impact. Additionally, the connected car APIs could open access to other systems from the manufacturers, as has been seen in other API security breaches.