Using the faked JWT, the researchers sent an unlock vehicle request to a car owned by a collaborator, and received "200 OK" back at the same time as the car's locks responded to the request.

Once the manual process had been figured out, the researchers were able to massively reduce the steps a threat actor would have to take, using a simple script written in Python.

Using this, all that was required was the victim's email address to gain access to their car, and commands could be run entirely within the program.

"Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention," a Hyundai spokesperson told IT Pro.

"Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers.

"We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known.

"Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. We value our collaboration with security researchers and appreciate this team's assistance."

Earlier in the year, Curry and other researchers stress-tested a number of similar telematics apps, with the common link of developer SiriusXM Connected Vehicle Services (SiriusXM), as outlined in a subsequent Twitter thread.
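The failure described above is a vehicle-command endpoint that honoured a token it had not actually validated. The following is an added example, not code from Hyundai or the researchers, of the two server-side checks a command endpoint needs: verify the JWT signature and expiry before trusting any claim in it, and then bind the verified subject to the vehicle's registered owner rather than to an email the caller supplies. The secret, the VIN and the owner registry are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; a real service keeps the key in a KMS/HSM and
# the owner binding in its account database.
SERVER_SECRET = b"demo-only-signing-secret"
VEHICLE_OWNERS = {"VIN-EXAMPLE-001": "owner@example.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(email: str, ttl_seconds: int = 600) -> str:
    """Mint an HS256 JWT for an authenticated account (login succeeded elsewhere)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "exp": int(time.time()) + ttl_seconds}).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the algorithm is pinned, the MAC matches and the token is unexpired."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # tampered or fabricated token
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, KeyError):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def handle_unlock(token: str, vin: str) -> int:
    """Authorize an unlock: 401 for an invalid token, 403 if the subject does not own the vehicle."""
    claims = verify_token(token)
    if claims is None:
        return 401
    if VEHICLE_OWNERS.get(vin) != claims.get("sub"):
        return 403
    return 200
```

Only a token minted by the server for the vehicle's registered owner reaches 200; a token carrying the owner's email but a bad signature is rejected before its claims are ever read.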