Cars can be opened via an app

Security researchers warn that many Hyundai cars can be opened without authorization. Even the email address of the owner should be enough to unlock and steal cars. Hyundai wants to investigate the vulnerability.

Researcher: Hyundai cars have safety problem

Security researchers from Yuga Labs have one serious gap in cars from Hyundai and Hyundai luxury brand Genesis made public. Not only the owner himself, but basically anyone can outsmart the manufacturer apps MyHyundai and MyGenesis. As a result, according to Yuga Labs, the cars can be unlocked and started remotely. Thefts would be so easy (source: Sam Curry on Twitter).

By intercepting API commands, it is possible to modify an HTTP request in such a way that the app assumes a legitimate opening attempt. Using a Python script the security researchers created themselves, it would be sufficient to enter the email address of the owner.

A similar vulnerability According to Yuga Labs, this could not only affect Hyundai and Genesis, but also other manufacturers and brands if they rely on the SiriusXM platform. That would Acura, bmwHonda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, and Subaru Toyota affect. By exploiting the vulnerability, which is said to affect cars manufactured from 2012, it is possible to monitor vehicles and make settings remotely.

The MyHyundai app is also used with the Ioniq 6:

Hyundai: Attacks not yet known

According to the security researchers, Hyundai has confirmed that one the “alleged vulnerability” investigated internally. In a statement, the manufacturer points out that there have been no attacks on vehicles so far. Nevertheless, unspecified countermeasures have been taken to increase security. However, one is not affected by the authorization gap within the SiriusXM platform.