A Remote-Start App Exposed Thousands of Cars to Hackers

Credit to Author: Andy Greenberg | Date: Sat, 10 Aug 2019 18:50:00 +0000

Last winter, a hacker who goes by the handle Jmaxxz was looking for a Christmas present for his girlfriend. She’d recently flown back from a work trip and complained that her fingers had been painfully cold on her drive home from the airport, thanks to below-freezing winter weather and a circulatory system condition known as Raynaud’s disease. So Jmaxxz had the idea to buy her a remote starter that would connect to her car’s dashboard and, with an accompanying device and app called Linkr, allow her to start the car's engine with a tap on her phone. That way, on her next trip, she could start heating up the car as soon as her plane touched down.

But even as he was installing that setup, he had misgivings. A security-minded software engineer for a company he declined to name, Jmaxxz wondered what sort of remote hacking he might have left his girlfriend’s car susceptible to. "In the back of my head I kept thinking, what’s the risk of this system, I’m putting her car on the internet," he remembers. "I told myself, 'ignorance is bliss. I’m not going to look at it. Don’t look at it.'"

He looked at it. And within 24 hours of doing so, in January of this year, he found exactly what he had feared: vulnerabilities that would let any hacker fully hijack that remote unlock and ignition device, providing a handy tool for stealing any of tens of thousands of vehicles. "You could locate cars, identify them, unlock them, start the car, trigger the alarm," says Jmaxxz. "Really anything a legitimate user could do, you could do."

In a talk at the Defcon hacker conference today in Las Vegas, Jmaxxz described a series of vulnerabilities in MyCar, a system made by Canadian company Automobility, whose software is rebranded and distributed under names including MyCar Kia, Visions MyCar, Carlink, and Linkr-LT1. MyCar's devices and apps connect to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic, using GPS and a cellular connection to extend their range to anywhere with an internet connection. But with any of three different security flaws present across those apps—which Jmaxxz says he reported to the company and which have since been fixed—he could have gained access to MyCar's database backend, letting him or a less friendly hacker pinpoint and steal any car connected to the MyCar app, anywhere in the world.

Based on a scan of MyCar's exposed database—and Jmaxxz says he was careful not to access anyone else's private data—he estimates that there were roughly 60,000 cars left open to theft by those security bugs, with enough exposed data for a hacker to even choose the make and model of the car they wanted to steal. "You want a new Cadillac? You can find a new Cadillac," Jmaxxz says.

When Jmaxxz began digging into the internals of Automobility's apps in January, he says he first found that they included hardcoded administrator credentials, which he could pull out and use to access the company's backend data. But even beyond that, he describes two other kinds of common hackable flaws—widespread SQL injection bugs and direct object reference vulnerabilities—that would have let him gain access to the same data and send commands to other users' vehicles.
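To make the second flaw class concrete, here is an added illustration (hypothetical code, not Automobility's; the schema, account names and sample rows are constructed) of a vehicle-command handler that trusts a client-supplied vehicle id, the same handler with the ownership check folded into a parameterized query, and a small audit-log heuristic that flags accounts addressing vehicles they do not own:

```python
"""Constructed illustration of an unchecked direct object reference in a
remote-start command API, a hardened version, and a log heuristic.
Hypothetical code; schema, names and rows are made up, not Automobility's."""
import sqlite3
from collections import defaultdict

# Constructed sample backend: two accounts, one vehicle each.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE vehicles (id INTEGER PRIMARY KEY, owner TEXT, make TEXT)")
DB.executemany("INSERT INTO vehicles VALUES (?, ?, ?)",
               [(1, "alice", "Cadillac"), (2, "bob", "Kia")])


class Forbidden(Exception):
    pass


def send_command_vulnerable(session_user, vehicle_id, command):
    # Trusts the client-supplied vehicle id outright: the logged-in user is
    # never compared with the row's owner, so any account can command any id.
    row = DB.execute("SELECT id FROM vehicles WHERE id = ?", (vehicle_id,)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return {"vehicle": row[0], "by": session_user, "command": command}


def send_command_hardened(session_user, vehicle_id, command):
    # Ownership is enforced inside the parameterized lookup, so request input
    # cannot alter the statement, and a non-owner receives the same 'not found'
    # as a nonexistent id, which gives no hint about which ids exist.
    row = DB.execute("SELECT id FROM vehicles WHERE id = ? AND owner = ?",
                     (vehicle_id, session_user)).fetchone()
    if row is None:
        raise Forbidden("not found")
    return {"vehicle": row[0], "by": session_user, "command": command}


def flag_enumeration(events):
    # Audit-log heuristic over (user, vehicle_id) command events: an account
    # that addresses ids it does not own is either a client bug or abuse.
    # Returns {user: set of foreign vehicle ids}.
    owned = {vid: owner for vid, owner in DB.execute("SELECT id, owner FROM vehicles")}
    foreign = defaultdict(set)
    for user, vid in events:
        if owned.get(vid) != user:
            foreign[user].add(vid)
    return dict(foreign)
```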

Jmaxxz says he warned Automobility and the US Computer Emergency Response Team of those vulnerabilities in February of this year. They were fixed over the next months. But he says he continued to find and report lingering SQL injection vulnerabilities in MyCar's code to MyCar's developer Automobility, some of which weren't fixed until just days before his Defcon talk. WIRED reached out to Automobility, who didn't immediately respond. A notice on the CERT website in April confirmed the vulnerability and included a statement from Automobility. "All the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue," the company wrote in the statement to CERT. "During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems."

The danger of those bugs, Jmaxxz argues, went beyond theft or remote alarm-triggering pranks. Remotely starting a car without the owner's knowledge could lead to dangerous carbon monoxide leaks, he points out. "If you start a car and it’s in a closed structure, you can end up in a situation where someone can die," Jmaxxz says.

Separately, Jmaxxz says he found in his probing of MyCar's database that it had also stored vastly more information about his girlfriend's car than he expected. Over just 13 days, it had collected 2,000 locations of the car. "That one offends me more than all the others," he says. "That’s not what I signed up for."

Even now that Automobility has fixed the bugs that Jmaxxz reported, he argues that it still represents a worst-case scenario of internet-of-things companies that don't carry out even basic security practices. "The problem is that these bugs shipped in the first place," he says. "In my opinion this should have come up in any kind of security testing."

Needless to say, Jmaxxz pulled the MyCar device out of his girlfriend's car earlier this year. He eventually built his own DIY solution, with code he says he'll make available on GitHub. The system, he says, will do just as good a job as MyCar at remotely warming up a car—and makes a better Christmas present than exposing her vehicle to an internet full of car thieves.
