Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hyundai Car Takeover via Mobile Interface - 1025

Sam Curry, posted 3 years ago
  • Most people focus on key fob attacks and similar techniques to break into a car. But what about the mobile and web side? If you can unlock a door over the web, that is just as serious a problem. Since the Hyundai app exposes door control, Sam's team started proxying the mobile application's traffic to see what it actually sent.
  • Below is the simple HTTP request that unlocks a car (note that the caller's identity arrives twice: in the token header and in the JSON body):
    POST /ac/v2/rcs/rdo/unlock HTTP/1.1
    Access_token: token
    
    {"userName":"EMAIL","vin":"VIN"}
    
  • The access token was a JWT with the account's email inside it. So why ask for the email again in the body if the server already had it in the JWT? Any attempt to use a different email than the one in the token was rejected. Sam's thought: what if the server could be tricked into parsing a victim's email from one input while the other still belonged to the attacker?
  • Let's fuzz! They started by fuzzing the registration page and learned two things: it placed almost no restrictions on the characters allowed in an email, and it required no email verification. While fuzzing, they noticed that appending a CRLF to the account email still produced a "valid" email that the backend treated as the original one!
  • For instance, victim@gmail.com%0d and victim@gmail.com were treated as the same account even though they were different strings. Registering the CRLF variant therefore gave a complete authorization bypass: anyone who knew a victim's email could unlock their car. Pretty neat!
  • Overall, an amazing find! Input validation is extremely important, and fuzzing is a great way to find strange bugs.
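To make the two failure modes in these notes concrete (lax registration, and an email comparison that normalizes before comparing while the lookup that follows does not), here is an added Python model written for this page; it is not code from Sam Curry's writeup or from Hyundai. It assumes a tiny in-memory vehicle table, an unlock handler that receives the JWT's email claim already signature-verified, and a hypothetical strict address regex; the victim email, VIN and the list of trailing bytes are constructed values. The fuzzer at the bottom replays the registration idea against both the vulnerable and the hardened handlers.

```python
import re

# Constructed fixture standing in for the vehicle database: owner email -> VINs.
# The email and VIN are invented values, not data from the original research.
VEHICLES = {"victim@gmail.com": {"VIN0000000000001"}}

# Trailing bytes a registration fuzzer would try; CR ("%0d") is the one from the writeup.
CONTROL_SUFFIXES = ["\r", "\n", "\r\n", " ", "\t"]

# Strict, printable-only address pattern (a hypothetical policy for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def register_vulnerable(email):
    """Lax registration: anything containing '@' is accepted and no verification mail is sent."""
    return "@" in email


def register_hardened(email):
    """Strict registration: the address must match EMAIL_RE exactly, so CR/LF/space are rejected."""
    return EMAIL_RE.fullmatch(email) is not None


def unlock_vulnerable(token_email, body):
    """Unlock handler with two sources of identity.

    token_email stands in for the email claim of an already verified JWT (signature
    checking is out of scope here). The comparison strips whitespace, so a token for
    'victim@gmail.com\\r' matches a body userName of 'victim@gmail.com', and the
    vehicle lookup then uses the body value, i.e. the victim's account.
    """
    if token_email.strip() != body["userName"].strip():
        return None
    if body["vin"] not in VEHICLES.get(body["userName"], set()):
        return None
    return f"unlocked {body['vin']}"


def unlock_hardened(token_email, body):
    """Unlock handler with a single source of identity.

    The body's userName is compared byte-for-byte to the token claim (no normalization),
    and the vehicle lookup uses the token claim, never the client-supplied value.
    """
    if body["userName"] != token_email:
        return None
    if body["vin"] not in VEHICLES.get(token_email, set()):
        return None
    return f"unlocked {body['vin']}"


def fuzz_registration(victim_email, vin, register, unlock):
    """Replay the fuzzing idea: which suffixes both register and unlock the victim's car?

    Returns repr() of each suffix that the registration accepts and that, used as the
    attacker's token email, still gets the unlock handler to act on victim_email.
    """
    hits = []
    for suffix in CONTROL_SUFFIXES:
        attacker_email = victim_email + suffix
        if not register(attacker_email):
            continue
        body = {"userName": victim_email, "vin": vin}
        if unlock(attacker_email, body) is not None:
            hits.append(repr(suffix))
    return hits


if __name__ == "__main__":
    for label, reg, unl in [("vulnerable", register_vulnerable, unlock_vulnerable),
                            ("hardened", register_hardened, unlock_hardened)]:
        hits = fuzz_registration("victim@gmail.com", "VIN0000000000001", reg, unl)
        print(f"{label}: suffixes that bypass authorization -> {hits}")
```

The vulnerable handler fails because identity arrives from two places and the code that reconciles them (strip() here) is more forgiving than the lookup that follows it. The hardened handler takes identity from the verified token only and treats the body field as something to reject on mismatch, never as something to trust, and the registration path stops the odd-looking account from ever existing.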