Hyundai app security blunder allowed crooks to 'steal victims' cars'
Remote locate, unlock, and start vehicles – using a fixed encryption key... ouch
Hyundai has patched its Blue Link smartphone app to stop it blabbing private info that could, it is claimed, be used to break into and steal people's cars.
The now-updated software, available for iOS and Android, leaked sensitive personal information about registered users and their vehicles, including usernames, passwords, PINs, and GPS location records.
Essentially, versions 3.9.4 and 3.9.5 of the app transmitted this private information back to Hyundai over plain old HTTP, albeit encrypted using the fixed key "1986l12Ov09e" – a key that can be easily extracted from the application's code. Any man-in-the-middle attacker eavesdropping on the app's network connections – such as by snooping on Wi-Fi traffic – can grab this data and decrypt it using the key. Hyundai seemingly collected this information as telemetry for its app usage.
After being alerted to the botched encryption in February, the South Korean automaker quietly updated its software to shut down the disclosures, and offered a new version, 3.9.6, to people's handsets in early March. Now that folks have had enough time to install the update, the independent security researchers who discovered the design blunder have gone public with their findings.
William Hatzer and Arjun Kumar warn, via Rapid7, that the vulnerabilities could be exploited to find, unlock, and start a victim's car.
The Blue Link software is available for Hyundai vehicles sold in the US from 2012 onwards. According to Rapid7, the vulnerable features were introduced in version 3.9.4 on December 8, 2016, and fixed by Hyundai on March 6, 2017 with the release of version 3.9.6, which halts data transmissions.
The automaker claims no vehicles were set upon by crooks exploiting the vulnerability. The biz told us in a statement:
Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue.
Hyundai released mandatory updates to the Android and Apple app stores that mitigated the potential effects of the vulnerability. The issue did not have a direct impact on vehicle safety. Hyundai is not aware of any customers being impacted by this potential vulnerability.
The privacy and security of our customers is of the utmost importance to Hyundai. Hyundai continuously seeks to improve its mobile application and system security.
The security research serves to illustrate that basic slip-ups – such as insecure or absent encryption and poor password handling – continue to bedevil connected-car and other IoT deployments. ®