Flawed Hyundai app could have helped hackers break into cars

Cleartext comms AND a hard-coded decryption password? There’s your problem!

David bisson
David Bisson
@

Flawed Hyundai app could have helped hackers break into cars

Hyundai has patched a vulnerability in its Blue Link application software that potentially exposed registered users’ sensitive information, and could have resulted in cars being broken into.

Will Hatzer and Arjun Kumar discovered the issue in version 3.9.4 of Blue Link, a “comprehensive safety and car care package” offered by the South Korean automobile manufacturer.

Registered users download Blue Link to their Android or iOS devices and can then use the mobile app to remotely start or unlock/lock their cars. They can also search destinations, schedule a service appointment, and call emergency roadside assistance via the app.

Sign up to our free newsletter.
Security news, advice, and tips.

https://youtu.be/5ea0ovL7cdc

So what’s the problem?

Versions 3.9.4 and 3.9.5 of Hyundai’s application software uploads logs to a static IP address over HTTP. Blue Link encrypts those logs, but using a symmetrical key “1986l12Ov09e” that’s hard-coded in the application.

Security firm Rapid7, which learned of the vulnerability from the discoverers back in February, clarifies how the flaw is a security issue:

“The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by standard man-in-the-middle (MitM) attack methods to trick a user into connecting to a WiFi network controlled by an attacker on the same network as the user. If this is achieved, an attacker would then watch for HTTP traffic directed at http://54.64.135.113:8080/LogManager/LogServlet, which includes the encrypted logfile with a filename that includes the user’s email address.”

Once decoded, those logs reveal an individual’s username, password, PIN, and GPS location data associated with the vehicle. This information, in turn, can allow an actor to remotely locate, unlock, and start the car.

Certainly not as widespread a problem as the Volkswagen issues disclosed in August 2016, but still serious for registered users!

Rapid7 reached out to Hyundai about the vulnerability in late February. In response to this disclosure, the car manufacturer released this statement to The Register:

“Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue.

“Hyundai released mandatory updates to the Android and Apple app stores that mitigated the potential effects of the vulnerability. The issue did not have a direct impact on vehicle safety. Hyundai is not aware of any customers being impacted by this potential vulnerability.

“The privacy and security of our customers is of the utmost importance to Hyundai. Hyundai continuously seeks to improve its mobile application and system security.”

To protect themselves against the flaw, Blue Link users should update their software to version 3.9.6, which was released by Hyundai in March 2017.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Flawed Hyundai app could have helped hackers break into cars”

  1. Mark Jacobs

    Does version 3.9.6 use https?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.