Hyundai ‘Blue Link’ Vulnerability Allows Thieves To Start Cars Remotely (Update: Hyundai's Statement)

Researchers Will Hatzer and Arjun Kumar from enterprise security company Rapid7 uncovered a vulnerability in Hyundai’s “Blue Link” application that would have allowed car thieves to remotely start Hyundai vehicles.

Hyundai’s Blue Link mobile application allows customers to remotely lock, unlock, start, and stop the air conditioning, and even remotely start the car itself. Due to a recent bug, introduced in version 3.9.4 of the app on December 8, 2016, and a reliance on cleartext over encrypted communications, sensitive customer information such as usernames and passwords could have been stolen by malicious hackers.

The application would upload a log of the customer information to Hyundai’s servers over unencrypted HTTP. The log itself would be encrypted with symmetric encryption, using the string “1986l12Ov09e” as the hardcoded decryption password. The password could not be modified by the user.

Once the attackers could obtain the hardcoded password and the log, via man-in-the-middle attacks or non-secure Wi-Fi connections, they could use the information in it to remotely unlock and start Hyundai cars (2012 and newer).

The attack can’t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker. However, this could still be an effective enough attack for more sophisticated car thieves that set up malicious Wi-Fi hotspots next to parking places and wait for Hyundai car owners to take the bait and use their Wi-Fi hotspots.

As Hyundai has already been notified by the two security researchers, it said that it fixed the vulnerability in version 3.9.6 of the software by removing the log feature. Hyundai owners will need to update their Blue Link apps immediately to the latest version, which is available in both the Google Play Store and Apple’s App Store.

Non-Secure By Design?

In previous posts on car security, we’ve pointed out that modern “connected cars,” and even more so the self-driving cars of the future, need to treat security much more seriously. If possible, car security should be considered (or reconsidered) from the ground up.

Self-driving cars’ controls will essentially be “all software,” which means we can expect many of the same types of vulnerabilities we see on PCs and smartphones to affect future cars as well. A self-driving car is not a place where we can accept a compromise on security, due to the fact that a hack could also mean a loss of life.

Using hardcoded passwords and cleartext communications at the time when even small websites can use free HTTPS encryption tells us that Hyundai is one of the companies that doesn't take security as seriously as it said it does in previous statements.

As we’ve seen before, Hyundai is not the only car company to have made embarrassing security blunders in the past few years. However, with self-driving cars already on the roadmap, and soon on roadways, there isn’t any time left to waste when it comes to strengthening the security of these cars. Cars makers need to design and develop every new software feature for a self-driving car in a way that promises maximum security with no compromises.

Updated, 4/27/2017, 8:10am PT: Hyundai Motor America sent Tom's Hardware an official statement about the discovery of the Blue Link vulnerability:

Hyundai Motor America (Hyundai) was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue.Within three days, Hyundai released mandatory updates to the Android and Apple app stores that mitigated the potential effects of the vulnerability. The issue did not have a direct impact on vehicle safety. Hyundai is not aware of any customers being impacted by this potential vulnerability.The privacy and security of our customers is of the utmost importance to Hyundai. Hyundai continuously seeks to improve its mobile application and system security.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • ddpruitt
    Just another reason not to buy Hyundai. Can't build cars can't build software.
  • You can start the car, doesn't mean you can drive it.
  • hannibal
    And so it begins... Soon this will be epidemic in all cars that have been made after year 1970...
  • hellwig
    There's an even bigger security risk. Did you know Hyundai makes their windows out of a fragile silicon-based GLASS? You don't even need fancy hacking tools, you can break into most Hyundai's with something as primitive as a rock. This affects ALL MODEL YEARS, yet, hasn't been covered by any news outlets to date.

    Seriously though, this is only going to get more common as the "Internet of Things" expands. Not a week goes by where something that doesn't really need to be connected to the internet, but is, is hacked.
  • jimmysmitty
    19614431 said:
    You can start the car, doesn't mean you can drive it.

    That is correct. While you can remote start the car and lock/unlock it with a phone application the car still requires the key fob to be inside the vehicle to drive.

    Instead of adding a remote start to the key fob they set it up through a "OnStar" like system using the phone but it still follows the rules of any car that uses a remote start system, the key fob or key still needs to be present in the system for it to do anything more than idle for 10 minutes.

    However, it is a pretty big security flaw and needs to be addressed and fixed ASAP. At minimum that key should be encrypted with 256bit encryption.
  • captaincharisma
    19614340 said:
    Just another reason not to buy Hyundai. Can't build cars can't build software.

    they're still more reliable vehicles then any made by the US automakers

  • dogofwars
    Should use software like signal to use in their cars.
  • redgarl
    If you think this will only affect Hyundai, you are mistaken. It will be a huge issue for car manufacturers since they are not software developers.
  • hst101rox
    Car manufactures are software developers with all the ECUs in modern cars and an electric vehicle wing in many. Though not educated enough with security though.
  • hst101rox
    How would they get that hardcoded password? Brute force, or is it the same password for every Hyundai user 1986l12Ov09e?