Researchers Will Hatzer and Arjun Kumar from enterprise security company Rapid7 uncovered a vulnerability in Hyundai’s “Blue Link” application that would have allowed car thieves to remotely start Hyundai vehicles.
Blue Link Application
Hyundai’s Blue Link mobile application allows customers to remotely lock, unlock, start, and stop the air conditioning, and even remotely start the car itself. Due to a recent bug, introduced in version 3.9.4 of the app on December 8, 2016, and a reliance on cleartext over encrypted communications, sensitive customer information such as usernames and passwords could have been stolen by malicious hackers.
The application would upload a log of the customer information to Hyundai’s servers over unencrypted HTTP. The log itself would be encrypted with symmetric encryption, using the string “1986l12Ov09e” as the hardcoded decryption password. The password could not be modified by the user.
Once the attackers could obtain the hardcoded password and the log, via man-in-the-middle attacks or non-secure Wi-Fi connections, they could use the information in it to remotely unlock and start Hyundai cars (2012 and newer).
The attack can’t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker. However, this could still be an effective enough attack for more sophisticated car thieves that set up malicious Wi-Fi hotspots next to parking places and wait for Hyundai car owners to take the bait and use their Wi-Fi hotspots.
As Hyundai has already been notified by the two security researchers, it said that it fixed the vulnerability in version 3.9.6 of the software by removing the log feature. Hyundai owners will need to update their Blue Link apps immediately to the latest version, which is available in both the Google Play Store and Apple’s App Store.
Non-Secure By Design?
In previous posts on car security, we’ve pointed out that modern “connected cars,” and even more so the self-driving cars of the future, need to treat security much more seriously. If possible, car security should be considered (or reconsidered) from the ground up.
Self-driving cars’ controls will essentially be “all software,” which means we can expect many of the same types of vulnerabilities we see on PCs and smartphones to affect future cars as well. A self-driving car is not a place where we can accept a compromise on security, due to the fact that a hack could also mean a loss of life.
Using hardcoded passwords and cleartext communications at the time when even small websites can use free HTTPS encryption tells us that Hyundai is one of the companies that doesn't take security as seriously as it said it does in previous statements.
As we’ve seen before, Hyundai is not the only car company to have made embarrassing security blunders in the past few years. However, with self-driving cars already on the roadmap, and soon on roadways, there isn’t any time left to waste when it comes to strengthening the security of these cars. Cars makers need to design and develop every new software feature for a self-driving car in a way that promises maximum security with no compromises.
Updated, 4/27/2017, 8:10am PT: Hyundai Motor America sent Tom's Hardware an official statement about the discovery of the Blue Link vulnerability:
Hyundai Motor America (Hyundai) was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue.
Within three days, Hyundai released mandatory updates to the Android and Apple app stores that mitigated the potential effects of the vulnerability. The issue did not have a direct impact on vehicle safety. Hyundai is not aware of any customers being impacted by this potential vulnerability.
The privacy and security of our customers is of the utmost importance to Hyundai. Hyundai continuously seeks to improve its mobile application and system security.