Hyundai?s Blue Link mobile application allows customers to remotely lock, unlock, start, and stop the air conditioning, and even remotely start the car itself. Due to a recent bug, introduced in version 3.9.4 of the app on December 8, 2016, and a reliance on cleartext over encrypted communications, sensitive customer information such as usernames and passwords could have been stolen by malicious hackers.
The application would upload a log of the customer information to Hyundai?s servers over unencrypted HTTP. The log itself would be encrypted with symmetric encryption, using the string ?1986l12Ov09e? as the hardcoded decryption password. The password could not be modified by the user.
Once the attackers could obtain the hardcoded password and the log, via man-in-the-middle attacks or non-secure Wi-Fi connections, they could use the information in it to remotely unlock and start Hyundai cars (2012 and newer).
The attack can?t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker. However, this could still be an effective enough attack for more sophisticated car thieves that set up malicious Wi-Fi hotspots next to parking places and wait for Hyundai car owners to take the bait and use their Wi-Fi hotspots.
As Hyundai has already been notified by the two security researchers, it said that it fixed the vulnerability in version 3.9.6 of the software by removing the log feature. Hyundai owners will need to update their Blue Link apps immediately to the latest version, which is available in both the Google Play Store and Apple?s App Store.
Reply With Quote
Bookmarks