Follow
Subscribe

Hyundai Patches Vulnerable Blue Link Smart Car App

Home > News > Content

【Summary】In the event of a “man-in-the-middle” attack, a hacker could snoop or “intercept” data from the smartphone, capture the key and decrypt the log files. With this information, a hacker could log into the app and exploit its features without limits.

Michael Cheng    May 04, 2017 4:51 AM PT
Hyundai Patches Vulnerable Blue Link Smart Car App

The Internet-of-Things (IoT) space has been the victim of numerous blunders, due businesses overlooking best security practices when releasing their products. But it's not always the developer's fault, as consumers who fail to secure their personal network also play a salient role in successful hacks and exploitations by criminals.

In the arena of smart car apps, Hyundai is the latest company to succumb to loosely implemented encryption practices. The automaker's Blue Link smart phone app was recently plagued by a notorious flaw that allowed sensitive user data to leak out into the hands of hackers.

"Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue," said the company in a statement.

Read on to learn about this crippling vulnerability and how Hyundai developers addressed and fixed the issue.

Failed Encryption

The vulnerability was discovered by Will Hatzer and Arjun Kumar from Rapid7, a company that specializes in enterprise security. The bug entered the app during the release of version 3.9.4 in December 8, 2016. Hyundai developers added a functionality that sends log files to a remote server. Unfortunately, the only thing keeping the log file secure was an encrypted static key that was shared by customers (the same key was being used by all of its users). Developers did not clarify why the server connection was not encrypted with HTTPS.

The hardcoded "password" for decryption (key) was 1986l12Ov09e, under a file named C1951e.java. This could not be changed by consumers using the Blue Link mobile service. Furthermore, the key could easily be extracted by downloading the app and sifting through its backend contents. In the event of a "man-in-the-middle" attack, a hacker could snoop or "intercept" data from the smartphone, capture the key and decrypt the log files.

What's in the Log Files?

A log file is a record of actions executed by the user and/or application. Developers use the file to analyze a customer's behavior when using the app. In Blue Link's case, the log file contains the customer's username, password, location data (GPS) and personal settings. With this information, a hacker could log into the app and exploit its features without limits. The app allows you to unlock the vehicle and remote start from a manageable distance.

Hyundai fixed this devastating flaw on March 6, 2017, roughly four months after it surfaced, via an app update to version 3.9.6 (version 3.9.5 was also vulnerable). The automaker opted to quietly patch up the bug, instead of publicly making a big deal out of it. The new version does not have the log feature. Security researchers from Rapid7 waited until the car manufacturer addressed the issue before releasing their findings to the public.

"What's changed is not just the presence of all that hackable software, but the volume and variety of remote attack surfaces added to more recent vehicles," said Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative.

Prev                  Next
Writer's other posts
Comments:
    Related Content