Hyundai Patches Vulnerable Blue Link Smart Car App
【Summary】In the event of a “man-in-the-middle” attack, a hacker could snoop or “intercept” data from the smartphone, capture the key and decrypt the log files. With this information, a hacker could log into the app and exploit its features without limits.
The Internet-of-Things (IoT) space has been the victim of numerous blunders, due to businesses overlooking best security practices when releasing their products. But it's not always the developer's fault, as consumers who fail to secure their personal network also play a salient role in successful hacks and exploitations by criminals.
In the arena of smart car apps, Hyundai is the latest company to succumb to loosely implemented encryption practices. The automaker's Blue Link smart phone app was recently plagued by a notorious flaw that allowed sensitive user data to leak out into the hands of hackers.
"Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue," said the company in a statement.
Read on to learn about this crippling vulnerability and how Hyundai developers addressed and fixed the issue.
The vulnerability was discovered by Will Hatzer and Arjun Kumar from Rapid7, a company that specializes in enterprise security. The bug entered the app with the release of version 3.9.4 on December 8, 2016. Hyundai developers added a functionality that sends log files to a remote server. Unfortunately, the only thing keeping the log file secure was a static encryption key shared by all customers (the same key was being used by every user of the app). Developers did not clarify why the server connection was not encrypted with HTTPS.
The hardcoded "password" for decryption (the key) was 1986l12Ov09e, stored in a file named C1951e.java. This could not be changed by consumers using the Blue Link mobile service. Furthermore, the key could easily be extracted by downloading the app and sifting through its contents. In the event of a "man-in-the-middle" attack, a hacker could snoop on or "intercept" data from the smartphone, capture the key and decrypt the log files.
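As an added example (not code from the article, Hyundai or Rapid7), here is a small Python check an app reviewer could run over decompiled Android sources before release to flag the two patterns described above: a string constant used directly as a SecretKeySpec key, and a log endpoint that uses plain http:// instead of HTTPS. The sample sources, the placeholder key value and the URL are constructed; only the file name C1951e.java is taken from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed decompiled-source samples shaped like the flaw the article describes.
# Key value and URL are placeholders; SafeKeys is a negative control (key in the OS keystore).
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/app/C1951e.java": """
        import javax.crypto.spec.SecretKeySpec;
        public class C1951e {
            private static final String KEY = "PLACEHOLDER_STATIC_KEY";
            static SecretKeySpec logKey() {
                return new SecretKeySpec(KEY.getBytes(), "AES");
            }
        }""",
    "com/example/app/LogUploader.java": """
        public class LogUploader {
            static final String ENDPOINT = "http://logs.example.invalid/upload";
        }""",
    "com/example/app/SafeKeys.java": """
        public class SafeKeys {  // key never leaves AndroidKeyStore: nothing to extract
            static java.security.Key load(java.security.KeyStore ks) throws Exception {
                return ks.getKey("log-key", null);
            }
        }""",
}

@dataclass
class Finding:
    path: str
    kind: str    # "hardcoded_key" or "cleartext_http"
    detail: str

STRING_CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
KEYSPEC_CALL = re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:"([^"]*)"|(\w+))')
HTTP_URL = re.compile(r'"(http://[^"]+)"')

def scan(sources: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, src in sources.items():
        consts = dict(STRING_CONST.findall(src))   # constant name -> string literal
        for literal, name in KEYSPEC_CALL.findall(src):
            if literal:                             # key typed straight into the call
                findings.append(Finding(path, "hardcoded_key", f'literal "{literal}"'))
            elif name in consts:                    # key comes from a static String
                findings.append(Finding(path, "hardcoded_key", f"constant {name}"))
        for url in HTTP_URL.findall(src):           # upload endpoint without TLS
            findings.append(Finding(path, "cleartext_http", url))
    return findings
```

A key that a scanner like this can pull out of the APK is a key every user shares, so any one customer's log can be read by anyone holding the app; a key generated per device inside the OS keystore has no string constant to find.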
What's in the Log Files?
A log file is a record of actions executed by the user and/or application. Developers use the file to analyze a customer's behavior when using the app. In Blue Link's case, the log file contains the customer's username, password, location data (GPS) and personal settings. With this information, a hacker could log into the app and exploit its features without limits. The app allows you to unlock the vehicle and remote start from a manageable distance.
Hyundai fixed this devastating flaw on March 6, 2017, roughly four months after it surfaced, via an app update to version 3.9.6 (version 3.9.5 was also vulnerable). The automaker opted to quietly patch up the bug, instead of publicly making a big deal out of it. The new version does not have the log feature. Security researchers from Rapid7 waited until the car manufacturer addressed the issue before releasing their findings to the public.
"What's changed is not just the presence of all that hackable software, but the volume and variety of remote attack surfaces added to more recent vehicles," said Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative.
Michael Cheng is a legal editor and technical writer with publications for Blackberry, ISHN Magazine, Houzz and Payment Week. He specializes in technology, business and digesting hard data. Outside of work, Michael likes to train for marathons, spend time with his daughter and explore new places.