Hyundai Patches Vulnerable Blue Link Smart Car App
【Summary】In the event of a “man-in-the-middle” attack, a hacker could snoop or “intercept” data from the smartphone, capture the key and decrypt the log files. With this information, a hacker could log into the app and exploit its features without limits.
The Internet-of-Things (IoT) space has been the victim of numerous blunders, due to businesses overlooking best security practices when releasing their products. But it's not always the developer's fault: consumers who fail to secure their personal networks also play a salient role in successful hacks and exploitations by criminals.
In the arena of smart car apps, Hyundai is the latest company to succumb to loosely implemented encryption practices. The automaker's Blue Link smartphone app was recently plagued by a notorious flaw that allowed sensitive user data to leak into the hands of hackers.
"Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by security researchers. Upon learning of this vulnerability, Hyundai promptly launched an investigation to validate the research and took immediate steps to remediate the issue," said the company in a statement.
Read on to learn about this crippling vulnerability and how Hyundai developers addressed and fixed the issue.
The vulnerability was discovered by Will Hatzer and Arjun Kumar from Rapid7, a company that specializes in enterprise security. The bug entered the app with the release of version 3.9.4 on December 8, 2016, when Hyundai developers added functionality that sends log files to a remote server. Unfortunately, the only thing keeping the log files secure was a static encryption key shared by all customers (the same key was used by every user). Developers did not clarify why the server connection was not encrypted with HTTPS.
The hardcoded "password" for decryption (the key) was 1986l12Ov09e, stored in a file named C1951e.java. It could not be changed by consumers using the Blue Link mobile service. Furthermore, the key could easily be extracted by downloading the app and sifting through its contents. In the event of a "man-in-the-middle" attack, a hacker could snoop on or "intercept" data from the smartphone, capture the key and decrypt the log files.
What's in the Log Files?
A log file is a record of actions executed by the user and/or application. Developers use the file to analyze a customer's behavior when using the app. In Blue Link's case, the log file contained the customer's username, password, location data (GPS) and personal settings. With this information, a hacker could log into the app and exploit its features without limits: the app allows the user to unlock the vehicle and remote-start it from a manageable distance.
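The three root causes described above (one key shared by every user, credentials and GPS coordinates written into the logs, and an upload channel without HTTPS) can each be addressed on the client before a log ever leaves the phone. The following is an added example, not Hyundai's or Rapid7's code; it assumes a JSON-like log record and a hypothetical upload endpoint, and shows a redaction pass that strips credentials and location data together with a check that refuses any non-HTTPS upload URL.

```python
import re
from typing import Any
from urllib.parse import urlparse

# Field names that must never leave the device in a diagnostic log. Constructed
# for this example; covers the data the article says the Blue Link logs held
# (username, password, GPS location).
SENSITIVE_KEYS = re.compile(
    r"pass(word|wd)?|pwd|secret|token|user(name)?|email|lat(itude)?|lon(gitude)?|gps",
    re.IGNORECASE,
)
REDACTED = "[REDACTED]"

def redact(record: Any) -> Any:
    """Return a copy of a log record with sensitive fields replaced.
    Walks nested dicts and lists so a credential buried in a sub-object is still
    caught; keys are matched by name. The input object is left unmodified."""
    if isinstance(record, dict):
        return {
            k: (REDACTED if SENSITIVE_KEYS.search(str(k)) else redact(v))
            for k, v in record.items()
        }
    if isinstance(record, list):
        return [redact(v) for v in record]
    return record

def check_upload_url(url: str) -> bool:
    """Accept a log upload endpoint only if it uses TLS and names a host.
    A static key baked into the app gives no confidentiality on the wire (anyone
    who extracts it can decrypt every user's logs), so the transport itself must
    authenticate the server and encrypt the data."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def prepare_upload(record: dict, url: str) -> dict:
    """Apply both controls; refuse to ship logs over an insecure endpoint."""
    if not check_upload_url(url):
        raise ValueError(f"refusing to upload logs over insecure endpoint: {url}")
    return redact(record)

# Constructed sample event (hypothetical; not a real Blue Link log entry).
SAMPLE_EVENT = {
    "event": "remote_start",
    "username": "driver@example.com",
    "password": "hunter2",
    "vehicle": {"vin": "VIN-PLACEHOLDER", "gps": {"lat": 37.77, "lon": -122.41}},
    "settings": {"units": "imperial"},
}
```

Matching on key names deliberately errs toward over-redaction; a field the analytics team genuinely needs can be allow-listed explicitly rather than weakening the pattern.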
Hyundai fixed this devastating flaw on March 6, 2017, roughly four months after it surfaced, via an app update to version 3.9.6 (version 3.9.5 was also vulnerable). The automaker opted to quietly patch the bug instead of publicly making a big deal out of it. The new version does not have the log feature. Security researchers from Rapid7 waited until the car manufacturer addressed the issue before releasing their findings to the public.
"What's changed is not just the presence of all that hackable software, but the volume and variety of remote attack surfaces added to more recent vehicles," said Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative.
Michael Cheng is a legal editor and technical writer with publications for Blackberry, ISHN Magazine, Houzz and Payment Week. He specializes in technology, business and digesting hard data. Outside of work, Michael likes to train for marathons, spend time with his daughter and explore new places.