Connected car woes continue to plague the automotive industry, as evidenced by the latest flaws, found in versions 3.9.4 and 3.9.5 of the Hyundai Blue Link mobile application, that would allow an attacker to remotely locate, unlock and start the car.
The Blue Link app is compatible with 2012 and newer Hyundai vehicles and allows drivers to use their phones for remote start, location services, unlocking and locking associated automobiles and other features. According to Rapid7 researchers Will Hatzer and Arjun Kumar, the issues also allow access to logs that contain personal information, including the user's username, password, PIN and historical GPS data about the vehicle's location.
“Due to a reliance on cleartext communications and the use of a hard-coded decryption password, two outdated versions…potentially expose sensitive information about registered users and their vehicles,” they explained in an analysis. “[These] versions of Hyundai Blue Link mobile application upload application logs to a static IP address over HTTP on port 8080. The log is encrypted using a symmetrical key…which is defined in the Blue Link application and cannot be modified by the user.”
The potential data exposure can be exploited one user at a time via passive listening on insecure Wi-Fi, or by standard man-in-the-middle (MitM) attack methods to trick a user into connecting to a Wi-Fi network controlled by an attacker on the same network as the user. The good news is that it would be difficult to conduct the attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to the vendor's service instance.
Upon learning of the vulnerability, Hyundai Motor America (HMA) launched an investigation to validate the research and took immediate steps to further secure the application. As of March, Hyundai has updated the software to the release of version 3.9.6, which fixes the problems. The update is in both the standard Android and Apple app stores.
“The privacy and security of our customers is of the utmost importance to HMA,” the company said in a statement. “HMA continuously seeks to improve its mobile application and system security. As a member of the Automotive Information Sharing Analysis Center (Auto-ISAC), HMA values security information sharing and thanks Rapid7 for its report.”