Hyundai has patched a security flaw in the Blue Link mobile application that exposed sensitive information, which hackers could have used to track down, unlock, and start Hyundai cars.
Rapid7 security researchers Will Hatzer and Arjun Kumar discovered the flaw in early February and informed Hyundai about the catastrophic bug, which the company had introduced in version 3.9.4 of the Blue Link app.
The company issued a fix a month later, on March 6, with the release of Hyundai Blue Link v3.9.6. Researchers went public with their findings after they gave Hyundai customers enough time to update their mobile app.
The Department of Homeland Security’s ICS-CERT also issued an alert last week. If you’re one of the Hyundai car owners still using Blue Link versions 3.9.4 and 3.9.5, it’s advised you set time aside and update the app as soon as possible.
Hyundai used identical hardcoded encryption key
According to Hatzer and Kumar, the vulnerable versions of the Blue Link app upload application logs to a remote server at various times of the day.
This upload operation takes place via HTTP, but the log data is encrypted on the phone. The problem, researchers say, is that the app stores the encryption key in the app’s source code, in a file named C1951e.java. As if this wasn’t bad enough, the password is the same for all Blue Link users: 1986l12Ov09e.
An attacker can extract this password and then use it to decrypt the logs uploaded to Hyundai’s servers. The data inside these logs includes details such as a user’s username, password, PIN, and historical GPS data.
An attacker could use the user’s username and password to break into the user’s account, and the PIN to link his app to the target’s Hyundai car. The attacker can then use the app to unlock the car’s doors and start its engine.
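A check a build pipeline could run to catch the pattern described above, a key stored as a string in Java source. This is an added example, not code from Rapid7 or Hyundai. It assumes the key reaches `SecretKeySpec` or `PBEKeySpec` (the article does not say which API the app used), and both Java samples are constructed.

```python
import re

# Standard javax.crypto.spec constructors whose first argument is key or
# password material (assumption: the article does not name the API used).
KEY_SINKS = r'new\s+(?:SecretKeySpec|PBEKeySpec)\s*\('
STRING_CONST = re.compile(r'\bstatic\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
LITERAL_ARG = re.compile(KEY_SINKS + r'\s*"([^"]*)"')
NAMED_ARG = re.compile(KEY_SINKS + r'\s*(\w+)\s*\.')

# Constructed sample: the same key ships inside every copy of the app.
SAMPLE_VULNERABLE = '''\
class LogCrypto {
    private static final String K = "constructed-sample-key";
    SecretKeySpec fromConstant() throws Exception {
        return new SecretKeySpec(K.getBytes("UTF-8"), "AES");
    }
    SecretKeySpec inline() {
        return new SecretKeySpec("another-constructed-key".getBytes(), "AES");
    }
}
'''

# Constructed sample: a per-device key fetched from the Android Keystore.
SAMPLE_HARDENED = '''\
class LogCrypto {
    SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return (SecretKey) ks.getKey("log-key", null);
    }
}
'''


def find_hardcoded_keys(java_source, filename="<memory>"):
    """Return (filename, line_no, reason) for each key built from a literal."""
    constants = {m.group(1) for m in STRING_CONST.finditer(java_source)}
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        if LITERAL_ARG.search(line):
            findings.append((filename, line_no, "string literal used as key"))
            continue
        m = NAMED_ARG.search(line)
        if m and m.group(1) in constants:
            findings.append((filename, line_no, f"constant {m.group(1)} used as key"))
    return findings

if __name__ == "__main__":
    print(find_hardcoded_keys(SAMPLE_VULNERABLE, "LogCrypto.java"))
```

The check only sees literals and string constants declared in the same file; keys assembled from several fragments or loaded from bundled resources need a data-flow analyzer.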
Hack is not as straightforward as it sounds
The catch for an attacker is that they would first need to compromise the same WiFi network the user’s phone is on in order to sniff the local network for the log upload operation.
Nonetheless, car thieves can identify Hyundai car owners and follow them around until they connect to a public WiFi network, at which point they could wait for the app to upload its encrypted logs.