A Weakness Left Hyundai Vehicles Exposed to Tech-savvy Thieves

Matt Posky
by Matt Posky
a weakness left hyundai vehicles exposed to tech savvy thieves

The cyber security firm Rapid7 recently recently informed the Hyundai Motor Company that its Blue Link smartphone application might be exposing its customers to an unsavory element — serving up another reminder that convenience frequently comes at a cost.

Software vulnerabilities in the app allowed Blue Link-equipped vehicles to be unlocked and even started remotely, making them susceptible to theft from high-tech criminals for a period of three months until the company finally fixed the bug in March. Hyundai says that is is unaware of any mishaps stemming from the issue.

“The issue did not have a direct impact on vehicle safety,” said Jim Trainor, a spokesman for Hyundai Motor America. “Hyundai is not aware of any customers being impacted by this potential vulnerability.”

Before anyone flies off the handle to go on an anti-technology rant, remember that low-tech solutions remain the car thief’s primary weapons of choice. While some thieves are using key programmers and plugging into diagnostic ports before driving away, the $9 slim jim and screwdriver method still work just fine on plenty of vehicles. Computer-based crime is just one of many ways to accomplish the same goal.

Still, in the case of the Hyundai bug, the car isn’t the only thing that’s up for grabs. Personal information could also be accessed by thieves. Of course, this has less to do with the car and more to do with additional steps needed to exploit the Blue Link app. Would-be victims need to have accessed a corrupted Wi-Fi network via their phone.

“With the [decryption] key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application,” explained Tod Beardsley, Rapid7 principal security research manager. “From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”

This mode of hacking is impractical in most parts of the country, though identity thieves in dense urban areas have frequently used the technique to pilfer sensitive information in the past. It would certainly be possible to steal a car in this manner, but it might not be worth the added effort.

That makes this less of a cautionary tale and more of a reminder that newer cars have a multitude of access points for potential thieves to exploit. In 2015 General Motors patched a bug that permitted remote access to some of its OnStar-equipped vehicles and Fiat Chrysler recalled 1.4 million units after two researchers, working with Wired, proved it was possible to gain remote control of a Jeep. Those researchers even managed to disable it as it drove down a highway.

Rapid7 privately disclosed the vulnerability to Hyundai in February, and it has since been fixed by removing the affected LogManager log transmission feature entirely. Hyundai also disabled the TCP service that received the encrypted log data and a file with the user’s email address. The update, Rapid7 said, was marked mandatory in both Google Play and the iPhone’s App Store.

“We talked to Hyundai and they have been great. They patched the software to remove the log dump functionality completely,” Beardsley explained. “We were expecting HTTPS with certificate pinning, something like that, but they ripped it out entirely and shut down the log service entirely. So if an app missed an update, it doesn’t matter because it fails to connect now.”

[Source: Reuters] [Image: Hyundai]

Comments
Join the conversation
4 of 7 comments
  • Newenthusiast Newenthusiast on Apr 25, 2017

    I have come to the conclusion that I must be a luddite or a curmudgeon or both. Between stories like this and the accident statistics that show the toll (in lives) that distracted driving takes, it only makes sense to continue to keep my phone off when I drive. Unless I'm expected an absolute emergency phone call, nothing is more important than road safety when I'm behind the wheel. So, help me out: Do that many people have the combination of work issued phones or work on the road and a terrible boss that they fear not answering a call or text? It seems like using a phone (and its associated tech needed to make it work with your car) while driving is all risk, and no reward.

    • See 1 previous
    • Newenthusiast Newenthusiast on Apr 26, 2017

      @Domestic Hearse Well, I don't want to receive calls and texts while I drive. I really don't. I realize that I am in the minority on this. My kid's don't have phones. I certainly wouldn't want a text displayed or read out loud either. If nothing else, it would interrupt my music. I am familiar with Bluetooth, as I always have to pair my wife's phone to rentals on vacation. It's not worth fighting with her over this issue. Although, to be fair, there have only been a handful of times in our marriage where she has HAD to take a call while she was driving, all work or family health related things. And even then, sometimes, she asks to call them back in the interest of discretion since I or the kids are in the car and, for work, it may be privileged info. Despite Bluetooth's best attempts, I still just feel that having a phone conversation while driving is one more thing taking your focus off of the road. I think a text would be even more difficult. But what I was REALLY criticizing here are the newer systems that link and display your actual phone on the screen, giving you access to apps and email and stuff, all with a touchscreen. Which means you are looking away from the road and taking your hands off of the wheel to operate what are, in most cases if I had to guess, non-emergency and non-essential things. So, I stand by my statement...increases risk with no reward. The world won't end if a driver misses a call or text.

  • Whisperquiet Whisperquiet on Apr 25, 2017

    This^^^^^^^^^^^........

  • Lou_BC ERay? A southern model will be the BillyRay.
  • Lou_BC I've never used a car buying plan service. My Costco membership did get me 1,000 cash back on my last truck.
  • Jeff S I can understand 8 cars is a bit much unless you are a serious collector. I always loved the Challenger when it first came out and now. I don't need a car like this but I am glad it exists at least for 1 more year. If I had a choice between a Mustang, a Camaro, and a Challenger I would opt for a Challenger but probably with a V-6 since it has more than enough power for most and I don't need to be burning rubber. Challenger has the classic muscle car looks, more cabin room, and a decent size trunk which makes it very livable for day to day driving and for traveling. The base models of the Dodge Challenger has a 3.6-liter V6 engine that gives you 305 horsepower with 268 lb-ft torque. The car attains 60 mph from a standstill within just 6 seconds, which is quite fast. Even with their base engines, the Challenger and Camaro are lightning-fast. The Camaro reaches 165 mph, while the Challenger can go up to 11 mph faster!
  • Inside Looking Out I would avoid American cities if I can. European cities are created for humans and Americans for cars.
  • Inside Looking Out I used True car once in 2014 and got a great deal. The difference is that you do nothing but dealers call you. No haggling but you can get the same deal browsing inventories on dealers websites. It just matter of convenience, Rich people delegate job to someone else because time costs more.
Next