By on April 25, 2017

Hyundai Blue Link Gen. 2 - Sonata

The cybersecurity firm Rapid7 recently informed the Hyundai Motor Company that its Blue Link smartphone application might be exposing its customers to an unsavory element — serving up another reminder that convenience frequently comes at a cost.

Software vulnerabilities in the app allowed Blue Link-equipped vehicles to be unlocked and even started remotely, making them susceptible to theft by high-tech criminals for a period of three months until the company finally fixed the bug in March. Hyundai says that it is unaware of any mishaps stemming from the issue.

“The issue did not have a direct impact on vehicle safety,” said Jim Trainor, a spokesman for Hyundai Motor America. “Hyundai is not aware of any customers being impacted by this potential vulnerability.”

Before anyone flies off the handle to go on an anti-technology rant, remember that low-tech solutions remain the car thief’s primary weapons of choice. While some thieves are using key programmers and plugging into diagnostic ports before driving away, the $9 slim jim and screwdriver method still work just fine on plenty of vehicles. Computer-based crime is just one of many ways to accomplish the same goal.

Still, in the case of the Hyundai bug, the car isn’t the only thing that’s up for grabs. Personal information could also be accessed by thieves. Of course, this has less to do with the car and more to do with additional steps needed to exploit the Blue Link app. Would-be victims need to have accessed a corrupted Wi-Fi network via their phone.

“With the [decryption] key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application,” explained Tod Beardsley, Rapid7 principal security research manager. “From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”

This mode of hacking is impractical in most parts of the country, though identity thieves in dense urban areas have frequently used the technique to pilfer sensitive information in the past. It would certainly be possible to steal a car in this manner, but it might not be worth the added effort.

That makes this less of a cautionary tale and more of a reminder that newer cars have a multitude of access points for potential thieves to exploit. In 2015 General Motors patched a bug that permitted remote access to some of its OnStar-equipped vehicles and Fiat Chrysler recalled 1.4 million units after two researchers, working with Wired, proved it was possible to gain remote control of a Jeep. Those researchers even managed to disable it as it drove down a highway.

Rapid7 privately disclosed the vulnerability to Hyundai in February, and it has since been fixed by removing the affected LogManager log transmission feature entirely. Hyundai also disabled the TCP service that received the encrypted log data and a file with the user’s email address. The update, Rapid7 said, was marked mandatory in both Google Play and the iPhone’s App Store.

“We talked to Hyundai and they have been great. They patched the software to remove the log dump functionality completely,” Beardsley explained. “We were expecting HTTPS with certificate pinning, something like that, but they ripped it out entirely and shut down the log service entirely. So if an app missed an update, it doesn’t matter because it fails to connect now.”
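As an added illustration of the HTTPS-with-certificate-pinning remedy Beardsley says he expected (example code written for this page, not Hyundai's or Rapid7's), the client below refuses to send anything unless the server's certificate matches a pin the app shipped with. The pin value and hostname are placeholders, and the pin set and `PinnedHTTPSConnection` class are assumptions of this example.

```python
import hashlib
import http.client
import ssl

# Constructed placeholder: a real pin is the SHA-256 of the operator's own
# DER-encoded server certificate, baked into the app at build time.
PINNED_CERT_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if the certificate's fingerprint is in the pin set."""
    return cert_fingerprint(der_cert) in set(pins)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that aborts unless the peer certificate is pinned.

    Normal chain and hostname validation still happens through the default
    SSLContext; the pin is an extra check on top, so a rogue hotspot that
    intercepts the connection cannot pass it even with a CA-issued cert.
    """

    def __init__(self, host, pins=PINNED_CERT_SHA256, **kwargs):
        super().__init__(host, context=ssl.create_default_context(), **kwargs)
        self._pins = set(pins)

    def connect(self):
        super().connect()  # TLS handshake with ordinary validation
        der = self.sock.getpeercert(binary_form=True)
        if not pin_matches(der, self._pins):
            self.close()  # drop the socket before any request data is written
            raise ssl.SSLError("certificate pin mismatch; refusing to send data")


# Usage (hostname is a placeholder):
#   conn = PinnedHTTPSConnection("telemetry.example.invalid")
#   conn.request("POST", "/logs", body=b"...")  # raises on pin mismatch
```

Contrast this with the original design the article describes, where log data went over a plain TCP service and was protected only by a key shared by every copy of the app.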

[Source: Reuters] [Image: Hyundai]


7 Comments on “A Weakness Left Hyundai Vehicles Exposed to Tech-savvy Thieves...”

  •

    As long as this is the unlock-my-doors kind of hacking, I’m not too worried about it. If someone wants to break in to your car, they’ll do it however they want. It’s the bring-my-car-to-a-halt-while-driving thing that terrifies me.

  •

    Wait, the attacker needs the key AND have the user access a corrupted Wi-Fi network (and stay connected long enough for the vital information to cross)? If the attacker has the key, why would they mess around with any of this?

    Seems like a theoretical attack more than one that anybody would actually use.

    • Matt Posky

      In this instance, the “key” is a digital one and only exists as code. The fault allowed access to the vehicle, its ignition system, and personal information via the application. While hackers can duplicate physical electronic keys for newer vehicles with software, the Blue Link vulnerability was entirely through the phone app.

  •

    I have come to the conclusion that I must be a luddite or a curmudgeon or both. Between stories like this and the accident statistics that show the toll (in lives) that distracted driving takes, it only makes sense to continue to keep my phone off when I drive. Unless I’m expecting an absolute emergency phone call, nothing is more important than road safety when I’m behind the wheel.

    So, help me out: Do that many people have the combination of work issued phones or work on the road and a terrible boss that they fear not answering a call or text?

    It seems like using a phone (and its associated tech needed to make it work with your car) while driving is all risk, and no reward.

    • Domestic Hearse

      The Bluetooth link allows your phone to stay in your pocket while you drive, yet still ring. When it does ring, you can hear the ring over the car’s sound system and you simultaneously can see the caller ID on your car’s display. You then elect to answer that call by touching the appropriate button on the steering wheel. If you elect to answer, the caller’s voice comes through the car’s sound system. Your hands stay at 10 and 2, and you simply have a conversation with your car’s mini microphones picking up your voice. Once your conversation is over, you hit the same little button on the steering wheel to hang up (the smartphone never leaves your pocket). In practice, this is no different than having a conversation with someone beside you in the car, and is legal in all no-texting/no-handheld-phone-call states and municipalities.

      Once you set it up (which must be done with the vehicle in park), the Bluetooth Smartphone app is easier to use than a toaster and more handy than a TV remote control. If you’ve made toast or turned up the volume of your TV from the comfort of your couch, you can handle the technical difficulty level of Bluetooth calls in your car.

      Texting works the same. With the phone still in your pocket, a new text pops up on your car’s display. Hit a button and Bluetooth will read it aloud for you over the car’s sound system.

      For fun and games, be sure to link your kids’ phones to your car’s Bluetooth. You’ll shortly be privy to a bevy of previously unknown people in your children’s lives and learn juicy new bits of information they probably don’t want you to know.

      •

        Well, I don’t want to receive calls and texts while I drive. I really don’t. I realize that I am in the minority on this. My kids don’t have phones. I certainly wouldn’t want a text displayed or read out loud either. If nothing else, it would interrupt my music.

        I am familiar with Bluetooth, as I always have to pair my wife’s phone to rentals on vacation. It’s not worth fighting with her over this issue. Although, to be fair, there have only been a handful of times in our marriage where she has HAD to take a call while she was driving, all work or family health related things. And even then, sometimes, she asks to call them back in the interest of discretion since I or the kids are in the car and, for work, it may be privileged info.

        Despite Bluetooth’s best attempts, I still just feel that having a phone conversation while driving is one more thing taking your focus off of the road. I think a text would be even more difficult.

        But what I was REALLY criticizing here are the newer systems that link and display your actual phone on the screen, giving you access to apps and email and stuff, all with a touchscreen.

        Which means you are looking away from the road and taking your hands off of the wheel to operate what are, in most cases if I had to guess, non-emergency and non-essential things.

        So, I stand by my statement…increases risk with no reward. The world won’t end if a driver misses a call or text.
