A Weakness Left Hyundai Vehicles Exposed to Tech-savvy Thieves

by Matt Posky

The cyber security firm Rapid7 recently informed the Hyundai Motor Company that its Blue Link smartphone application might be exposing its customers to an unsavory element — serving up another reminder that convenience frequently comes at a cost.

Software vulnerabilities in the app allowed Blue Link-equipped vehicles to be unlocked and even started remotely, making them susceptible to theft from high-tech criminals for a period of three months until the company finally fixed the bug in March. Hyundai says that it is unaware of any mishaps stemming from the issue.

“The issue did not have a direct impact on vehicle safety,” said Jim Trainor, a spokesman for Hyundai Motor America. “Hyundai is not aware of any customers being impacted by this potential vulnerability.”

Before anyone flies off the handle to go on an anti-technology rant, remember that low-tech solutions remain the car thief’s primary weapons of choice. While some thieves are using key programmers and plugging into diagnostic ports before driving away, the $9 slim jim and screwdriver method still works just fine on plenty of vehicles. Computer-based crime is just one of many ways to accomplish the same goal.

Still, in the case of the Hyundai bug, the car isn’t the only thing that’s up for grabs. Personal information could also be accessed by thieves. Of course, this has less to do with the car and more to do with additional steps needed to exploit the Blue Link app. Would-be victims need to have accessed a corrupted Wi-Fi network via their phone.

“With the [decryption] key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application,” explained Tod Beardsley, Rapid7 principal security research manager. “From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”

This mode of hacking is impractical in most parts of the country, though identity thieves in dense urban areas have frequently used the technique to pilfer sensitive information in the past. It would certainly be possible to steal a car in this manner, but it might not be worth the added effort.

That makes this less of a cautionary tale and more of a reminder that newer cars have a multitude of access points for potential thieves to exploit. In 2015 General Motors patched a bug that permitted remote access to some of its OnStar-equipped vehicles and Fiat Chrysler recalled 1.4 million units after two researchers, working with Wired, proved it was possible to gain remote control of a Jeep. Those researchers even managed to disable it as it drove down a highway.

Rapid7 privately disclosed the vulnerability to Hyundai in February, and it has since been fixed by removing the affected LogManager log transmission feature entirely. Hyundai also disabled the TCP service that received the encrypted log data and a file with the user’s email address. The update, Rapid7 said, was marked mandatory in both Google Play and the iPhone’s App Store.

“We talked to Hyundai and they have been great. They patched the software to remove the log dump functionality completely,” Beardsley explained. “We were expecting HTTPS with certificate pinning, something like that, but they ripped it out entirely and shut down the log service entirely. So if an app missed an update, it doesn’t matter because it fails to connect now.”

[Source: Reuters] [Image: Hyundai]


Comments
  • Newenthusiast on Apr 25, 2017

    I have come to the conclusion that I must be a luddite or a curmudgeon or both. Between stories like this and the accident statistics that show the toll (in lives) that distracted driving takes, it only makes sense to continue to keep my phone off when I drive. Unless I'm expecting an absolute emergency phone call, nothing is more important than road safety when I'm behind the wheel. So, help me out: Do that many people have the combination of work issued phones or work on the road and a terrible boss that they fear not answering a call or text? It seems like using a phone (and its associated tech needed to make it work with your car) while driving is all risk, and no reward.

    • Newenthusiast on Apr 26, 2017

      @Domestic Hearse Well, I don't want to receive calls and texts while I drive. I really don't. I realize that I am in the minority on this. My kids don't have phones. I certainly wouldn't want a text displayed or read out loud either. If nothing else, it would interrupt my music. I am familiar with Bluetooth, as I always have to pair my wife's phone to rentals on vacation. It's not worth fighting with her over this issue. Although, to be fair, there have only been a handful of times in our marriage where she has HAD to take a call while she was driving, all work or family health related things. And even then, sometimes, she asks to call them back in the interest of discretion since I or the kids are in the car and, for work, it may be privileged info. Despite Bluetooth's best attempts, I still just feel that having a phone conversation while driving is one more thing taking your focus off of the road. I think a text would be even more difficult. But what I was REALLY criticizing here are the newer systems that link and display your actual phone on the screen, giving you access to apps and email and stuff, all with a touchscreen. Which means you are looking away from the road and taking your hands off of the wheel to operate what are, in most cases if I had to guess, non-emergency and non-essential things. So, I stand by my statement...increases risk with no reward. The world won't end if a driver misses a call or text.

  • Whisperquiet on Apr 25, 2017

    This^^^^^^^^^^^........
