Researchers Will Hatzer and Arjun Kumar from enterprise security company Rapid7 uncovered a vulnerability in Hyundai’s “Blue Link” application that would have allowed car thieves to remotely start Hyundai vehicles.
Blue Link Application
Hyundai’s Blue Link mobile application allows customers to remotely lock and unlock the vehicle, start and stop the air conditioning, and even remotely start the car itself. Due to a recent bug, introduced in version 3.9.4 of the app on December 8, 2016, and a reliance on cleartext rather than encrypted communications, sensitive customer information such as usernames and passwords could have been stolen by malicious hackers.
The application would upload a log of the customer’s information to Hyundai’s servers over unencrypted HTTP. The log itself was encrypted with symmetric encryption, using the hardcoded string “1986l12Ov09e” as the decryption password. The password could not be changed by the user.
Once attackers obtained the hardcoded password and the log, via man-in-the-middle attacks or non-secure Wi-Fi connections, they could use the information in it to remotely unlock and start Hyundai cars (model year 2012 and newer).
The attack can’t be done at scale, because the attacker would have to be on the same local network as the vehicle owner. However, it could still be effective enough for more sophisticated car thieves who set up malicious Wi-Fi hotspots next to parking areas and wait for Hyundai owners to take the bait and connect to them.
Hyundai, which was notified by the two security researchers, said that it fixed the vulnerability in version 3.9.6 of the software by removing the log feature. Hyundai owners should update their Blue Link apps immediately to the latest version, which is available in both the Google Play Store and Apple’s App Store.
Non-Secure By Design?
In previous posts on car security, we’ve pointed out that modern “connected cars,” and even more so the self-driving cars of the future, need to treat security much more seriously. If possible, car security should be considered (or reconsidered) from the ground up.
Self-driving cars’ controls will essentially be “all software,” which means we can expect many of the same types of vulnerabilities we see on PCs and smartphones to affect future cars as well. A self-driving car is not a place where we can accept a compromise on security, due to the fact that a hack could also mean a loss of life.
Using hardcoded passwords and cleartext communications at a time when even small websites can use free HTTPS encryption tells us that Hyundai is one of the companies that doesn’t take security as seriously as its previous statements claimed.
As we’ve seen before, Hyundai is not the only car company to have made embarrassing security blunders in the past few years. However, with self-driving cars already on the roadmap, and soon on roadways, there isn’t any time left to waste when it comes to strengthening the security of these cars. Car makers need to design and develop every new software feature for a self-driving car in a way that promises maximum security with no compromises.
The post Hyundai ‘Blue Link’ Vulnerability Allows Thieves To Start Cars Remotely appeared first on Gigarefurb Refurbished Laptops News.
source https://news.gigarefurb.co.uk/hyundai-blue-link-vulnerability-allows-thieves-to-start-cars-remotely/