Hyundai has just released updates for its Blue Link mobile application to fix flaws that cybercriminals could have exploited to steal cars.
The Blue Link mobile app can be installed on Android and iOS devices, allowing users to remotely access and monitor their vehicles. The application's features include remote engine start, stolen vehicle recovery, cabin temperature control, vehicle health reports, remote locking and unlocking, and automatic collision notifications.
However, according to security firm Rapid7, the Blue Link application had two potentially serious vulnerabilities related to a log transmission feature that was introduced in December of last year.
Versions 3.9.4 and 3.9.5 of the application upload an encrypted log file to a pre-defined IP address over HTTP. The file name includes the user’s email address, and the file itself contains various pieces of information like username, password, PIN, and historical GPS data.
Although the log file is encrypted, the encryption relies on a hardcoded key which cannot be modified. As a result, a man-in-the-middle (MitM) attacker (e.g. via a compromised or rogue Wi-Fi network) can intercept HTTP traffic associated with the Blue Link app and access the log file with all the data in it. The attacker can use this data to locate, unlock and start the targeted vehicle.
Rapid7 has published a blog post detailing all of the Blue Link application flaws.
ICS-CERT has also published an advisory rating the MitM issue (CVE-2017-6052) as a medium-severity flaw and the hardcoded cryptographic key weakness (CVE-2017-6054) as high severity.
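A pre-release check for the conditions described above, written as an added example (not code from Hyundai, Rapid7 or the app): it audits a planned diagnostic-log upload for cleartext transport, an email address in the file name, secrets in the log body and a hardcoded key, and shows a redaction step. The function names, the `key_source` label, the field names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Field names treated as secrets (assumed names for the data the article lists).
SENSITIVE_KEYS = {"username", "password", "pin", "gps", "latitude", "longitude"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_log_upload(url, filename, fields, key_source):
    """Return findings for a planned log upload; an empty list means it passes."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("cleartext-transport")      # readable on a rogue Wi-Fi network
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("ip-literal-endpoint")      # fixed IP endpoint: flag for review
    except ValueError:
        pass                                         # a DNS name, not an IP literal
    if EMAIL_RE.search(filename):
        findings.append("email-in-filename")        # identity visible without decrypting
    leaked = sorted(k for k in fields if k.lower() in SENSITIVE_KEYS)
    if leaked:
        findings.append("secrets-in-log:" + ",".join(leaked))
    if key_source == "hardcoded":                    # hypothetical label set by the build
        findings.append("hardcoded-key")             # same key ships in every install
    return findings


def redact(fields):
    """Copy of the log fields with sensitive values replaced before upload."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in fields.items()}


# Constructed sample mirroring the behaviour the article describes.
RISKY = dict(url="http://192.0.2.10:8080/upload",
             filename="driver@example.com_20170101.log",
             fields={"username": "driver", "password": "hunter2", "PIN": "1234",
                     "gps": "37.0,-122.0", "app_version": "3.9.5"},
             key_source="hardcoded")

if __name__ == "__main__":
    for finding in audit_log_upload(**RISKY):
        print(finding)
    print(redact(RISKY["fields"]))
```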
Rapid7 discovered the app vulnerabilities in February, and Hyundai patched them in March with the release of Blue Link 3.9.6 for both Android and iOS.
The latest version of the app removes the log transmission feature and disables the TCP service located at the IP address where the log files were sent. Hyundai made the update mandatory, although, according to the car maker, there is no evidence that the flaws have been exploited for malicious purposes so far.
In addition, Hyundai and Rapid7 pointed out that it would have been “difficult to impossible to conduct this attack at scale,” because an attacker would need privileged network access in order to exploit the security holes.
Meanwhile, security experts have reported vulnerabilities in multiple car applications over the past months, and Tesla was among those affected.