The latest update for Hyundai’s Blue Link mobile vehicle management app fixes a couple of vulnerabilities that could have let a remote attacker track, unlock and start a car paired with the software. Versions affected by the issues are 3.9.4 and 3.9.5, which included a log transmission feature.
Remote services offered through the Blue Link app are subscription-based, and include door locking and unlocking, engine start and stop, car finder, stolen vehicle recovery, slowdown and immobilization, and tracking of the car in and out of a specified region, among others. The app also comes in a smartwatch version that supports most of these features.
Independent researchers William Hatzer and Arjun Kumar discovered the issues and worked with Rapid7 to disclose them responsibly to Hyundai. They found that Blue Link uploaded the log it collected from the car to a fixed IP address over plain, unencrypted HTTP. The log itself was encrypted before being sent, but with a key hard-coded into the app that could not be rotated: anyone who pulled the key out of one copy of the app could decrypt the logs of every user.
An attacker positioned on the path between the phone and that server, for example on a hostile or open WiFi network, or by impersonating the router between the two endpoints in a man-in-the-middle attack, could capture the upload and decrypt it with the extracted key. The details in the log could then be used to locate the targeted vehicle, unlock its doors and start its engine.
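The following is an added example, not code from Hyundai, Rapid7 or the researchers, that models the weakness just described: the app encrypts a log with a key baked into the app and POSTs it over plain HTTP, so a passive observer on the path who has extracted that key reads the log as easily as the vendor's server does. The article does not name the cipher the app used, so an HMAC-SHA256 counter-mode keystream stands in for it; the key, the server address, the URL path and the sample log are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Assumption: stands in for the never-changing key the article says the app stored.
APP_EMBEDDED_KEY = b"blue-link-static-log-key"
# Constructed: a fixed address reached over plain HTTP, as the article describes.
LOG_ENDPOINT_HOST = "203.0.113.10"
LOG_ENDPOINT_PATH = "/log"
NONCE_LEN = 12

# Constructed sample log; the real field names are not given in the article.
SAMPLE_LOG = {"vin": "KMHXX00X0XX000000", "lat": 37.7749, "lon": -122.4194,
              "user": "owner@example.com", "session_token": "deadbeef"}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. Not the app's real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def app_build_log_request(log: dict, nonce: bytes = None) -> bytes:
    """What the app puts on the wire: an HTTP/1.1 POST whose body is nonce || ciphertext.

    Everything but the body is readable by anyone on the path because the transport is
    plain HTTP; the body is readable by anyone who also has APP_EMBEDDED_KEY.
    """
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = nonce + xor_with_keystream(APP_EMBEDDED_KEY, nonce, json.dumps(log).encode())
    headers = (
        f"POST {LOG_ENDPOINT_PATH} HTTP/1.1\r\n"
        f"Host: {LOG_ENDPOINT_HOST}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body


def attacker_decrypt_captured(raw: bytes, extracted_key: bytes) -> dict:
    """Passive observer (hostile WiFi, spoofed router) holding the key pulled from the app.

    Parses the captured HTTP request, splits off the nonce and decrypts the body.
    Raises ValueError if the key is wrong, because the result is not valid JSON.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    headers = dict(h.split(": ", 1) for h in header_lines)
    body = body[: int(headers["Content-Length"])]
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    plaintext = xor_with_keystream(extracted_key, nonce, ciphertext)
    return {"request_line": request_line, "host": headers["Host"], "log": json.loads(plaintext)}


if __name__ == "__main__":
    captured = app_build_log_request(SAMPLE_LOG)
    recovered = attacker_decrypt_captured(captured, APP_EMBEDDED_KEY)
    print("Observed on the wire:", recovered["request_line"], "to", recovered["host"])
    print("Decrypted with the key from the app:", recovered["log"])
```

The point the example makes is that client-side encryption under a key shipped inside the client adds nothing against an attacker who has a copy of the client; only an authenticated, encrypted transport (TLS to the vendor's host, with the server certificate verified) keeps an on-path observer from reading the upload, which is in effect what removing the feature achieved.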
A large-scale attack would be impractical, though: exploiting the flaw requires either a compromise of the victim's local network or “a privileged position on the network path from the app user to the vendor’s service instance,” the researchers said in the Rapid7 advisory.
Hyundai has removed the problematic log transmission feature in the newest release of Blue Link (3.9.6), available to users since March 6. The researchers waited more than a month before publishing the details so that the update could reach most, if not all, users. Hyundai says it is not aware of any customer being affected by exploitation of these vulnerabilities.
Credit: Hyundai Motor America