Security vulnerabilities in the Hyundai Blue Link mobile apps could be exploited by hackers to locate, unlock and start vehicles of the carmaker.
The Blue Link application is available for both iOS and Android mobile OSs, it was developed to allow car owners to remotely access and monitor their vehicle.
The app implements many features including remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
Researchers at security firm Rapid7 discovered two potentially serious vulnerabilities affecting the log transmission feature added in December 2016.
According to the experts, the versions 3.9.4 and 3.9.5 of the Blue Link mobile apps upload an encrypted log file to a static IP address over HTTP on port 8080. The file contains several pieces of information, including login credentials, PIN, and historical GPS data. The name of the file includes the user’s email address.
The experts also discovered that log file is encrypted with the hard coded key “1986l12Ov09e” that cannot be changed.
A hacker can power a man-in-the-middle (MitM) attack to intercept the HTTP traffic associated with the Blue Link mobile application and access the log file.
“Affected versions of Hyundai Blue Link mobile application upload application logs to a static IP address over HTTP on port 8080. The log is encrypted using a symmetrical key, “1986l12Ov09e”, which is defined in the Blue Link application (specifically, C1951e.java), and cannot be modified by the user.” states the analysis published by Rapid7.
Clearly, the information contained in the log file can be used by the attacker to locate, unlock and start the targeted vehicle.
The ICS-CERT released a security advisory on the flaws affecting the Hyundai Blue Link mobile app. The two flaws reported in the advisory are the MitM vulnerability tracked as CVE-2017-6052 and rated as a medium severity issue and the hardcoded cryptographic key weakness tracked as CVE-2017-6054 and rated as high severity.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.” states the advisory.
According to Hyundai, there was no evidence that the vulnerabilities had been exploited by threat actors in the wild.
“Rapid7 working with Hyundai Motor America reports that it would be difficult to impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to their service instance.”
Both issued were reported by Rapid7 in February, Hyundai patched them in March with the release of Blue Link mobile app version 3.9.6 for both iOS and Android.
The Blue Link mobile app version 3.9.6 version disabled the log transmission and the TCP service located at the IP address where the log files were sent.
The update of the app is mandatory for all users.
(Security Affairs – car hacking, Hyundai Blue Link)