
Using Cryptographic Keys to Steal Cars Remotely: Uncovering Vulnerabilities in Hyundai’s Mobile App

May 2, 2017 | Eva Hanscom

In late April, Rapid7 revealed vulnerabilities impacting Hyundai’s Blue Link Mobile application. According to the researchers, previous versions of the app transmitted user information to Hyundai using a fixed cryptographic key, which may have been stolen by attackers.

According to Tod Beardsley, principal security research manager for Rapid7: “With the key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application. From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”

Smartphone applications for cars have increased in popularity over the past several years. The Blue Link Mobile application is available for use with Hyundai vehicles from 2012 and beyond, and provides users with remote locking, location services and vehicle starting. Unfortunately, as vehicles become more connected, they will become more vulnerable to attack.

“This situation with Hyundai appears to be a minor slip-up, but it illustrates the challenges of protecting all machine communications—from app to car to cloud,” says Kevin Bocek, chief security strategist for Venafi.

Unfortunately, these kinds of incidents won’t be going away any time soon. “The real problem that these vulnerabilities represent isn’t an exception; past incidents have shown us that the automobile industry is struggling with many aspects of connected car security, especially encrypted communications,” says Bocek. “This shouldn’t be surprising—auto manufacturers face unique challenges. They must secure every step in the delivery and service of connected cars; development, dealer services and even recycling requires a whole new mindset.”

The vulnerability impacting Hyundai was swiftly corrected. A patched version of the application was released in the Google app store on March 6, and the iOS app was published on March 8. However, car makers, and other industry participants, must remain vigilant in identifying and correcting similar vulnerabilities.

“Connected car makers are going to have to adopt rigorous protection for machine communications to keep their customers safe,” concludes Bocek. “Imagine the difficulties an auto shop faces as they deal with the hundreds of certificates needed to protect the sensitive data connected with your car.” 

Do you think the auto industry is prepared to take on connected car vulnerabilities? 


About the author

Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.
