Using Cryptographic Keys to Steal Cars Remotely: Uncovering Vulnerabilities in Hyundai’s Mobile App

May 2, 2017 | Emil Hanscom

In late April, Rapid7 disclosed vulnerabilities in Hyundai's Blue Link mobile application. According to the researchers, earlier versions of the app sent user data to Hyundai encrypted under a single fixed cryptographic key shared by every installation, so an attacker who recovered that key from one copy of the app could decrypt the uploads of any user.

According to Tod Beardsley, principal security research manager for Rapid7: “With the key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application. From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”
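The following is an added example written for this page, not Rapid7's proof of concept or Hyundai's code. It isolates the one property the attack above depends on: a key that is identical in every copy of the app. A constructed encrypt-then-MAC stream cipher stands in for whatever cipher the app actually used (the page does not name it), the key value and the log records are constructed, and the per-device keys in the hardened variant are assumed to have been provisioned over an authenticated TLS channel at enrollment. With the shared key, a passive attacker on a rogue hotspot reads every captured upload, including the PIN; with a key unique to each device, a key lifted from the attacker's own device opens only the attacker's own traffic.

```python
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter).

    Stand-in for the app's real cipher, which the page does not name; the attack
    depends only on the key being fixed across installs, not on the cipher.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, record: dict) -> bytes:
    """Encrypt-then-MAC a log record: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Verify the tag and decrypt; returns None if this key did not seal the blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Vulnerable design: one key compiled into every copy of the app.
# Constructed value; the real key is not on the page.
APP_STATIC_KEY = hashlib.sha256(b"constructed: key shared by every install").digest()


def vulnerable_app_upload(record: dict) -> bytes:
    """Every installation seals its log upload under the same hard-coded key."""
    return seal(APP_STATIC_KEY, record)


def hardened_app_upload(device_key: bytes, record: dict) -> bytes:
    """Each device seals with its own key (assumed provisioned over TLS at enrollment)."""
    return seal(device_key, record)


def rogue_hotspot(captured: list, key_from_app: bytes) -> list:
    """Passive attacker on the hotspot: try the one recovered key against every upload."""
    return [unseal(key_from_app, blob) for blob in captured]


# Constructed sample records with the fields Rapid7 listed: name, address, GPS, PIN.
USERS = [
    {"name": "Alice Example", "address": "1 Main St", "gps": [40.71, -74.00], "pin": "1234"},
    {"name": "Bob Example", "address": "2 Main St", "gps": [34.05, -118.24], "pin": "8675"},
    {"name": "Carol Example", "address": "3 Main St", "gps": [41.88, -87.63], "pin": "2468"},
]


def demo_vulnerable() -> list:
    """PINs the attacker recovers when every install shares one key."""
    captured = [vulnerable_app_upload(u) for u in USERS]
    return [r["pin"] for r in rogue_hotspot(captured, APP_STATIC_KEY) if r]


def demo_hardened() -> list:
    """Attacker reversed their own device (key 0); other users' uploads stay opaque."""
    device_keys = [os.urandom(32) for _ in USERS]
    captured = [hardened_app_upload(k, u) for k, u in zip(device_keys, USERS)]
    return [r["pin"] if r else None for r in rogue_hotspot(captured, device_keys[0])]


if __name__ == "__main__":
    print("shared key, PINs recovered:   ", demo_vulnerable())
    print("per-device key, PINs recovered:", demo_hardened())
```

Per-device keys only shrink the blast radius of a reversed app; they do not authenticate the server, so the real remedy for an evil-hotspot attacker is to carry the upload over TLS with proper certificate validation and keep no long-lived secret in the app at all.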

Smartphone applications for cars have grown in popularity over the past several years. The Blue Link mobile application works with Hyundai vehicles from model year 2012 and later, and gives users remote locking, vehicle location and remote start. Unfortunately, as vehicles become more connected, their attack surface grows with them.

“This situation with Hyundai appears to be a minor slip-up, but it illustrates the challenges of effectively managing all machine communications—from app to car to cloud,” says Kevin Bocek, chief security strategist for Venafi.

Unfortunately, these kinds of incidents won’t be going away any time soon. “The real problem that these vulnerabilities represent isn’t an exception; past incidents have shown us that the automobile industry is struggling with many aspects of connected car security, especially encrypted communications,” says Bocek. “This shouldn’t be surprising—auto manufacturers face unique challenges. They must secure every step in the delivery and service of connected cars; development, dealer services and even recycling requires a whole new mindset.”

The vulnerability affecting Hyundai was corrected quickly. A patched version of the Android app was released on Google Play on March 6, and the patched iOS app was published on March 8. Even so, car makers and other industry participants must stay vigilant in finding and fixing similar weaknesses.

“Connected car makers are going to have to adopt rigorous management for machine communications to keep their customers safe,” concludes Bocek. “Imagine the difficulties an auto shop faces as they deal with the hundreds of certificates needed to protect the sensitive data connected with your car.” 

Do you think the auto industry is prepared to take on connected car vulnerabilities? 

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
