In late April, Rapid7 revealed vulnerabilities impacting Hyundai’s Blue Link Mobile application. According to the researchers, previous versions of the app transmitted user information to Hyundai using a fixed cryptographic key, which may have been stolen by attackers.
According to Tod Beardsley, principal security research manager for Rapid7: “With the key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application. From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”
Smartphone applications for cars have increased in popularity over the past several years. The Blue Link Mobile application is available for use with Hyundai vehicles from 2012 and beyond, and provides users with remote locking, location services and vehicle starting. Unfortunately, as vehicles become more connected, they will become more vulnerable to attack.
“This situation with Hyundai appears to be a minor slip-up, but it illustrates the challenges of protecting all machine communications—from app to car to cloud,” says Kevin Bocek, chief security strategist for Venafi.
Unfortunately, these kinds of incidents won’t be going away any time soon. “The real problem that these vulnerabilities represent isn’t an exception; past incidents have shown us that the automobile industry is struggling with many aspects of connected car security, especially encrypted communications,” says Bocek. “This shouldn’t be surprising—auto manufacturers face unique challenges. They must secure every step in the delivery and service of connected cars; development, dealer services and even recycling requires a whole new mindset.”
The vulnerability impacting Hyundai was swiftly corrected. A patched version of the application was released in the Google app store on March 6, and the iOS app was published on March 8. However, car makers, and other industry participants, must remain vigilant in identifying and correcting similar vulnerabilities.
“Connected car makers are going to have to adopt rigorous protection for machine communications to keep their customers safe,” concludes Bocek. “Imagine the difficulties an auto shop faces as they deal with the hundreds of certificates needed to protect the sensitive data connected with your car.”
Do you think the auto industry is prepared to take on connected car vulnerabilities?