Hyundai Motor America has patched a vulnerability in its Blue Link mobile application that exposed personal and vehicle information to an attacker.
Updated versions of the app (3.9.6) were released to Google Play and the Apple App Store on March 8, a little more than one month after Rapid7 learned about the vulnerabilities from independent researchers Will Hatzer and Arjun Kumar.
Vehicle owners use the app to remotely start their car from a smartphone, as well as lock and unlock vehicles, produce vehicle health reports, get service alerts, and more. The app connects to Hyundai’s infrastructure in the cloud, which then communicates with the vehicle. Rapid7 says attacks against this vulnerability would be impossible to conduct at scale; the more likely scenario is that a victim would have to be tricked into connecting to an attacker-controlled Wi-Fi network, where the attacker could then intercept traffic.
Exacerbating the situation is the fact the app sends encrypted log data to Hyundai accompanied by a static, hard-coded decryption key that is sent in the clear. The key is the same for every user and cannot be modified.
“With the key and an evil Wi-Fi hotspot, an attacker could wait for that log data to go through the network and get personal information on users, including name, address, log data, GPS data and get the PIN for the application,” said Tod Beardsley, Rapid7 principal security research manager. “From there, they could download the app, register as the user, log in and remote start the vehicle, whatever they wanted.”
The vulnerability affects versions 3.9.4 and 3.9.5 of the application; Rapid7 said that Hyundai introduced the feature on Dec. 8.
Rapid7 privately disclosed the vulnerability on Feb. 21, which was fixed two weeks later by removing the affected LogManager log transmission feature altogether. Hyundai also disabled the TCP service that received the encrypted log files and a file with the user’s email address. The update, Rapid7 said, was marked mandatory in Google Play and the App Store.
“We talked to Hyundai and they have been great. They patched the software to remove the log dump functionality completely,” Beardsley said. “We were expecting HTTPS with certificate pinning, something like that, but they ripped it out entirely and shut down the log service entirely. So if an app missed an update, it doesn’t matter because it fails to connect now.”
“I’m sure the log data was useful to them for normal QA things,” Beardsley said. “I imagine it will come back. They now know to do it in a secure way.”
Hatzer told Rapid7 that he found the vulnerability while researching the Blue Link app after buying a new Hyundai shortly after the feature was introduced. Beardsley said attacks against this vulnerability would have to be pretty opportunistic to succeed; a likely scenario would be an attacker standing up a malicious hotspot near a Hyundai dealership, for example, where a victim running the app might connect to the network. Hyundai told Rapid7 it received no calls that might indicate a possible public exploit of this situation.
“Attacks are pretty limited in scope,” Beardsley said. “You would have to be nearby and pretty opportunistic.”