Many automakers now offer apps that let owners lock, unlock and even start vehicles remotely. As Hyundai learned, though, those apps can contain some big ol’ security concerns.
Hyundai released version 3.9.6 of its Blue Link connected-car mobile app in March to patch up vulnerabilities that could allow unscrupulous individuals to access certain vehicle functions. Both versions 3.9.5 and 3.9.4 of the app have these holes, so it’s imperative that owners update their apps immediately.
There are two vulnerabilities, both discovered by researchers working with the cybersecurity firm Rapid7. The first, a “man-in-the-middle” vulnerability, exists because the app did not verify that the endpoint it was talking to was the genuine one. That means someone could slide into the middle of that communication stream and gain access, and the app would be none the wiser.
The second issue involved the use of a hard-coded decryption password. Even though the app relies on encrypted passwords, when it sends those passwords to Hyundai’s cloud services, the key required to decrypt them is coded directly into the transmission. Anyone who could see that transmission would be able to grab the decryption key and gain access to a user’s account.
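To make the first flaw concrete, here is an added example (not Blue Link or Rapid7 code) showing, in Python's standard `ssl` module, the client-side setting that produces a “doesn't verify the endpoint” app beside the hardened default, with a small audit helper of the kind a mobile-app reviewer would run over a client's TLS configuration. The hostname, key constant and function names are constructed for the demo.

```python
import socket
import ssl

# Constructed placeholder. A key shipped inside the app (or inside the message
# itself, as the article describes) gives no confidentiality: whoever can read
# the traffic or the app binary can read the key. Do not rely on one.
APP_WIDE_KEY = b"demo-key-shipped-with-the-app"


def weak_client_context() -> ssl.SSLContext:
    """The 'endpoint not verified' pattern: any certificate, any hostname.

    Any network hop (for example a hostile Wi-Fi hotspot) can present its own
    certificate and the client will accept it, enabling a man-in-the-middle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Hardened form: validate the chain against trusted CAs and check the name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a client context; empty means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not validated (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def connect(host: str, ctx: ssl.SSLContext, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection; server_hostname is what enables the name check."""
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "no findings")
```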
Thankfully, these wouldn’t have been easy to pull off. According to ThreatPost, an attacker would need an owner to connect to the app via a malicious Wi-Fi hotspot, which isn’t always easy. Either way, owners using the updated app won’t have to worry about this.
And it’s not like there’d be much a hacker could do with access to Blue Link. Locking and unlocking a car could be used as a precursor for theft, and remote starting a vehicle may drain the gas tank or fill a garage with carbon monoxide, but that would be about it. Blue Link has no connection to the throttle, brakes or steering.