Developers: Hyundai Motor Company and Kia Motors Corporation
Last Release Date: May 2017
Branches: Transport
2017: Vulnerability
In May 2017, Hyundai released a fix for its mobile application, in which an error allowed attackers to steal cars.
The Blue Link application lets owners control some key functions of the car from a mobile device, either a smartphone or a smartwatch. A "catastrophic" vulnerability that allowed control of the application to be taken over was found in application versions 3.9.4 and 3.9.5. In the worst case, attackers could unlock the doors, start the engine and steal the car.
The flaw was found by Will Hatzer and Arjun Kumar, experts at Rapid7. They found that vulnerable versions of the application upload an application log to a remote server several times a day. The upload goes over HTTP (i.e., an insecure connection), but all the data is encrypted on the smartphone. The problem is that the encryption key (1986l12Ov09e) is the same for all Blue Link users, cannot be changed, and is hardcoded in the application's source code.
Using this password, an attacker can decrypt the application log uploaded to Hyundai's servers and extract a range of useful information from it, including the user name, password, PIN and GPS data.[1]
With the user name and password, the attacker can log in to the car owner's personal account and change the PIN to their own, thereby binding the car to their own application, and then steal the car.
However, there is one catch: to intercept the data going from the mobile application to the server, the attacker must be on the same wireless network as the intended victim. This can be arranged with a Wi-Fi access point under the attacker's control. Blue Link allows doors to be unlocked only on Hyundai vehicles released after 2012.[2]
Hyundai has already released a new version of the application (3.9.6). All Blue Link users are strongly advised to install it as soon as possible.
"A fixed encryption key in the source code is one of those 'childish' errors that responsible programmers do not allow themselves," believes Ksenia Shilak, sales director of the Russian company SEC-Consult. "Unfortunately, the existence of such an error shows that the carmaker still regards mobile applications as something deeply secondary, although shortcomings in these programs put the 'main product' under direct threat."
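The two defects described above, an encryption key fixed in the source and a log upload over plain HTTP, are the kind a code review can catch before release. The following is an added example, not code from Hyundai, Rapid7 or the original article: a small Python check run over a constructed Java sample, in which the class, the placeholder key and the URL are assumptions made for illustration.

```python
import re

# Constructed sample of decompiled Java (not Blue Link code); key and URL are placeholders.
SAMPLE = '''\
package com.example.telemetry;
public class LogUploader {
    private static final String LOG_KEY = "EXAMPLE-STATIC-KEY";
    private static final String ENDPOINT = "http://logs.example.invalid/upload";
    byte[] seal(byte[] log, char[] userSecret) throws Exception {
        SecretKeySpec k1 = new SecretKeySpec(LOG_KEY.getBytes(), "AES");
        PBEKeySpec k2 = new PBEKeySpec("EXAMPLE-PASSPHRASE".toCharArray());
        PBEKeySpec k3 = new PBEKeySpec(userSecret);  // runtime secret: not flagged
        return encrypt(k1, log);
    }
    String docs = "https://example.invalid/help";
}
'''

# String constants declared in the file: name -> literal value.
CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# First argument of the javax.crypto.spec key constructors.
KEY_CTOR = re.compile(r'new\s+(SecretKeySpec|PBEKeySpec)\s*\(\s*("[^"]*"|\w+)')
# Quoted cleartext URLs (https:// does not match).
HTTP_URL = re.compile(r'"(http://[^"]+)"')

def audit(source):
    """Return (line_no, rule, detail) findings for one source file."""
    constants = dict(CONST.findall(source))
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for ctor, arg in KEY_CTOR.findall(line):
            if arg.startswith('"'):
                findings.append((no, "hardcoded-key", f"{ctor} built from a string literal"))
            elif arg in constants:
                findings.append((no, "hardcoded-key", f"{ctor} built from constant {arg}"))
        for url in HTTP_URL.findall(line):
            findings.append((no, "cleartext-upload", url))
    return findings

if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE):
        print(f"line {no}: {rule}: {detail}")
```

A key derived from a value supplied at run time, as in the third constructor call of the sample, is not reported; only keys traceable to a literal in the same file are.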