Hyundai Motor America is patching its Blue Link Mobile application for several vulnerabilities that could have potentially exposed vehicle owners to risk. The Blue Link Mobile application works with Hyundai vehicles from the 2012 model year and newer, providing remote locking and unlocking capabilities, as well as location services and vehicle starting.
The vulnerabilities were reported to Hyundai by security firm Rapid7 and involved the use of a hard-coded decryption password as well as the use of cleartext communication for the Blue Link mobile app.
“The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by standard man-in-the-middle (MitM),” Rapid7 wrote in its security advisory on the Hyundai Blue Link vulnerabilities.
Though Rapid7 is the organization that reported the issues to Hyundai, it was actually a pair of non-Rapid7 employees that first became aware of the vulnerabilities.
“William Hatzer noticed the behavior when he himself became a Hyundai Blue Link user, after buying a new Hyundai automobile,” Tod Beardsley, Director of Research at Rapid7, told eWEEK. “Hatzer came to Rapid7 based on our reputation and experience as vulnerability handlers and our ability to coordinate and mediate vulnerability disclosures.”
The vulnerabilities were not in the firmware located in the vehicle, but rather were found in the mobile apps. Beardsley said that the issue was present in both Android and iPhone versions of the application, but the investigation work was all performed on Android. The fixed Android app was published in Google’s app store on March 6, while the iOS version was updated on March 8.
Beardsley explained that there were two vulnerabilities in the Blue Link apps: the cleartext, eavesdroppable communication and the data encrypted with a discoverable pre-shared key. He noted that since the data is encrypted, an attacker cannot directly use it; an attacker needs both a mechanism to get a hold of the encrypted data (which is possible due to the lack of an HTTPS transport), and the symmetric encryption key used to encrypt the log data being transmitted.
“If the transport mechanism had used certificate-based encryption, such as HTTPS, rather than HTTP, the data would have been safe in transport even if the attacker knew the encryption key,” Beardsley said. “So, the attacker needs both vulnerabilities to actually do anything malicious.”
The Blue Link attack likely would be very difficult to scale, for several reasons. Beardsley said that in order to attack at scale, an attacker would have to compromise an ISP that services Hyundai’s data operations; this seems unlikely to have happened.
“Given that this is merely an information disclosure, it seems the best, most likely attack vector would have been the physically local malicious WiFi hotspot, targeting either specific Hyundai owners or Hyundai service centers,” Beardsley said.
At this point, neither Rapid7 nor Hyundai has any evidence that the information disclosure flaw has ever been used by attackers in the wild. The logging feature in the Blue Link apps, which is where the vulnerability was found, only became available on Dec. 8, 2016 in version 3.9.4 of the app. Beardsley suspects that given the limited time the vulnerability was shipping, the vulnerability wasn’t exploited in the wild before Hyundai effected a fix.
“It’s impossible to say for sure that Hatzer is the only person to have noticed this vulnerable behavior,” Beardsley said. “But it seems quite likely, to the point of near certainty, that the issue was discovered and remediated before criminal actors could make use of it.”