Mobile App Patch That Allows Hackers to Steal Cars

3 May - by Dawood Khan - In News

Rapid7 security researchers Will Hatzer and Arjun Kumar discovered the flaw in early February and informed Hyundai about the catastrophic flaw the company introduced in version 3.9.4 of the Blue Link app.


The company issued a fix a month later, on March 6, with the release of Hyundai Blue Link v3.9.6. Researchers went public with their findings after they gave Hyundai customers enough time to update their mobile app.

The Department of Homeland Security's ICS-CERT also issued an alert last week. If you're one of the Hyundai car owners still using Blue Link versions 3.9.4 and 3.9.5, it's advised you set time aside and update the app as soon as possible.

Hyundai used identical hardcoded encryption key

According to Hatzer and Kumar, the vulnerable versions of the Blue Link app upload application logs to a remote server at various times of the day.

This upload operation takes place via HTTP, but the log data is encrypted on the phone. The problem, researchers say, is that the app stores the encryption key in the app's source code, in a file named C1951e.java. If this wasn't bad enough, the password is the same for all Blue Link users: 1986l12Ov09e.

An attacker can extract this password and then use it to decrypt the logs uploaded to Hyundai's servers. The data inside these logs includes details such as a user's username, password, PIN, and historical GPS data.
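A build-time check for this class of flaw, added here as an illustration and not taken from Rapid7's or Hyundai's code: it flags Java key constructors fed from a string literal or a string constant. The Java sample, its placeholder key values and the assumption that the key is built through `SecretKeySpec` or `PBEKeySpec` are constructed for the example; the article does not show the contents of C1951e.java.

```python
import re

# Constructed sample, NOT the Blue Link source: one key taken from a string
# constant, one from an inline literal, and one safe case (key unwrapped at runtime).
SAMPLE_JAVA = '''\
import javax.crypto.spec.SecretKeySpec;

final class LogCrypto {
    private static final String TAG = "LogCrypto";
    private static final String LOG_KEY = "PLACEHOLDER-not-a-real-key";

    static SecretKeySpec fromConstant() throws Exception {
        return new SecretKeySpec(LOG_KEY.getBytes("UTF-8"), "AES");
    }

    static SecretKeySpec fromLiteral() {
        return new SecretKeySpec("PLACEHOLDER-inline".getBytes(), "AES");
    }

    static SecretKeySpec fromKeystore(byte[] wrapped) {
        return new SecretKeySpec(unwrap(wrapped), "AES");
    }
}
'''

# String fields initialised from a literal: String NAME = "...";
CONST = re.compile(r'\bString\s+(\w+)\s*=\s*"(?:[^"\\]|\\.)*"\s*;')
# Key constructors whose first argument is "literal".getBytes() or NAME.getBytes()
SINK = re.compile(
    r'new\s+(SecretKeySpec|PBEKeySpec)\s*\(\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|(\w+))\s*\.\s*(?:getBytes|toCharArray)\s*\(')

def find_hardcoded_keys(source):
    """Return (line, constructor, origin) for each key built from a fixed string."""
    constants = {m.group(1) for m in CONST.finditer(source)}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SINK.finditer(line):
            sink, literal, ident = m.groups()
            if literal is not None:
                # Report the location only; never echo the secret into build logs.
                findings.append((lineno, sink, "inline literal"))
            elif ident in constants:
                findings.append((lineno, sink, "constant " + ident))
    return findings

if __name__ == "__main__":
    for lineno, sink, origin in find_hardcoded_keys(SAMPLE_JAVA):
        print(f"line {lineno}: {sink} keyed from {origin}")
```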


An attacker could use the user's username and password to break into the user's account, and the PIN to link his app to the target's Hyundai car. The attacker can then use the app to unlock the car's doors and start its engine.

Hack is not as straightforward as it sounds

The only downside is that an attacker would first need to compromise the same WiFi network the user's phone is on, in order to be able to sniff the local network for the log upload operation.

Nonetheless, car thieves can identify Hyundai car owners and follow them around until they connect to a public WiFi network, at which point they could wait for the app to upload its encrypted logs.

The Hyundai Blue Link app can be used to unlock newer Hyundai models released after 2012.
