Mobile App Patch That Allows Hackers to Steal Cars

3 May - by Dawood Khan - In News

Rapid7 security researchers Will Hatzer and Arjun Kumar discovered the flaw in early February, when they informed Hyundai about the catastrophic flaw the company had introduced in version 3.9.4 of the Blue Link app.


The company issued a fix a month later, on March 6, with the release of Hyundai Blue Link v3.9.6. Researchers went public with their findings after they gave Hyundai customers enough time to update their mobile app.

The Department of Homeland Security's ICS-CERT also issued an alert last week. If you're one of the Hyundai car owners still using Blue Link versions 3.9.4 and 3.9.5, it's advised you set time aside and update the app as soon as possible.

Hyundai used identical hardcoded encryption key

According to Hatzer and Kumar, the vulnerable versions of the Blue Link app upload application logs to a remote server at various times of the day.

This upload operation takes place via HTTP, but the log data is encrypted on the phone. The problem, researchers say, is that the app stores the encryption key in the app's source code, in a file named C1951e.java. If this wasn't bad enough, the password is the same for all Blue Link users: 1986l12Ov09e.

An attacker can extract this password and then use it to decrypt the logs uploaded to Hyundai's servers. The data inside these logs includes details such as a user's username, password, PIN, and historical GPS data.
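A pre-release check for the two conditions described above (key material embedded as a string in the app's Java code, and a cleartext upload endpoint), added here as an example that is not from the article or from the researchers. The sample source, class name, key value and URL are constructed, and the regex scan is a heuristic that resolves only one level of constant indirection.

```python
import re

# A Java string literal; group 1 is its contents.
LITERAL = r'"((?:[^"\\]|\\.)*)"'
# `String NAME = "value";` declarations, so a key held in a constant resolves.
CONST_DECL = re.compile(r'\bString\s+(\w+)\s*=\s*' + LITERAL + r'\s*;')
# Key-spec constructors fed from a literal or a named string.
KEY_SINK = re.compile(r'new\s+(SecretKeySpec|PBEKeySpec)\s*\(\s*(?:' + LITERAL
                      + r'|(\w+))\s*\.\s*(?:getBytes|toCharArray)\b')
# Endpoints that would carry the upload without TLS.
CLEARTEXT_URL = re.compile(r'"(http://[^"\s]+)"')

# Constructed sample standing in for an app's Java source (not vendor code).
SAMPLE = '''\
public class LogUploader {
    private static final String LOG_KEY = "EXAMPLE-KEY-0000";
    private static final String ENDPOINT = "http://logs.example.invalid/upload";
    byte[] seal(byte[] log) throws Exception {
        SecretKeySpec k = new SecretKeySpec(LOG_KEY.getBytes("UTF-8"), "AES");
        return encrypt(k, log);
    }
    byte[] sealWith(byte[] keyFromKeystore, byte[] log) throws Exception {
        return encrypt(new SecretKeySpec(keyFromKeystore, "AES"), log);
    }
    KeySpec legacy() { return new PBEKeySpec("EXAMPLE-PASS".toCharArray()); }
}
'''


def find_hardcoded_keys(java_source):
    """Return (line_no, constructor, value) for keys that are compile-time strings."""
    constants = {m.group(1): m.group(2) for m in CONST_DECL.finditer(java_source)}
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        for m in KEY_SINK.finditer(line):
            sink, literal, name = m.groups()
            value = literal if literal is not None else constants.get(name)
            if value is not None:  # a key supplied at runtime is not reported
                findings.append((line_no, sink, value))
    return findings


def find_cleartext_urls(java_source):
    """Return (line_no, url) for http:// string literals."""
    return [(n, m.group(1))
            for n, line in enumerate(java_source.splitlines(), start=1)
            for m in CLEARTEXT_URL.finditer(line)]
```

Any finding from `find_hardcoded_keys` means every installed copy of the app shares the same secret, which is the condition the researchers reported.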


An attacker could use the user's username and password to break into the user's account, and the PIN to link his app to the target's Hyundai car. The attacker can then use the app to unlock the car's doors and start its engine.

Hack is not as straightforward as it sounds

The only downside is that an attacker would first need to compromise the same WiFi network the user's phone is on, in order to be able to sniff the local network for the log upload operation.

Nonetheless, car thieves can identify Hyundai car owners and follow them around until they connect to a public WiFi network, at which point they could wait for the app to upload its encrypted logs.

The Hyundai Blue Link app can be used to unlock newer Hyundai models released after 2012.
