HackRead

Hyundai Blue Link app vulnerable; login credentials and GPS data at risk

April 26th, 2017 | Waqas | Security, Hacking News

Hyundai Blue Link apps on the Android and Apple app stores are vulnerable to cyber attacks which, if exploited, can allow attackers to steal users' personal and sensitive data. The vulnerability exists in versions 3.9.4 and 3.9.5 of the apps and can be exploited over insecure WiFi spots, or through a standard man-in-the-middle (MitM) attack that tricks users into connecting to a WiFi network controlled by the attackers, who can then steal user data.

The vulnerability was discovered by Will Hatzer and Arjun Kumar of Rapid7, who wrote in a blog post that “The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by the standard man-in-the-middle (MitM) attack methods to trick a user into connecting to a WiFi network controlled by an attacker on the same network as the user. If this is achieved, an attacker would then watch for HTTP traffic directed at http://54.64.135.113:8080/LogManager/LogServlet, which includes the encrypted log file with a filename that includes the user’s email address.”
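A pre-release traffic audit for the class of exposure Rapid7 describes (an upload sent over plain HTTP whose filename carries the user's email address), as an added example that is not Rapid7's or Hyundai's code. The captured requests, the host `192.0.2.10`, the other hostnames and the `audit_request`/`audit` helpers are constructed for illustration.

```python
import re
from urllib.parse import unquote

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FILENAME = re.compile(r'filename="?([^";\r\n]+)', re.I)

# Constructed capture in the shape a test proxy might export: (scheme, raw request).
CAPTURE = [
    ("http", 'POST /LogManager/LogServlet HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n'
             'Content-Type: multipart/form-data; boundary=b\r\n\r\n'
             '--b\r\nContent-Disposition: form-data; name="file"; '
             'filename="alice%40example.com_20170401.log"\r\n\r\n'
             '<encrypted log bytes>\r\n--b--\r\n'),
    ("https", 'POST /api/login HTTP/1.1\r\nHost: api.example.test\r\n\r\n'
              'user=alice@example.com'),
    ("http", 'GET /static/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n'),
    ("http", 'GET /poi?owner=bob@example.org HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n\r\n'),
]

def audit_request(scheme, raw):
    """Return None for TLS traffic, else a finding dict for a cleartext request."""
    if scheme != "http":
        return None  # assumes the app enforces certificate validation
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = dict(
        (k.strip().lower(), v.strip())
        for k, v in (line.split(":", 1) for line in header_lines if ":" in line)
    )
    # Identifiers a passive listener can read even when the payload is encrypted:
    # the request target and any multipart filename (URL-decoded before matching).
    exposed = []
    sources = (("url", target), ("filename", " ".join(FILENAME.findall(raw))))
    for where, text in sources:
        exposed += [(where, addr) for addr in EMAIL.findall(unquote(text))]
    return {
        "endpoint": f"{method} http://{headers.get('host', '?')}{target.split('?')[0]}",
        "severity": "high" if exposed else "low",
        "exposed": exposed,
    }

def audit(capture):
    """Audit every captured request and keep only the cleartext findings."""
    return [f for f in (audit_request(s, r) for s, r in capture) if f]

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

Encrypting the log body does not hide the filename or the URL, which is why the check looks at request metadata rather than the payload.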

The data that can be stolen using this method includes the vehicle’s registration, PINs via a log transmission feature, and the app’s username and password. Because the Hyundai Blue Link apps let users remotely start their vehicle, remotely lock or unlock the doors, remotely activate the horn and lights, access saved POI history, find their car and so on, this information could be used to locate, unlock and start the Hyundai remotely. However, the researchers noted that “It would be difficult to conduct this attack at scale since an attacker would typically need first to subvert physically local networks, or gain a privileged position on the network path from the app user to the vendor’s service instance.”


Hyundai Motor America (HMA) was informed about the issue and acknowledged that a vulnerability affected its users. The good news is that Hyundai was quick to fix the problem by releasing updates (Version 3.9.6) on both Google Play and the Apple App Store.

Update your Hyundai Blue Link app

According to an official statement from Hyundai, “The privacy and security of our customers are of the utmost importance to HMA. HMA continuously seeks to improve its mobile application and system security. As a member of the Automotive Information Sharing Analysis Center (Auto-ISAC), HMA values security information sharing and thanks Rapid7 for its report.”

The Hyundai Blue Link application was launched in December 2016 to give users instant access to their vehicles, but since Internet of Things (IoT) devices are vulnerable from the get-go, it shouldn’t surprise users that Hyundai’s apps were also vulnerable.

Security researchers have previously discovered similar vulnerabilities in other vehicle-related apps. For instance, one researcher hacked into the General Motors (GM) mobile app and demonstrated how one could locate, unlock and steal the targeted car. Just a couple of weeks ago, researchers exposed critical vulnerabilities in a WiFi dongle that allowed them to hack into a car’s data transmitter with the help of Bluetooth.

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
