The Hyundai Blue Link remote app that was launched in December contained a vulnerability that could allow hackers through insecure Wi-Fi to locate information about the user. Log reports were uploaded to a location that could be found with key information.
The log contained user’s username, password, PIN, and historical GPS data about the vehicle’s location. This information could be used to remotely locate, unlock and start the Hyundai. What the researchers didn’t note that the last time we tested the remote app, the phone had to be within a certain distance from the car in order to remotely start the vehicle. Sometimes if the network was busy, the app didn’t open the doors. There also good news is that now Hyundai offers the service for free for three years instead of free for the first year and about $100 a year thereafter.
On Tuesday, the U.S. Department of Homeland Security issued an advisory about the vulnerability which noted that there were no known public exploits specifically targeting these vulnerabilities and that a high skill level is needed to exploit.
Hyundai Blue Link application software, 3.9.4 and 3.9.5 could be open up sensitive information about registered users and their vehicles, including application usernames, passwords, and PINs via a log transmission feature. This feature was introduced in version 3.9.4 on December 8, 2016, and removed by Hyundai on March 6, 2017 with the release of version 3.9.6.
This vulnerability was discovered by independent researchers William Hatzer and Arjun Kumar at Rapid7, who wrote
“The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by standard man-in-the-middle (MitM) attack methods to trick a user into connecting to a WiFi network controlled by an attacker on the same network as the user. If this is achieved, an attacker would then watch for HTTP traffic directed at http://220.127.116.11:8080/LogManager/LogServlet, which includes the encrypted logfile with a filename that includes the user’s email address.”
Rapid7 noted that it would be difficult to impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to the vendor’s service instance.
Hyundai Motor America (HMA) was made aware of a vulnerability in the Hyundai Blue Link mobile application by researchers at Rapid7. Upon learning of this vulnerability, HMA launched an investigation to validate the research and took immediate steps to further secure the application. HMA is not aware of any customers being impacted by this potential vulnerability.
The privacy and security of our customers is of the utmost importance to HMA. HMA continuously seeks to improve its mobile application and system security. As a member of the Automotive Information Sharing Analysis Center (Auto-ISAC), HMA values security information sharing and thanks Rapid7 for its report.
On March 6, 2017, Hyundai updated the Hyundai Blue Link app to version 3.9.6, which removes the LogManager log transmission feature. In addition, the TCP service at 18.104.22.168:8000 has been disabled. The mandatory update to version 3.9.6 is available in both the standard Android and Apple app stores.