Hyundai's newly-patched security flaw shows how vulnerable smart cars can be

While the flaw was admittedly not grave, it is still alarming to see how smart technology can put our cars at risk.

Published Date: 27 - Apr - 2017 | Last Updated: 22 - May - 2017
 

As cars keep getting smarter, many carmakers have started providing mobile apps that allow users to operate multiple car functions from the comfort of their phones. Hyundai’s Blue Link app is one such platform that allows users to lock/unlock the car, start/stop it, and even operate lights. However, with internet connectivity comes multiple safety threats, and that is exactly what Hyundai’s cars were exposed to via the Blue Link app.

The vulnerability in Hyundai Blue Link versions 3.9.4 and 3.9.5 exposed users to two risks, although neither was easy to exploit or would have had extreme repercussions if exploited. The first flaw allowed malicious users to connect to the app while it was in use and gain access to car controls, and the second gave hackers access to user accounts by seizing the decryption key when a user logged in to their account.

The first occurred because the endpoints of the communication channel were not verified. As a result, hackers could easily gain access to an operation being performed and take control of car operations. The second occurred because the decryption key that reads the encrypted passwords of user accounts was coded into the data transmission. With this, hackers could obtain the decryption key and gain access to user accounts.
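A static check for the two flaw classes described above, as an added example that is not code from the article or from Hyundai: it scans app source for disabled endpoint verification and for key material embedded as a string literal. The rule patterns and both Java-style samples are constructed for illustration and are assumptions, not the Blue Link app's code.

```python
import re

# Illustrative rules (assumptions, not derived from the Blue Link app).
RULES = [
    # No TLS at all, so nothing authenticates the server endpoint.
    ("cleartext-endpoint", re.compile(r"""["']http://""")),
    # Hostname verification switched off.
    ("unverified-endpoint", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    # Trust manager whose server check has an empty body (accepts any cert).
    ("unverified-endpoint",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}")),
    # Symmetric key built from a string literal shipped with the app.
    ("hard-coded-key",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
]


def audit(source: str):
    """Return sorted (line_number, rule) findings for one source file."""
    findings = set()
    for rule, pattern in RULES:
        for match in pattern.finditer(source):
            # Report the line on which the matched construct starts.
            lineno = source.count("\n", 0, match.start()) + 1
            findings.add((lineno, rule))
    return sorted(findings)


# Constructed sample: every line shows one weak pattern.
WEAK = '''\
String url = "http://api.example.invalid/login";
client.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
public void checkServerTrusted(X509Certificate[] c, String a) {
}
Key k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
'''

# Constructed sample: the same code with the corrected settings.
HARDENED = '''\
String url = "https://api.example.invalid/login";
public void checkServerTrusted(X509Certificate[] c, String a) {
    platformDefault.checkServerTrusted(c, a);
}
Key k = keyStore.getKey("session", null);
'''

if __name__ == "__main__":
    for lineno, rule in audit(WEAK):
        print(f"line {lineno}: {rule}")
    print("hardened findings:", audit(HARDENED))
```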

Hyundai has since patched these vulnerabilities in the new Blue Link app version 3.9.6. The flaws were admittedly not fatal, because a hacker would first have needed to make a user connect to a specific Internet hotspot set up with malicious intent. Secondly, the app itself only gives primary controls such as locking/unlocking the car, starting the engine or switching on car lights, and does not provide navigational abilities.

Nevertheless, this is still a sign of how vulnerable smart car applications can be, and points to the grave threats that such applications can pose. For more versatile applications, this could have led to deeper security flaws involving theft and other mishaps. This is also a sign of how Internet security needs to improve for the Internet of Things ecosystem, and there is a long way to go before connected vehicles become a safe thing to own.

As of now, though, everything seems to be back in order.

Souvik Das

Sentience.