Insecure communication strikes again
By DRP; Cybersecurity Lab Engineer
Consumers have spoken and the OEMs have listened. The consumers want increased connectivity, not simply for productivity's sake but also for convenience. It is by far easier, for example, to interact through the head unit and display an interactive map as the user drives the vehicle towards their destination, versus putting the address into the user's cell phone app and trying to watch the map on the phone while driving. Some may term this distracted driving, which is strictly frowned upon. The response from nearly all OEMs has been rather resounding, with the increase in apps, functionality, and ease of use. There are presently apps in use for Android and iPhone devices, Android Auto and Apple CarPlay, that use the smartphone for the head unit (HU) display. Although this is a benefit for the user, there have been issues for the OEMs and their suppliers with their apps and functionality. One such occurrence was last year with Hyundai's Blue Link.
Blue Link is a mobile application users install to interact with their vehicle. With it in place, users are able to lock and unlock the doors, start and stop the air conditioning or heat, and start the vehicle from a remote location. A secondary benefit of the app is that it allows for stolen vehicle recovery and for vehicle health reports to be emailed to the user and other parties. These functions are not an anomaly in the market; they have been in use for some time with other OEMs. They are, however, well received by users, who can sit at a desk in a warm office on a cold January day and start their car from there.
Overall, the app is exceptionally useful and has improved the user experience with the vehicle. This app is available for the Android and iOS platforms.
With any product line there are incremental versions, manifested by improvements and enhancements. It is not conceivable to have every aspect included in the first version. Each new version includes improvements, adjustments, and other modifications to improve its operation. In this case, Hyundai introduced version 3.9.4 on December 8, 2016.
Although this update did deliver increased functionality, it likewise introduced a bug. The issue was detected and researched by Rapid7. The vulnerability appeared with version 3.9.4 and continued with 3.9.5. Blue Link was intended to improve the user experience; however, the functionality did not fully incorporate cyber-security as it should have.
The app was coded to transmit its logs to a static IP over HTTP (port 8080). The logs contained login credentials, the PIN, the user's email address, and GPS data. The logs themselves were encrypted with a simple static symmetric key, 1986I12Ov09e. The passwords were hard-coded. Individually, each of these may not have been the optimal choice for the app; combined, they show the feature was not implemented well or with significant security-oriented forethought.
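The weak pattern described above, set beside a hardened equivalent, as an added Python example that is not Blue Link's code and not from Rapid7 or Hyundai. The endpoint, host name, key bytes and log record are constructed placeholders. The point it makes is that once a key is baked into an app binary, whatever symmetric scheme wraps the logs adds nothing for anyone who has the binary; what actually protects the user's data is redacting sensitive fields before shipping and sending only over TLS to a known host.

```python
import json
from urllib.parse import urlparse

# Constructed sample diagnostic record shaped like the data the article says
# the app logged (credentials, PIN, e-mail address, GPS). All values are made up.
SAMPLE_RECORD = {
    "event": "remote_start",
    "username": "driver@example.com",
    "password": "hunter2",
    "pin": "1234",
    "email": "driver@example.com",
    "gps": {"lat": 42.3314, "lon": -83.0458},
    "app_version": "3.9.4",
}

# Fields that must never leave the device inside a diagnostic log.
SENSITIVE_FIELDS = frozenset({"username", "password", "pin", "email", "gps"})

# --- Weak pattern (as the article describes it): plaintext HTTP to a fixed
#     IP, the whole record included, and a key embedded in the app itself.
#     Both values below are placeholders, not the real ones. ---
WEAK_ENDPOINT = "http://198.51.100.10:8080/logs"   # constructed static IP
WEAK_STATIC_KEY = b"PLACEHOLDER-STATIC-KEY"         # hypothetical embedded key


def build_weak_payload(record):
    """Serialise the whole record for the weak shipper.

    Anyone who can read the app binary also holds WEAK_STATIC_KEY, so the
    symmetric wrapping protects nothing once the binary is in hand. The payload
    is therefore modelled here as the plaintext it effectively is."""
    return WEAK_ENDPOINT, json.dumps(record).encode()


# --- Hardened pattern: redact first, then ship only over TLS to a known host. ---
ALLOWED_LOG_HOSTS = frozenset({"logs.example.com"})   # hypothetical host


def redact(record):
    """Return a copy of record with every sensitive field replaced by a marker."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def validate_endpoint(url):
    """Reject anything that is not HTTPS to an allow-listed host."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-TLS log endpoint: {url}")
    if parsed.hostname not in ALLOWED_LOG_HOSTS:
        raise ValueError(f"refusing unknown log host: {parsed.hostname}")
    return url


def build_hardened_payload(record, url="https://logs.example.com/logs"):
    """Validate the endpoint, then serialise only the redacted record."""
    return validate_endpoint(url), json.dumps(redact(record)).encode()


def leaks(payload, record):
    """True if any sensitive value from record appears verbatim in payload."""
    text = payload.decode()
    for key in SENSITIVE_FIELDS:
        value = record.get(key)
        if value is None:
            continue
        needle = value if isinstance(value, str) else json.dumps(value)
        if needle in text:
            return True
    return False


if __name__ == "__main__":
    for builder in (build_weak_payload, build_hardened_payload):
        url, payload = builder(SAMPLE_RECORD)
        print(f"{builder.__name__}: {url} leaks={leaks(payload, SAMPLE_RECORD)}")
```

The `leaks` check is the kind of assertion a test suite can run against every outbound payload builder, so that a later update which starts logging a new sensitive field fails the build rather than shipping.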
Unfortunately, prior to the fix, this vulnerability could be exploited with a simple MitM attack. The attacker would be looking for situations when the user is not on a secure Wi-Fi connection. This could be the office Wi-Fi: it may be provided for the employees' use, but it can be monitored by the admins and others. The office may have a guest Wi-Fi account, which the user would connect with. Other locations known for having issues are coffee shops, hotels, schools, and other retail operations. The scope for this attack would be rather narrow.
The attackers would have to target a user on the insecure Wi-Fi for this to be effective. If the user would not connect to one of these Wi-Fi locations, the enterprising attacker could always place a Wi-Fi hotspot they completely controlled near parking areas. Free Wi-Fi is rather substantial bait.
The target at the time would have been the 2012 and newer model years without the patch and with app versions 3.9.4 and 3.9.5. This could, in theory, be used to access and take control over certain operations of the subject vehicle (e.g. unlock the doors so anyone could have access).
The thief could start the car so it would be nice and warm when stolen, unlock the doors, and drive away in the already heated vehicle. Once the vehicle was stolen, the attacker could then spoof the GPS, effectively bypassing the stolen vehicle recovery feature. It is important to note that no malicious thefts were reported from this vulnerability. This, however, could have been exploited to the user's detriment.
This specific issue was from 2016 and was corrected with app version 3.9.6. The updated version was released for Android devices on March 6, 2017, and for iOS on March 8, 2017. ICS-CERT also noted this issue as CVE-2017-6052; the MitM vulnerability was rated Medium severity. The hardcoded cryptographic key issue was noted as CVE-2017-6054, with High severity.
Lessons Learned … Again
This is a continuing issue. The underlying problem of info- and cybersecurity not being applied at the beginning of the project is still alive and well. When there is an update, the process should generally re-test the update to ensure it did not create another vulnerability. These interfaces, while coded by professionals, may have issues that remain unknown without further testing. These apps and associated functions take a significant amount of time to research, test, and report on.
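As an added illustration of re-testing each update, here is a small regression gate (example code, not from the article, Hyundai or Rapid7) that scans the network configuration of a new build for plaintext HTTP endpoints and hard-coded key-like constants, and reports only the findings the previous build did not have. The two configuration snippets are constructed stand-ins, not Blue Link's actual source; the pattern names and thresholds are assumptions a team would tune to its own code base.

```python
import re

# Constructed stand-ins for the network configuration of two consecutive app
# builds. Neither is real Blue Link source; every value is a placeholder.
PREVIOUS_BUILD = '''\
API_ENDPOINT = "https://api.example.com/v1"
TIMEOUT = 30
'''

NEW_BUILD = '''\
API_ENDPOINT = "https://api.example.com/v1"
LOG_ENDPOINT = "http://198.51.100.10:8080/upload"
LOG_KEY = "PLACEHOLDER0123"
TIMEOUT = 30
'''

# A quoted URL using plaintext HTTP ("https://" does not match the "http://" prefix).
PLAINTEXT_URL = re.compile(r'["\']http://[^"\']+["\']')

# An identifier containing key/secret/password/pin assigned a literal of 8+ chars.
HARDCODED_SECRET = re.compile(
    r'(?i)\b\w*(?:key|secret|password|pin)\w*\s*=\s*["\'][^"\']{8,}["\']')


def scan(source):
    """Return (line_number, finding_kind, stripped_line) for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if PLAINTEXT_URL.search(line):
            findings.append((lineno, "plaintext-http-endpoint", line.strip()))
        if HARDCODED_SECRET.search(line):
            findings.append((lineno, "hardcoded-secret", line.strip()))
    return findings


def regressions(previous_source, new_source):
    """Findings present in the new build but absent from the previous one.

    Line numbers are dropped from the comparison so that a line which merely
    moved between builds does not count as a new finding."""
    before = {(kind, text) for _, kind, text in scan(previous_source)}
    return [f for f in scan(new_source) if (f[1], f[2]) not in before]


def release_gate(previous_source, new_source):
    """True when the update introduced no new finding; intended as a CI step
    that runs on every version before it is published."""
    new = regressions(previous_source, new_source)
    for lineno, kind, text in new:
        print(f"line {lineno}: {kind}: {text}")
    return not new


if __name__ == "__main__":
    print("gate passed" if release_gate(PREVIOUS_BUILD, NEW_BUILD) else "gate failed")
```

Run against the two constructed builds, the gate fails on the new build and names the two lines that caused it: the plaintext log endpoint and the embedded key. Comparing against the previous build keeps the gate focused on what the update changed, which is the question the paragraph above says usually goes unasked.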
The issue generated by the vulnerability is pertinent and timely. The user would not want an unauthorized person accessing the vehicle, the user's private information being captured and distributed, and/or the other party being destructive with the vehicle.
This issue is only going to increase in importance. The new autonomous vehicles will primarily leave the user out of the driving loop. A vulnerability exploited here is much more dangerous for the vehicle, the individual driver and passenger, and anyone within 75 feet of the infected vehicle.
The future driver will be the computer. These systems will be just as susceptible to attack as the user's home and office PC. The home PC, if thoroughly infected with malware and a rootkit, may be reformatted or scanned with anti-virus (AV) a few times to remove the threat, as much as possible. The factory reformat may be a necessity; however, either route takes time and is a significant inconvenience.
For comparison, how much of an inconvenience is it for a vehicle with an exploited vulnerability to have its operations removed from its processor's controls at 75 mph on I-75 during rush hour? The vehicle is transformed from a simple tool to move from point A to point B into a weapon. The implications are rather significant and serious.
Now is the time to implement cybersecurity into the vehicles from the beginning of the project, new version, or modification. If the project has begun, the cybersecurity person should be present during the meetings and in the project flow as much as possible.
Bolting security on at or near the end of the project has not, does not, and will not work.
Armasu, L. (2017, April 26). Hyundai ‘blue link’ vulnerability allows thieves to start cars remotely. Retrieved from http://www.tomshardware.com/news/hyundai-blue-link-vulnerability-thieves.34248.html
Bisson, D. (2017, April 26). Flawed hyundai app could have helped hackers break into cars. Retrieved from https://www.grahamcluley.com/flawed-hyundai-app-could-have-helped-hackers-break-into-cars/
Dark Reading. (2017, April 25). Hyundai blue link vulnerability allows remote start of cars. Retrieved from http://www.darkreading.com/attacks-breaches/hyundai-blue-link-vulnerability-allows-remote-start-of-cars/d/d-id/1328719
Edelstein, S. (2017, April 25). Hyundai fixes blue link app after researchers identify vulnerabilities. Retrieved from http://www.thedrive.com/tech/9652/hyundai-fixes-blue-ink-app-after-researchers-identify-vulnerabilities
Hyundai Forums. (2017, April 27). Bluelink vulnerabilities. Retrieved from http://www.hyundai-forums.com/lf-2015-sonata-:45/559530-bluelink-vulnerabilities-patched.html
ICS-CERT. (2017, April 25). Advisory (ICSA-17-115-03). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03
Information Security Newspaper. (2017, April 27). Retrieved from http://www.securitynewspaper.com/2017/05/27/security-vulnerabilities-hyundai-blue-link-mobile-app-allowed-hackers-steal-vehicles/
Kerner, S.M. (2017, April 25). Hyundai mobile app patched for car hacking vulnerabilities. Retrieved from http://www.eweek.com/security/hyundai-mobile-app-patched-for-car-hacking-vulnerabilities
Krok, A. (2017, April 26). Hyundai patches blue link app to remove vulnerabilities. Retrieved from https://www.cnet.com/roadshow/news/hyundai-patches-blue-link-app-to-remove-vulnerabilities/
Leyden, J. (2017, April 25). Hyundai app security blunder allowed crooks to ‘steal victims’ cars’. Retrieved from https://www.theregister.co.uk/2017/04/25/hyundai_blue_link_app_security/
Mimoso, M. (2017, April 25). Hyundai patches leaky blue link mobile app. Retrieved from https://threatpost.com/hyundai-patches-leaky-blue-link-mobile-app/125182
Puthran, N. (2017, April 26). Hyundai upgrades blue link app citing vulnerability to car theft. Retrieved from https://www.cartrade.com/car-bike-news/hyundai-upgrades-bluelink-app-citing-vulnerability-to-car-theft-134157.hmtl
Todb. (2017, April 25). R7-2017-02: Hyundai blue link potential info disclosed (FIXED). Retrieved from https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed
Ullrich, J. (2017, April 26). SANS internet storm center daily network security and information security podcast. Retrieved from https://isc.sans.edu/podcast.html
About the Author
DRP began coding in the 1980s. Presently DRP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry. DRP is presently completing a PhD (Information Assurance and Security), with the dissertation in progress. DRP's interests include cryptography, SCADA, and securing communication channels. He has presented at regional InfoSec conferences.