Hyundai recently found out that the app technology developed to ease and enhance its car ownership experience could also work in favour of car thieves. The Blue Link smartphone app, which is available for iOS and Android, leaked sensitive personal information about registered users and their vehicles. The data included usernames, passwords, PINs and GPS location records, which were then used by thieves to steal the vehicle.
Reports reveal that the current versions 3.9.4 and 3.9.5 of the app transmitted the private information back to Hyundai over plain HTTP, encrypted with the fixed key “1986l12Ov09e”, which can be easily extracted from the application's code. An unsecured network allowed attackers to intercept the app's Wi-Fi traffic, capture the data and decrypt it using the key. Hyundai is believed to have collected this information as telemetry on app usage.
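A pre-release check for the two flaws described above, a key literal compiled into the app and a cleartext HTTP endpoint, is sketched below as an added example; it is not code from Hyundai or from the original report. The Java snippet it scans is constructed, and the `audit` function and rule names are hypothetical.

```python
import re

# Constructed sample of decompiled-style Java; not taken from the Blue Link app.
SAMPLE_SOURCE = '''\
public class Uploader {
    static final String ENDPOINT = "http://telemetry.example.com/upload";
    static final String LOG_KEY = "0123456789abcdef";
    static final String HELP = "https://www.example.com/help";
    SecretKeySpec a = new SecretKeySpec(LOG_KEY.getBytes(), "AES");
    SecretKeySpec b = new SecretKeySpec("fedcba9876543210".getBytes(), "AES");
    SecretKeySpec c = new SecretKeySpec(keyFromKeystore.getBytes(), "AES");
}
'''

# String constants assigned from a literal, e.g. String LOG_KEY = "...";
CONST_RE = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"')
# Key material handed to SecretKeySpec: an inline literal or an identifier.
KEYSPEC_RE = re.compile(r'new\s+SecretKeySpec\(\s*(?:"([^"]*)"|(\w+))\s*\.getBytes')
# URL literals that use cleartext HTTP (https:// does not match).
HTTP_RE = re.compile(r'"(http://[^"]+)"')


def audit(source):
    """Return (line_no, rule, detail) findings for hardcoded keys and HTTP URLs."""
    lines = source.splitlines()
    # First pass: remember which identifiers are compile-time string constants.
    consts = {name for line in lines for name, _ in CONST_RE.findall(line)}
    findings = []
    for no, line in enumerate(lines, 1):
        for m in KEYSPEC_RE.finditer(line):
            literal, ident = m.group(1), m.group(2)
            if literal is not None:
                # Report the location only; never echo key bytes into a report.
                findings.append((no, "hardcoded-key", "<inline literal>"))
            elif ident in consts:
                findings.append((no, "hardcoded-key", ident))
            # Identifiers not backed by a literal (runtime keys) are not flagged.
        for url in HTTP_RE.findall(line):
            findings.append((no, "cleartext-http", url))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCE):
        print(finding)
```

Either finding alone is a release blocker: anyone holding the app binary holds the key, so the encryption adds no confidentiality on a network where the traffic can be read.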
To fix the issue, Hyundai Motors silently rolled out a software upgrade to a new version, 3.9.6, on owner handsets. The update began sometime in early March and is now believed to be complete. The company clarified that the Blue Link bug was not too risky, as moving vehicles were not vulnerable to attacks and an attacker would need to be near the targeted vehicle while the owner was using the mobile app over an insecure Wi-Fi connection.
The Blue Link app in Hyundai cars in India is not affected, and with the upgraded version in place, the bug has been rectified for cars sold in the international market.