
Hyundai upgrades Blue Link App citing vulnerability to car theft

Nikhil Puthran, Wednesday 26 April 2017, 14:21 PM

In an effort to enhance the car ownership experience, Hyundai had introduced the Blue Link smartphone app for iOS and Android devices. However, the technology has also worked in favour of car thieves, as it leaked certain personal information pertaining to registered users and their vehicles. The leaked data included usernames, passwords, PINs, as well as GPS location records, which were then used by thieves to steal the vehicle.

Reports reveal that the current versions 3.9.4 and 3.9.5 of the app transmitted the private information back to Hyundai over plain HTTP, encrypted with the fixed key “1986l12Ov09e”, which can be easily extracted from the application's code. On an unsecured network, attackers could intercept the app's Wi-Fi traffic to get hold of the data and decrypt it using the key. Hyundai is believed to have collected this information as telemetry on app usage.

To fix the issue, Hyundai Motors silently introduced a software upgrade to a new version, 3.9.6, on owner handsets. The update began sometime in early March and is now believed to be complete. The company had clarified that the Blue Link bug was not too risky, as moving vehicles were not vulnerable to attacks and the hacker needs to be near the targeted vehicle while the owner is using the mobile app over an insecure Wi-Fi connection.

The Blue Link app in Hyundai cars that have been sold internationally has been upgraded, while the ones in India have not been majorly affected.

 
