Hyundai App Security Blunder Allowed Crooks to ‘Steal Victims’ Cars’

Hyundai has patched its Blue Link smartphone app to stop it blabbing private info that could, it is claimed, be used to break into and steal people’s cars. The now-updated software, available for iOS and Android, leaked sensitive personal information about registered users and their vehicles, including usernames, passwords, PINs, and GPS location records.

Essentially, versions 3.9.4 and 3.9.5 of the app transmitted this private information back to Hyundai over plain old HTTP, albeit encrypted with the fixed key “1986l12Ov09e” – a key that can be easily extracted from the application’s code. Any man-in-the-middle attacker eavesdropping on the app’s network connections – such as by snooping on Wi-Fi traffic – can grab this data and decrypt it using the key. Hyundai seemingly collected this information as telemetry for its app usage.
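A pre-release source audit for the two failings described above (a fixed key compiled into the app and a plain-HTTP endpoint), as an added example that is not Hyundai's code and not from the original article. The Java sample, its class and constant names, the endpoint URL and the use of `SecretKeySpec` are constructed assumptions; the article does not name the cipher or API involved.

```python
import re

# Constructed sample of app source. Only the key string comes from the article;
# every other name and URL is hypothetical. ALGORITHM is left undefined because
# the article does not say which cipher was used.
SAMPLE_SOURCE = '''
package com.example.app;

public class Uploader {
    static final String LOG_KEY = "1986l12Ov09e";
    static final String ENDPOINT = "http://telemetry.example.com/upload";
    static final String HELP = "https://example.com/help";

    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec k = new SecretKeySpec(LOG_KEY.getBytes("UTF-8"), ALGORITHM);
        return encrypt(k, body);
    }
}
'''

# String constants, so a key passed by name can be traced back to its literal.
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# Key material handed to SecretKeySpec as a literal or as a named constant.
KEYSPEC_RE = re.compile(r'new\s+SecretKeySpec\(\s*(?:"([^"]*)"|(\w+))\s*\.getBytes')
# Quoted URLs using cleartext HTTP (https:// does not match).
HTTP_RE = re.compile(r'"(http://[^"]+)"')


def audit(source):
    """Return (finding, line_number, value) tuples for one source file."""
    constants = dict(CONST_RE.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = KEYSPEC_RE.search(line)
        if match:
            literal, name = match.group(1), match.group(2)
            value = literal if literal is not None else constants.get(name)
            # Only flag keys that resolve to a literal compiled into the app.
            if value is not None:
                findings.append(("hardcoded-key", lineno, value))
        for url in HTTP_RE.findall(line):
            findings.append(("cleartext-http", lineno, url))
    return findings


if __name__ == "__main__":
    for kind, lineno, value in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Either finding alone is a defect; together they mean the encryption adds no confidentiality, because anyone with a copy of the app has the key and anyone on the network path has the ciphertext.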