The issue was discovered in early February 2017 when Rapid7 security researchers informed Hyundai about the flaw the company introduced in version 3.9.4 of the Blue Link app. The company issued a fix in March 2017, with the release of Hyundai Blue Link v3.9.6.
The vulnerable versions of the Blue Link app log to a remote server at various times of the day, exposing sensitive information such as a users username, password, PIN, and historical GPS data, which hackers can use to track down, unlock, and start Hyundai cars.
Still, in order to be able to sniff the local network for the log upload operation an attacker would first need to compromise the same WiFi network the users phone is on. Nonetheless, car thieves can identify Hyundai car owners and follow them around until they connected to a public WiFi network, at which point they could wait for the app to upload its encrypted logs.
The Hyundai Blue Link app can be used to unlock newer Hyundai models released after 2012.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now