Car infotainment system
The app flaws could expose usernames, passwords, Pins and more Reuters

Security flaws in a smartphone application from Hyundai Motor America (HMA) that let customers use their devices as a remote control could, until recently, be exploited by hackers to access sensitive data and even "locate, unlock and start" connected vehicles.

Disclosed this week (25 April) by researchers from Rapid7, the bugs were uncovered in the firm's "Blue Link" application, available on iOS and Android. According to Hyundai's website, it can be used to remotely start the engine, set timers, temperatures, lock the car and more.

The app, it was found, stored key user data in clear-text and used hard-coded decryption passwords.

By intercepting traffic on the network, the flaws could expose usernames, passwords, and PINs via a log transmission feature, Rapid7 experts said in a blog post.

Affected versions of Blue Link application (3.9.4 and 3.9.5) were uploading logs to a static IP address over HTTP on port 8080, explained researchers Will Hatzer and Arjun Kumar in the advisory.

Once decoded, the logs contained everything from passwords to GPS locations.

"This information can be used to remotely locate, unlock and start the associated vehicle," the blog post asserted. The issues with the application, which currently works on vehicles released after 2012, were first disclosed to Hyundai on 2 February this year.

By early March, updates (3.9.6) started to roll out to users via the official Google Play and Apple stores. It was this week (25 April) when ICS-Cert, a fork of the US Department of Homeland Security, officially issued guidance for the problem.

"Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints," Cert warned in its advisory. However, luckily for Hyundai customers at large, the issues could not translate to a full-scale attack.

"It would be difficult-to-impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to the vendor's service instance," Rapid7 said.

"Hyundai Motor America was made aware of a vulnerability in the Hyundai Blue Link mobile application by researchers at Rapid7," the car maker said in a statement.

It continued: "Upon learning of this vulnerability, HMA launched an investigation to validate the research and took immediate steps to further secure the application. HMA is not aware of any customers being impacted by this potential vulnerability.

"The security of our customers is of the utmost importance to Hyundai. HMA continuously seeks to improve its mobile application and system security. As a member of the Automotive Information Sharing Analysis Centre, HMA values security information sharing."

In 2015, Fiat Chrysler was forced to recall 1.4 million vehicles in the US after security researchers showed how its Jeep Cherokee range could be hacked. Experts Charlie Millier and Chris Valasek said dashboard functionality, locks, brakes and much more were all vulnerable.