Hyundai patches Blue Link app to remove vulnerabilities

Previous versions were subject to man-in-the-middle attacks to gain access to certain vehicle functions.

Andrew Krok Reviews Editor / Cars

Many automakers now offer apps that let owners lock, unlock and even start vehicles remotely. As Hyundai learned, though, those apps can contain some big ol' security concerns.

Hyundai released version 3.9.6 of its Blue Link connected-car mobile app in March to patch up vulnerabilities that could allow unscrupulous individuals to access certain vehicle functions. Both versions 3.9.5 and 3.9.4 of the app have these holes, so it's imperative that owners update their apps immediately.


Those pesky kids, always tryin' to hack into your car.


There are two vulnerabilities, which were discovered by researchers working with the cybersecurity firm Rapid7. The first hole, called a "man-in-the-middle" vulnerability, exists because the app did not verify communications channel endpoints. That means someone could slide into the middle of that communication stream and gain access, and the app would be none the wiser.
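To show what "verifying the endpoint" means for a TLS client, here is an added example that is not from Hyundai, Rapid7 or the Blue Link app. It uses Python's standard `ssl` module with hypothetical function names, and sets a client configuration that skips endpoint checks beside one that performs them, plus a small audit a reviewer could run over either.

```python
import ssl


def weak_context():
    """Encrypts traffic but never authenticates the server (the flaw class described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, from anyone, is accepted
    return ctx


def chain_only_context():
    """Validates the certificate chain but not who the certificate was issued to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # a valid certificate for any other domain passes
    return ctx


def hardened_context():
    """Validates the chain and matches the certificate to the requested hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def endpoint_findings(ctx):
    """Return the endpoint-verification gaps in a client SSLContext (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


if __name__ == "__main__":
    for name, build in [("weak", weak_context),
                        ("chain-only", chain_only_context),
                        ("hardened", hardened_context)]:
        print(f"{name}: {endpoint_findings(build()) or 'endpoint is verified'}")
```

The chain-only case is the one that slips through reviews most often: the connection is encrypted and the certificate is valid, yet the client still cannot tell the real service from anyone else holding a valid certificate.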

The second such security issue involved the use of a hard-coded decryption password. Even though the app relies on encrypted passwords, when it sends those passwords to Hyundai's cloud services, the key required to decrypt those passwords is coded directly into the transmission. Anyone who could see that transmission would be able to grab the decryption key and gain access to a user's account.

Thankfully, these wouldn't have been easy to pull off. According to ThreatPost, an attacker would need an owner to connect to the app via a malicious Wi-Fi hotspot, which isn't always easy. Either way, owners using the updated app won't have to worry about this.

And it's not like there'd be much a hacker could do with access to Blue Link. Locking and unlocking a car could be used as a precursor for theft, and remote starting a vehicle may drain the gas tank or fill a garage with carbon monoxide, but that would be about it. Blue Link has no connection to the throttle, brakes or steering.
