Hyundai vehicles were left susceptible to theft by high-tech thieves for three months before the company fixed a bug in its remote ignition app, a cyber security firm has found.
Hyundai introduced a flaw in a December 2016 update to the mobile app for its Blue Link connected car software that made it possible for car thieves to locate vulnerable vehicles, unlock them, and start them, said Tod Beardsley, research director with cyber security firm Rapid7.
Hyundai confirmed the bug's existence and said it moved quickly to fix the problem.
The US Department of Homeland Security issued an advisory about the vulnerability on Tuesday.
"No known public exploits specifically target these vulnerabilities," the advisory read.
"High skill level is needed to exploit it."
The company and Beardsley agreed there were no known cases of car thieves exploiting the vulnerability before Hyundai pushed out the fix to Android and iPhone users in early March.
"The issue did not have a direct impact on vehicle safety," said Jim Trainor, a spokesman for Hyundai Motor America.
The bug surfaced as the auto industry bolsters efforts to secure vehicles from cyber attacks, following a high-profile recall of Fiat Chrysler vehicles in 2015 and government warnings about the potential for car hacks.
Risks have multiplied in recent years as vehicles have grown more complex, adding features like mobile apps that can locate, unlock, and start them.
"What's changed is not just the presence of all that hackable software, but the volume and variety of remote attack surfaces added to more recent vehicles," said Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative.
Fiat Chrysler recalled 1.4 million US vehicles in 2015 after two security researchers demonstrated that they could gain remote control of a Jeep traveling at high speeds.
Moving vehicles are not vulnerable to attacks using the Blue Link app, and a hacker would have to be near a targeted vehicle's owner while that owner is using the mobile app via an insecure Wi-Fi connection, Beardsley said.
In 2015, General Motors patched a similar bug in its OnStar vehicle communication system that had the potential to let hackers break into cars.