Hyundai app security blunder allowed crooks to 'steal victims' cars'

Hyundai has patched its Blue Link smartphone app to stop it blabbing private info that could, it is claimed, be used to break into and steal people's cars. The now-updated software, available for iOS and Android, leaked sensitive personal information about registered users and their vehicles, including usernames, passwords, …

Hyundai says...

..."Hyundai is not aware of any customers being impacted by this potential vulnerability."

Which is like saying that people have potential vulnerabilities to falling pianos, hand grenades, or the vacuum of space.

What gets me is that these are REAL vulnerabilities to everyone. It won't matter if they are ever exposed to them or not. They are still vulnerable to them.

So:

-10 points to Hyundai for bad security.

+5 points to Hyundai for fixing the issue before it was exploited.

-5 Points to Hyundai for illogical press releases.

5
0
Silver badge
Pint

Steal a Hyundai?

Crikey. Their ambition is rubbish.

7
1
Silver badge

Re: Steal a Hyundai?

Fair point. My primary 'anti-theft device' is living between drives, one of which holds a shiny new Mustang and the other a fully tricked out M3. I doubt anyone would target my boring SUV.

1
1

Past and present

In the past you were locked out of your car because the lock was frozen and the de-frosting spray was in the car.

Nowadays you are locked out because your smartphone has no battery any more and the charger is in the car.

6
1
Silver badge
Holmes

Re: Past and present

... and your other charger is inside the house, the door of which is controlled via Bluetooth.

3
0
Silver badge

Re: Past and present

Must be this "progress"-thingy I keep hearing about so much.

1
0
Anonymous Coward

Car Makers think privacy / security doesn't matter...

Well, it does... I've money to spend but holding off because of stuff like this...

0
0
Gold badge
Facepalm

Yes....but....

Now imagine a similar vulnerability being discovered in about eight years' time.

Is it fixable on the older kit? Probably not.

Is the manufacturer going to bother trying to fix it on something that old? Definitely not.

Does that make it any less serious? No.

With it not being fixed, does that make it more likely that someone will build on it to find a way of compromising the vehicle's controls? Yes.

And there you have it. The reason why the concept of the "connected car" needs to be banned. Now. It won't be of course. Government surveillance and data harvesting opportunities trump a mind-numbingly obvious lethal risk every time.

Anyone buying a car with these features needs their bumps felt.

3
0

Next car I buy

Next car I purchase will depend on the manufacturer giving me a declaration in writing that all this crap can be turned off on request. I just want a car with enough electronics to move and play music from CD/USB stick.

1
0
Silver badge
Big Brother

Re: Next car I buy

Well good luck with that, alternatively choose something old without an ECU. If enough people did, the place would end up looking like Havana.

0
0
Silver badge

Re: Next car I buy

a car with enough electronics to ... play music from CD/USB stick

I think I'd prefer wiring for power, speakers and aerial(s) and a DIN-sized hole for the rest.

1
0
Bronze badge

Re: Next car I buy

the place would end up looking like Havana.

But would we get Cuban music from the sound systems?

If I had a Hyundai, I would probably avoid the update in the hope of it being stolen - assuming I could afford the insurance premiums.

0
0
Silver badge

Re: Next car I buy

If enough people did, the place would end up looking like Havana.

And the problem is? I'd have no issue having a nice '55-57 Bel Air or Nomad as a daily driver. Or maybe a '58 Bonneville.

1
0
Silver badge

Transport Security

Unfortunately still not mandatory for iOS on the app store.

What Transport Security does: 1. Requires everything to be https. 2. Requires all servers to use software with no known insecurities.

Since you cannot always enforce this with third party servers, you can register exceptions for this (like access site xxx.yyy.com with software version 1.2 instead of the required 1.3).

This was supposed to be required for all new applications, with exceptions to the checking only allowed for good reasons. No exceptions for your own servers obviously.

Unfortunately it isn't enforced yet. Would have made any hacking impossible on iOS.

0
0
