(Adds comment from U.S. Department of Homeland Security)
By Alastair Sharp
TORONTO, April 25 - Software vulnerabilities in a
Hyundai Motor Co app that lets a car be started
remotely made the company's vehicles susceptible to theft from
high-tech thieves for three months before the company fixed the
bug in March, a cyber security firm said on Tuesday.
Hyundai introduced the flaw in a Dec. 8, 2016 update to the
mobile app for its Blue Link connected car software, making it
possible for car thieves to locate vulnerable vehicles, then
unlock and start them, said Tod Beardsley, research director
with cyber security firm Rapid7 Inc.
Hyundai confirmed the bug's existence and said it moved
quickly to fix the problem.
The U.S. Department of Homeland Security issued an advisory
about the vulnerability on Tuesday.
"No known public exploits specifically target these
vulnerabilities," the advisory read. "High skill level is needed
to exploit."
Both the company and Beardsley said they did not know of any
cases of car thieves exploiting the vulnerability before Hyundai
pushed out the fix to Android and iPhone users in early March.
"The issue did not have a direct impact on vehicle safety,"
said Jim Trainor, a spokesman for Hyundai Motor America.
"Hyundai is not aware of any customers being impacted by this
potential vulnerability."
The bug surfaced as the auto industry bolsters efforts to
secure vehicles from cyber attacks, following a high-profile
recall of Fiat Chrysler vehicles in 2015 and
government warnings about the potential for car hacks.
Risks have multiplied in recent years as vehicles have grown
more complex, adding features like mobile apps that can locate,
unlock and start them.
"What's changed is not just the presence of all that
hackable software, but the volume and variety of remote attack
surfaces added to more recent vehicles," said Josh Corman,
director of the Atlantic Council's Cyber Statecraft Initiative.
Fiat Chrysler recalled 1.4 million U.S. vehicles in 2015
after two security researchers demonstrated that they could get
remote control of a Jeep traveling at high speeds.
The Blue Link bug is not as frightening as the ones
uncovered in the Fiat Chrysler vehicles. Moving vehicles are not
vulnerable to attacks using the Blue Link app, and a hacker
would have to be near the owner of a targeted vehicle who is
using the mobile app via an insecure WiFi connection, Beardsley
said.
General Motors Co patched a similar bug in its OnStar
vehicle communication system in 2015 that had the potential to
let hackers break into cars.
(Reporting by Alastair Sharp in Toronto; Editing by Jim Finkle,
Leslie Adler and Jeffrey Benkoe)