Security Bug in Hyundai’s Mobile App Made Cars Susceptible to Theft

Cyber security firm Rapid7 has claimed in a report that a security flaw in Hyundai’s mobile app, that allows a car to be started remotely, made vehicles susceptible to theft from high-tech thieves for three months before the company fixed the bug in March. Hyundai has acknowledged the bug’s existence and said it moved quickly to fix the problem, Reuters is reporting.

Tod Beardsley, research director with Rapid7, explained that Hyundai introduced a flaw in a Dec. 8 update to the mobile app for its Blue Link connected car software that made it possible for car thieves to locate vulnerable vehicles, unlock and start them. Both the company and Beardsley however confirmed that no cases of car thieves exploiting the vulnerability were reported, before Hyundai pushed out a fix to iOS and Android users in early March.

“The issue did not have a direct impact on vehicle safety,” said Jim Trainor, a spokesman for Hyundai Motor America. “Hyundai is not aware of any customers being impacted by this potential vulnerability.”

The bug surfaced as the auto industry bolsters efforts to secure vehicles from cyber attacks, following a high-profile recall of Fiat Chrysler vehicles in 2015 and government warnings about the potential for car hacks. “What’s changed is not just the presence of all that hackable software, but the volume and variety of remote attack surfaces added to more recent vehicles,” said Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative.

Back in 2015, a similar bug was patched by General Motors in its OnStar vehicle communication system, which potentially allowed hackers to break into cars.