Software security in cars is a hot topic. On platforms such as TikTok, a trend known as the Kia Challenge or Kia Boys is enjoying a revival: the aim is to steal Kia or Hyundai vehicles using a USB stick. And I came across another instance of sloppiness: a blogger searching the web found the private keys for software updates on Hyundai vehicles.
Kia Challenge: stealing a car
In the US, police have been looking into a strange phenomenon: in St. Petersburg, Florida, 56 cars were stolen in July, according to this tweet; 23 of them were Kias and Hyundais. 41 percent of car thefts hitting two brands from the same group? In Milwaukee the share was as high as 66 percent, as you can read here.
Apparently, current Kias can be broken into through the rear window without setting off an alarm. After that the thieves, who are usually underage, simply start the vehicle with a USB cable plugged into a socket in the steering column after the trim has been torn off, and go on joyrides. These are then filmed and shared on platforms such as YouTube and TikTok.
It looks as if the vehicle can be started and taken for joyrides by simple means. According to this article, Kia models from 2011 to 2012 and Hyundai models from 2015 to 2021 in particular have vulnerabilities that allow thieves to turn on the ignition and thus bypass the key-based lock. In the U.S., vehicle owners try to protect themselves against these thefts with a steering wheel lock (a bar that is clamped onto the steering wheel and locked in place). This keeps thieves from taking the vehicles on longer joyrides involving turns. This is not an issue in Germany, where vehicles have been required to have an immobilizer since January 1, 1998.
Hyundai private key found on the Internet
Access to the vehicle software of passenger cars, e.g. for updates, is protected by a digital signature so that unauthorized persons cannot tamper with it. The private key used for signing is kept well protected by the manufacturers; no one can get at it. After all, anyone who has the private key can sign software that passes verification against the public key. A password provides maximum protection against misuse.
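To make the signing argument concrete, here is an added example (not code from this blog, from Hyundai or from the developer's write-up) implementing RSASSA-PKCS1-v1_5 with SHA-256 over a plain-Python RSA key, the kind of scheme used to sign update images. The key size, the image contents and the function names are assumptions for illustration. It shows three things: a genuine image verifies, a tampered image does not, and any image signed with the private key is accepted just like the vendor's own, which is why custody of that key is what actually protects the update path.

```python
import hashlib
import secrets

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
PUBLIC_EXPONENT = 65537  # prime, so gcd(e, phi) != 1 only when e divides phi


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with the top bit set, so p*q has a predictable size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(prime_bits=512):
    """Return (public, private) as ((n, e), (n, d)). Demo size; use 2048-bit+ keys in practice."""
    while True:
        p, q = _random_prime(prime_bits), _random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)
    return (n, PUBLIC_EXPONENT), (n, d)


def _encode_message(data, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(data)), padded to k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_image(private_key, image):
    """Signature = encoded(image)^d mod n, as a k-byte big-endian string."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_encode_message(image, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify_image(public_key, image, signature):
    """True only if `signature` was made with the private half of `public_key` over exactly `image`."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _encode_message(image, k))


if __name__ == "__main__":
    vendor_public, vendor_private = generate_keypair()
    update = b"constructed sample: genuine infotainment update v1.0"  # constructed image
    sig = sign_image(vendor_private, update)
    print("genuine update accepted:", verify_image(vendor_public, update, sig))
    print("tampered image accepted:", verify_image(vendor_public, update + b"\x00", sig))
    # The blog's point: whoever holds the private key can produce images the car accepts.
    modified = b"constructed sample: modified update"
    print("modified image signed with the same key accepted:",
          verify_image(vendor_public, modified, sign_image(vendor_private, modified)))
```

The verifier only ever needs the public key, so a leaked private key is not detectable from the car's side: the modified image is indistinguishable from a vendor release. The defensive consequences are key custody (HSM-backed signing, no keys in source or build archives) and the ability to rotate the public key in the fleet when a leak is discovered.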
So that interested parties can understand this and developers can familiarize themselves with the matter, there are various articles on the Internet; the article linked above shows that private keys are also published there for demonstration purposes. That in itself is not a problem, unless a software developer finds it clever to take a publicly accessible private key found on the Internet and use it in his product right away.
One software developer bought a 2021 Hyundai Ioniq SE in the summer of 2021, a fuel-efficient hybrid vehicle with features like wireless Android Auto/Apple CarPlay, wireless phone charging, heated seats and a sunroof. As curious developers do, he began playing and experimenting with the infotainment system. In this blog post, he describes how he was able to crack the firmware of the infotainment system. In the process he also came across a private key in files he had downloaded from the Internet (from this Hyundai MOBIS open source site), which he was able to extract after brute-forcing the password.
It turned out that the encryption key in a script is the first AES-128 CBC example key listed in NIST document SP800-38A. The assumption that such an example key could never find its way into production proved to be a fallacy. The article is a bit lengthy; as I understand it, the developer was able to find all the information he needed via the Internet and hacking tools. By the end of April 2022, he was then able to use an update for his vehicle for testing. In this post, he then describes how he was able to backdoor his car with the knowledge he gained and use it for his own purposes. Brave new world of car software.
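The SP800-38A example key is a public constant, so its presence in a shipped script or image is something a build pipeline can check for mechanically. The scanner below is an added example, not code from this blog or from the developer's write-up; it looks for a handful of well-known test-vector keys from NIST SP800-38A and FIPS-197, both as raw bytes in a binary and as hex text in any common spelling (plain hex, `0x..` C arrays, colon-separated). The three sample inputs (a shell snippet, a C array, a fake binary blob) are constructed for illustration.

```python
import re

# Well-known example keys from public standards documents. Any of these in a
# shipped script or firmware image means a test vector was copied into production.
KNOWN_EXAMPLE_KEYS = {
    "NIST SP800-38A AES-128 example key": "2b7e151628aed2a6abf7158809cf4f3c",
    "NIST SP800-38A AES-192 example key": "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
    "NIST SP800-38A AES-256 example key":
        "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
    "NIST SP800-38A example IV (also the FIPS-197 appendix key)":
        "000102030405060708090a0b0c0d0e0f",
}

_HEX_PREFIX = re.compile(rb"(?i)(?:0x|\\x)")   # "0x2b" / "\x2b" -> "2b"
_NON_HEX = re.compile(rb"[^0-9a-fA-F]")        # drop commas, colons, spaces, braces


def _normalised_hex(data):
    """Collapse "0x2b, 0x7e", "2b:7e", "\\x2b\\x7e" and plain hex into one lowercase digit stream."""
    return _NON_HEX.sub(b"", _HEX_PREFIX.sub(b"", data)).lower()


def scan_for_known_keys(data):
    """Return a list of findings, each {"key": name, "form": "raw bytes"|"hex text"[, "offset"]}."""
    findings = []
    hex_stream = _normalised_hex(data)
    for name, key_hex in KNOWN_EXAMPLE_KEYS.items():
        raw = bytes.fromhex(key_hex)
        if raw in data:  # compiled-in key material inside a binary
            findings.append({"key": name, "form": "raw bytes", "offset": data.index(raw)})
        if key_hex.encode() in hex_stream:  # key spelled out in source or a script
            findings.append({"key": name, "form": "hex text"})
    return findings


# Constructed samples (not taken from any real Hyundai file)
SAMPLE_SHELL_SCRIPT = (
    b"#!/bin/sh\n"
    b"# constructed sample: decrypts an update container with a hard-coded key\n"
    b"openssl enc -d -aes-128-cbc -K 2B7E151628AED2A6ABF7158809CF4F3C "
    b"-iv 000102030405060708090a0b0c0d0e0f -in update.enc -out update.bin\n"
)
SAMPLE_C_SOURCE = (
    b"static const unsigned char key[16] = {\n"
    b"    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,\n"
    b"    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };\n"
)
SAMPLE_BLOB = (b"\x7fELF" + b"\x00" * 8
               + bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c") + b"\x00" * 8)
SAMPLE_CLEAN = (
    b"#!/bin/sh\nKEY=$(cat /etc/update-key)\n"
    b"openssl enc -d -aes-128-cbc -K \"$KEY\" -in update.enc -out update.bin\n"
)

if __name__ == "__main__":
    for label, sample in (("shell", SAMPLE_SHELL_SCRIPT), ("c", SAMPLE_C_SOURCE),
                          ("blob", SAMPLE_BLOB), ("clean", SAMPLE_CLEAN)):
        print(label, scan_for_known_keys(sample))
```

The same dictionary can be extended with any other published constants (RFC test vectors, vendor SDK sample keys) and run as a pre-release check over build outputs and the open-source drops a manufacturer publishes, which is exactly where the key on this page was found.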