back to article Software developer cracks Hyundai car security with Google search

A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. An unidentified developer posting under the name "greenluigi1" wanted to …

  1. threenub

    But can it run doom?

    1. diodesign (Written by Reg staff) Silver badge

      Probably!

      You can run whatever app you want on it.

      C.

      1. b0llchit Silver badge
        Coat

        Yes, yes, but "whatever app" does not compare to Doom!

        ;-)

        1. spireite Silver badge
          Coat

          If you could run Doom on it........

          ...... that would be Iconic

          1. GreggS

            re: that would be Iconic

            It would certainly be Ioniq.

          2. Will Godfrey Silver badge
            Facepalm

            It could also become ironic

        2. Someone Else Silver badge

          You could run the John Deere version of Doom that was hacked into the Deere "infotainment" (?) console. Take your Ioniq down to the farm and do a paired session!

    2. Paul Herber Silver badge
      Pint

      How about Doom Bar?

      <Obvious icon>

      1. Anonymous Coward
        Anonymous Coward

        Running Doom Bar is fine as long as it's not an AV

        Even the car must not drink and drive.

    3. sabroni Silver badge
      Unhappy

      Signed up just to derail a thread?

      Sad

    4. AndrueC Silver badge
      Joke

      I'm getting sick of all these Doom and zoom stories :)

      Redux

  2. OhForF'

    Looks like somebody took the common advice a bit too far.

    "Don't create your own algorithm - use something the experts developed and checked" does apply to the algorithm - not the keys.

    I wonder what the password for zip file was, "password" or "secret"?

    1. that one in the corner Silver badge

      I wonder what the password for zip file was

      12345, the same as my atmosphere shield

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder what the password for zip file was

        That's amazing, I've got the same combination on my luggage.

        1. Will Godfrey Silver badge
          Angel

          Re: I wonder what the password for zip file was

          You have five digit luggage?

          Us poor folk can only manage three digit...

          And we have to write the numbers ourselves in crayon.

    2. WonkoTheSane
      Joke

      It's "password123" - They're not noobs!

      1. Loyal Commenter

        Don't be silly. It's a strong password: Password.1

        1. EnviableOne Silver badge

          nah, they read all the password research,

          it has to be CorrectHorseBateryStaple

          1. Trigonoceps occipitalis

            Surely hitting the infotainment hardware with a five dollar wrench would suffice?

            1. stiine Silver badge

              Or a pedestrian?

  3. Howard Sway Silver badge

    Hyundai used a public-private key pair from a tutorial, and placed the public key in its code

    Classic. There's following the steps in a tutorial EXACTLY, and then there's actually bothering to try and understand what it's really telling you by also applying your brain when reading it. I wonder if this tutorial example made its way onto Stack Overflow, and if so how many other systems have been "secured" the same way...........

    1. NATTtrash Silver badge
      Trollface

      Re: Hyundai used a public-private key pair from a tutorial, and placed the public key in its code

      Indeed. And then don't forget... In the modern world we live in, you do have to pay a monthly subscription fee, otherwise the whole thing stops functioning to begin with...

      1. John Miles

        Re: pay a monthly subscription fee, otherwise the whole thing stops functioning

        I think some companies/developers haven't paid the subscription fee in a long time

    2. Anonymous Coward
      Anonymous Coward

      Re: Hyundai used a public-private key pair from a tutorial, and placed the public key in its code

      and then there's actually bothering to try and understand what it's really telling you

      But the whole point of using cut&paste is it saves you the bother of having to actually understand what you're doing.

    3. druck Silver badge
      FAIL

      Re: Hyundai used a public-private key pair from a tutorial, and placed the public key in its code

      They probably just typed into co-pilot:-

      //Generate a function to use AES encryption

    4. Someone Else Silver badge

      Re: Hyundai used a public-private key pair from a tutorial, and placed the public key in its code

      The pinochle pinnacle of copy-pasta programming!

  4. AlanSh

    Hyundai won't comment

    I've got a Hyundai wihich has some basic issues with the infotainment system. I (and others) have tried to make Hyundai respond to this - but there's a great silence.

    It'll be another head in the sand job with this issue too.

    1. zuckzuckgo Bronze badge
      Linux

      Re: Hyundai won't comment

      The upside is now you may be able to fix it yourself!

  5. JDPower666 Silver badge
    Joke

    Don't publicise it, these are the security holes we all want left in our cars so we can easily crack the firmware after manufacturers decide to lock every function of the car if you don't give them money every month!

    1. YetAnotherLocksmith

      Sorry, you forgot to add the joke, you only added the icon for it.

  6. david 12 Silver badge

    Outsourced

    Some contractor built the code and handed it over, with the documentation: just change the keys and it's good to go.

    1. Anonymous Coward
      Anonymous Coward

      Re: Outsourced

      I have known several contractors and employees who have provided solutions like this (without the documentation to change anything). All have since left the company with glowing references for finding such a "quick, brilliant solution", and you can guess who fixed it, with little to no recognition. :-|

      1. YetAnotherLocksmith

        Re: Outsourced

        > and you can guess who fixed it

        Not Hyundai.

      2. zuckzuckgo Bronze badge

        Re: Outsourced

        >you can guess who fixed it,

        Only if you don't post anonymously.

      3. Anonymous Coward
        Anonymous Coward

        Re: Outsourced

        Non-technical IT management always like people who do a quick job. Then they give them big pay rises to try to keep them when they threaten to go elsewhere. In the meantime the same management want to know why Muggins takes so long fixing problems - that were created by the quick fix merchant's bodges.

  7. gnasher729 Silver badge

    One company probably 30 years ago managed to use an RSA private key that I cracked with pen and paper. The key was of the form 2^123 - a * 2^60 - b with rather small a and b.

    It turned out both primes had been taken from a table from “The Art of Computer Programming”.

    1. Adrian 4 Silver badge

      Are you suggesting those aren't random ?

      https://xkcd.com/221/

    2. Michael Wojcik Silver badge

      The number of published exploits for weak RSA key pairs is impressive. People re-use key pairs across lots of devices. They use pairs where the primes are too close, so the product can be efficiently factored using Fermat's algorithm. They use pairs where one (or both) of the "primes" is actually composite. There was the Debian broken OpenSSL (a Debian maintainer "fixed" a compiler warning that resulted in low entropy in the CPRNG pool) that, for two years, produced predictable RSA pairs. People use small "export-grade" keys long after that's been required for anything. And so on.

      Or people bungle RSA in other ways, such as using a message that's too small or too large; or encrypting the same message multiple times with different keys (using the same exponent), leaving it vulnerable to the CRT. They don't pad properly. They use the same key pair for signing and encryption. And so on.

      Cryptography is hard. I've studied it for a couple of decades, and I read a lot of articles about it, but I still don't roll my own implementations – not just of primitives, but of higher-level protocols. And where I need to use it (through a vetted library), I always review authoritative sources on proper use and pitfalls, just to make sure I haven't forgotten something.

      The problem in this case seems to be that Hyundai couldn't be bothered to find someone who knew at least enough to be aware of the dangers, or care about them.

      1. gnasher729 Silver badge

        There was a case where the RSA private keys in routers had one of their two primes in common. In that case the common factor is calculated as a gcd, and we get the other factor of each key with one division.

        And then someone wrote an algorithm that given a billion private keys with primes reused occasionally can find them all in reasonable time.

      2. Anonymous Coward
        Anonymous Coward

        They probably recruited someone who said they were an expert in the subject - and without getting a technical vet by someone who was an expert.

        The problem with expertise is it is often self-assessed. Those who confidently think they know it all - get the jobs. Unlike those who know that the more you know - the more you know you don't know.

  8. anothercynic Silver badge
    Facepalm

    Criminy

    That sounds just... so fascinatingly typical!

    People learn/do by rote, and this just absolutely reinforces that... Someone's silly mistake will now allow people like 'GreenLuigi' to do fun stuff with their cars... until Hyundai fix that problem.

    1. Oglethorpe

      Re: Criminy

      If there's a way for Hyundai to update the keys, there's a way for bad guys to update the keys, if they can spoof an OTA update. We may be about to see the first vehicular ransomware.

      1. Loyal Commenter

        Re: Criminy

        My guess is that the updates are not OTA, but are applied via a wired interface. Probably USB.

        1. zuckzuckgo Bronze badge

          Re: Criminy

          Maybe the the developer was an advocate of right-to-repair. So long as OTA updates are not supported - this is a feature not a problem.

          1. anothercynic Silver badge

            Re: Criminy

            That would be great, wouldn't it. But chances are that this is not the case...

  9. StrangerHereMyself Bronze badge

    Too difficult

    This just shows security and cryptography are too difficult for the mediocre programmer to grasp and to implement properly. Companies need to spend more money on competent individuals to secure their stuff, not just letting any programmer touch that kind of stuff.

    1. Pascal Monett Silver badge

      Re: Companies need to spend more money on competent individuals

      Yeah they do.

      But they won't.

      1. Mike 137 Silver badge

        Re: Companies need to spend more money on competent individuals

        This is an ancient problem. Way back in the early '90s I attended a presentation by the CEO of one of the largest tech recruitment groups. At question time I asked him: "do clients ever ask you to identify individual excellence in candidates?"

        He responded "No, they never ask for that".

        They still don't. What's wanted is low cost labour that doesn't rock the corporate boat, and the result is reduction to the lowest common denominator, which is why 'Dilbert' is funny in a rather sad kind of way.

    2. sabroni Silver badge

      Re: Companies need to spend more money on competent individuals

      Sorry, there's nothing left for that bollocks after the management bonuses.

    3. Tom 38 Silver badge

      Re: Too difficult

      It's actually really difficult to hire competent engineers. The best engineers on the planet get paid enormobucks for working with ad slingers, social networks, tat stores, and iGear. The next best work on robotaxis, food delivery and crypto. By the time you get down to "building infotainment for Hyundai", its people who can google and just about follow along.

      Yes Hyundai could pay more and get better, but they can't compete with Meta paying $350k.

      1. Anonymous Coward
        Anonymous Coward

        Re: Too difficult

        Ain't that the truth? :'(

      2. Michael Wojcik Silver badge

        Re: Too difficult

        I don't think that's true. I work with plenty of good developers, and I've seen plenty of crap come out of the FAANGs. The reputation of Big Tech for hoovering up all the talent is undeserved.

        The problem is that many organizations don't want to pay for decent people.

    4. Mike 137 Silver badge

      Re: Too difficult

      "This just shows security and cryptography are too difficult for the mediocre programmer"

      Not just security and cryptography, nor just 'mediocre programmers'

      "keys that were not only publicly known but had been lifted from programming examples"

      As silicon becomes ever more dependent on soft configuration, it's become amazingly and frustratingly common to find release code containing fragments directly copied and pasted from the example code in chip manufacturers' device data sheets. This is of course not programming' in the true sense - it's 'mashing' - and it often goes horribly wrong. But it seems to be the 'way forward' judging by the evidence, despite the accidents it can precipitate..

    5. Boris the Cockroach Silver badge
      FAIL

      Re: Too difficult

      Too difficult?

      How difficult is it to follow

      Generate key pair

      Load private key into decryption module.

      Upload module to ECU.

      Then when the time comes.... Zip file to memory with public key

      Call decrypt, check signing.

      Even if I do use stack overflow to copy the code from, I do know to generate my own keypair rather than use the example pair

      All this says to me is that Hyundai outsourced the programming to the cheapest job shop they could find and took their word for it that the code was right.

      1. Michael Wojcik Silver badge

        Re: Too difficult

        Zip file to memory with public key

        If you're encrypting your entire firmware image with an asymmetric algorithm, You're Doing It Wrong. If you're using the same key pair for signing and encryption, You're Doing It Wrong.

        If you're decrypting before checking the verifier (signature, MAC, whatever), You're Doing It Wrong (per Moxie Marlinspike's Cryptography Doom Principle).

        In other words: it's pretty difficult. True, copying keys from public sources is either extremely dumb, or a sign that the developer didn't give a damn, or that someone was supposed to change them and didn't. But actually implementing cryptographic protocols correctly on top of primitives, even if those primitives themselves are used correctly, is not easy.

    6. anonymous boring coward Silver badge

      Re: Too difficult

      I’m mediocre, but would not have made this mistake.

  10. Potemkine! Silver badge

    I wonder if this developer could get into legal troubles for kreaking a secured device... I hope not, but everything is possible in the MegaCorps World.

  11. Zippy´s Sausage Factory
    Devil

    Hyundai is a Korean company. Right now, in Seoul, a scriptwriter is working on episode 55 of a 100-episode Korean soap about chaebols, wondering whether they can use this as a plot device...

    1. Loyal Commenter

      If I could up-vote that more than once, I would.

      1. Anonymous Coward
        Anonymous Coward

        If I could up-vote that more than once, I would.

        Done it for you :)

  12. Anonymous Coward
    Anonymous Coward

    Uninsured in the UK ?

    I suspect this might count as fiddling with a cars type approval, which is needed for motor vehicles to be legally used on UK roads.

    That in turn could mean no insurance.

    Just thinking aloud.

    1. Anonymous Coward
      Anonymous Coward

      Re: Uninsured in the UK ?

      Not at all.

      There is a large aftermarket tuning industry that uses exactly these kind of security holes to allow car owners to repair, modify and customize their own vehicles.

      Bizarrely, official car importers even employ these companies to tune engines for local emissions compliance because the vehicle manufacturers won't hand over the encryption keys.

      Every time some "security expert" cracks a vehicle and makes a lot of fuss about some imaginary hacker threat, the manufacturers have a crack down and it becomes a lot harder for those of us who work in this industry.

      Make no mistake, the far bigger threat to car owners is that the manufacturers will improve their security to the point where they can prevent independent garages from working on your car and lock you into high servicing costs.

      1. Potty Professor Bronze badge
        Flame

        Re: Uninsured in the UK ?

        Which is probably why the prices of second hand and older cars is currently heading through the roof. Many people are fed up with the unreliability of the electronics in modern cars, and are turning to older models with little or no electronics. Just seen an advert for a 1970 Ford Escort Mexico for £55,000 on ebay.

        1. khjohansen

          Re: *Ford Escort Mexico*

          - it's not about the electronics - although "european muscle car" is an oxymoron!

          1. MrRimmerSIR!

            Re: *Ford Escort Mexico*

            AC Cobra

      2. Anonymous Coward
        Anonymous Coward

        Re: Uninsured in the UK ?

        Then the official repairer chain goes bust - and all the cars are likely to be bricked when their next mandatory service is due.

        Of course - that couldn't happen.....could it?

    2. Loyal Commenter

      Re: Uninsured in the UK ?

      I don't think the entertainment system could be considered to be part of the actual "vehicle" part of the vehicle for regulatory purposes any more than an old-fashioned car radio is, or the floor mats.

      1. usbac

        Re: Uninsured in the UK ?

        Don't discount floor mats as a safety problem:

        https://www.edmunds.com/car-news/sudden-acceleration.html

        There have been some accidents due to accelerator pedals getting stuck under the edge of floor mats.

  13. Plest Silver badge
    Facepalm

    I think we know how this happened!

    So someone basically pulled the sample code and keys, whacked it in and due to staff cuts and cost cutting at the dev and QA teams, what few QA team people were left or not out sick with COVID, no one checked the code properly! Classic!

    Always do a key search on Google, Github and especially Pastebin just to at least try to make an effort to be sure your keys have not been plastered everywhere OR some numpty didn't rush the code through dev, uat and then prod without proper checks. That would solve 80% of these stupid problems in just 5 mins of quick searches before you even do a more thorough check by asking the infosec team to help you out.

    1. zuckzuckgo Bronze badge

      Re: I think we know how this happened!

      If you search for your key then Google now has a record of your key. Who is to say a Google employee is not compiling a list of all key searches? Or maybe Google will even suggest it to someone else searching for similarly formatted keys?

      1. Michael Wojcik Silver badge

        Re: I think we know how this happened!

        This is not a problem if you search for the public key of an asymmetric key pair.

        Though, frankly, I don't see this as necessary. If you have some person in a gatekeeping role who's supposed to check to see if the keys are already "known", just replace that step in the process with generating new keys. The odds of generating already-used keys are vanishingly small, assuming a correct and uncompromised key-generation system and adequate entropy pool – and if you don't have those, you're probably already in bigger trouble.

      2. Richocet

        Re: I think we know how this happened!

        Google has analytics where you can check how often a term is searched. Not to mention your browser plugins that have access to read the URLs you visit There is definitely some risk in searching for your private key on the internet. It is called private for a reason.

    2. Usually 1027309

      Re: I think we know how this happened!

      This is not solved by googling, searching for a key literally gives you nothing. It's solved by an upfront x-functional discussion of risk and (as boring as this sounds) a robust policy and technical controls to protect secrets.

  14. Anonymous Coward
    Anonymous Coward

    Hyundai has not responded to a request for comment.

    If I were Hyundai I'd be too embarrassed to respond too.

  15. sniperpaddy

    So it was a Public-Public key then :)

    1. Francis Boyle Silver badge

      Or public-pubic

      as in cock up.

  16. russmichaels

    thats what happens when you use freelancers

    I bet they hired some freelancer to do the job, probably cheap and based in india.

    this is a common problem i'm afrid.

    I do a lot of website work on freelance sites and I find security issues on almost every single website I work on.

  17. wsm

    Good News/Bad News

    Good news: Hooray! You can customize your entertainment system.

    Bad News: You are still driving a Hyundai.

    1. Richocet

      Re: Good News/Bad News

      ... worse news: hackers are driving your Hyundai

      1. breakfast Silver badge
        Terminator

        Re: Good News/Bad News

        Ah well, them's the brakes.

        I mean they were the brakes?

        Now they seem to be changing the volume on the radio...

        How do we stop this thing???

  18. ChadF

    Triple check everything

    You know you're having a bad day if you brick your car due to making a mistake installing custom firmware.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like