|2017-04-25||Other||Hyundai Motor America||These vulnerabilities were discovered by Will Hatzer and Arjun Kumar working with Rapid7.
||N/A||CVE-2017-6052 CVE-2017-6054 ||N/A||N/A||N/A|
# Hyundai Motor America Blue Link
### VULNERABLE VENDOR
Hyundai Motor America
### VULNERABLE PRODUCT
These vulnerabilities were discovered by Will Hatzer and Arjun Kumar working with Rapid7.
### AFFECTED PRODUCTS
The following versions of Blue Link, a mobile application for Hyundai vehicle management, are affected:
Blue Link Version 3.9.5, and
Blue Link Version 3.9.4.
Successful exploitation of these vulnerabilities may allow a remote attacker to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.
Rapid7 working with Hyundai Motor America reports that it would be difficult to impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks, or gain a privileged position on the network path from the app user to their service instance.
### VULNERABILITY OVERVIEW
Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints.
CVE-2017-6052 has been assigned to this vulnerability.
A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
The application uses a hard-coded decryption password to protect sensitive user information.
CVE-2017-6054 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Critical Infrastructure Sector(s): Transportation Systems
Countries/Areas Deployed: United States
Company Headquarters Location: Fountain Valley, California
Hyundai Motor America released Blue Link, Version 3.9.6, a mandatory update to the application, which mitigates the aforementioned vulnerabilities on March 6, 2017, for Android devices and March 8, 2017, for iOS devices.
Rapid7 has released a security advisory that can be found at https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed