A flaw in a December update to Hyundai's Blue Link mobile app doubled as an opportunity for tech-savvy vehicle thieves to track down, unlock and start connected vehicles, according to the cybersecurity firm Rapid7 Inc. and as reported by Reuters in U.S. News & World Report. The bug existed for three months before being squashed in March, though no reports of actual vehicle theft are apparent at this time.
- Blue Link is Hyundai's connected car software that gathers information and reports on a car's health and also has the ability to remote start, stop and unlock vehicles. It can be linked with a vehicle through the mobile app, smartwatches and even an Amazon Alexa skill.
- Hyundai confirmed the bug's existence and the U.S. Department of Homeland Security sent out an advisory about it on Tuesday. "The issue did not have a direct impact on vehicle safety," Jim Trainor, a spokesman for Hyundai Motor America, told Reuters in a statement. "Hyundai is not aware of any customers being impacted by this potential vulnerability."
It's easy to forget that, amid waves of hype for a more connected world, the "connected" half of the equation means the internet is involved and the risk factor for cybersecurity attacks remains high. The Blue Link bug follows a mass Fiat Chrysler recall in 2015, where 1.4 million cars were pulled from the market after researchers demonstrated they could take remote control of a fast-moving Jeep, per Reuters.
Hyundai might actually come out of the situation relatively unscathed, as there are no notable reports of the Blue Link bug being exploited, but the fact that the issue wasn't addressed for three months suggests a pretty big PR and security disaster bullet was dodged.
More automakers are turning to branded mobile apps like Blue Link and other third-party connected technologies in order to enhance the driver experience and build more robust infotainment systems. Earlier this week, Mercedes-Benz partnered with both Google and Amazon to bring the companies' respective voice-activated digital assistants to its 2016 and 2017 models.
The Blue Link news might give others eager to dive into the IoT car space a measure of pause, however. It could also encourage automakers to partner more with Apple or Android, which have their own in-car software services and also are more experienced in addressing internet security issues.