
Monday, August 22, 2022

More on Car Security Issues

Schneier points to other vehicle encryption issues. Here is just a snippet; more at the link.

Software developer cracks Hyundai car security with Google search, in The Register

Top tip: Your RSA private key should not be copied from a public code tutorial

Thomas Claburn Wed 17 Aug 2022 // 20:19 UTC...

A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

An unidentified developer posting under the name "greenluigi1" wanted to modify the in-vehicle infotainment (IVI) system in his 2021 Hyundai Ioniq SEL.

To do so, he would have to figure out how to connect to the device and bypass its security.

After trying to figure out how to customize firmware updates for the IVI's D-Audio2 system, made by the car company's mobility platform subsidiary Hyundai Mobis, and have them accepted by the IVI, the unidentified car hacker found an unexpected way – through Google.

The IVI accepts firmware updates in the form of password-protected ZIP archives. This led to him downloading an update ZIP from Hyundai's website, and he was able to bypass the simple password protection on the archive to access its contents, which included encrypted firmware images for various parts of the IVI.

The goal then became creating his own firmware images and encrypting them within a ZIP in a way that the car would accept, install, and run, thus allowing control of the hardware from the hacker's own supplied code.

As luck would have it, "greenluigi1" found on Mobis's website a Linux setup script that created a suitable ZIP file for performing a system update. ...
