August 28th, 2022 12:09 PM #1
YouTube link from a tech podcast explaining the issue in more or less layman's terms:
https://www.youtube.com/watch?v=Iog7TpJFls4&t=2608s
News link:
Software developer cracks Hyundai car security with Google search | TheRegister
Top tip: Your RSA private key should not be copied from a public code tutorial:
A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.
[…]
“Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]”.
[…]
Luck held out, in a way. “Greenluigi1” found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C.”
Another article:
Hyundai devs used sample code signing keys, making updates vulnerable
It’s only the entertainment unit, right? But it’s a Linux computer with full access to the car’s critical CAN bus. In this week’s Secure Software Blogwatch, we’re frightened by the implications.
Last edited by Dr.Kamiya; August 28th, 2022 at 12:13 PM.
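A release-gate check for the failure the quoted articles describe, as an added example that is not part of the original post or the linked articles: it scans a firmware or script blob for the NIST SP 800-38A AES-128 example key in several encodings and for embedded public keys whose fingerprint is on a deny-list. The function names, the deny-list and the sample blob are assumptions constructed for illustration; the placeholder fingerprint is not the tutorial key.

```python
import base64
import hashlib
import re

# AES-128 example key published in NIST SP 800-38A (public test vector).
NIST_AES128_EXAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA )?PUBLIC KEY-----(.+?)-----END (?:RSA )?PUBLIC KEY-----",
    re.DOTALL,
)

def key_encodings(key: bytes) -> dict:
    """Forms in which a fixed key usually shows up in scripts and binaries."""
    hexed = key.hex().encode()
    return {"raw bytes": key, "hex (lower)": hexed, "hex (upper)": hexed.upper(),
            "base64": base64.b64encode(key)}

def pem_fingerprint(pem_body: bytes) -> str:
    """SHA-256 of the decoded key bytes, so line wrapping does not matter."""
    return hashlib.sha256(base64.b64decode(b"".join(pem_body.split()))).hexdigest()

def scan_blob(blob: bytes, denied_fingerprints: set) -> list:
    """Return sorted (offset, description) findings for known sample keys."""
    findings = []
    for label, pattern in key_encodings(NIST_AES128_EXAMPLE_KEY).items():
        for m in re.finditer(re.escape(pattern), blob):
            findings.append((m.start(), f"NIST SP 800-38A AES-128 example key, {label}"))
    for m in PEM_RE.finditer(blob):
        try:
            fingerprint = pem_fingerprint(m.group(1))
        except ValueError:  # body is not valid base64
            continue
        if fingerprint in denied_fingerprints:
            findings.append((m.start(), f"deny-listed public key {fingerprint[:16]}"))
    return sorted(findings)

# Constructed sample input: placeholder bytes stand in for a tutorial key.
SAMPLE_DER = b"constructed placeholder bytes, not a real key"
SAMPLE_DENYLIST = {hashlib.sha256(SAMPLE_DER).hexdigest()}
SAMPLE_BLOB = (
    b"KEY=2b7e151628aed2a6abf7158809cf4f3c\n" + b"\x00" * 8 + NIST_AES128_EXAMPLE_KEY
    + b"-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER)
    + b"\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    for offset, description in scan_blob(SAMPLE_BLOB, SAMPLE_DENYLIST):
        print(f"offset {offset}: {description}")
```

In a build pipeline the deny-list would hold fingerprints of keys collected from tutorials and vendor SDK samples, and any finding would fail the release.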