New and Used Car Talk Reviews Hot Cars Comparison Automotive Community

The Largest Car Forum in the Philippines



Results 1 to 1 of 1
  1. Join Date
    Jan 2007
    Posts
    1,830
    #1


    Youtube link from a tech podcast explaining the issue on more or less layman's terms:
    https://www.youtube.com/watch?v=Iog7TpJFls4&t=2608s

    News link:
    Software developer cracks Hyundai car security with Google search | TheRegister

    Top tip: Your RSA private key should not be copied from a public code tutorial:

    A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

    […]

    “Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]”.

    […]

    Luck held out, in a way. “Greenluigi1” found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C.“
    Guess this means open-source community will soon have a way to roll out signed Hyundai firmware!


    Another article:
    Hyundai devs used sample code signing keys, making updates vulnerable
    It’s only the entertainment unit, right? But it’s a Linux computer with full access to the car’s critical CAN bus. In this week’s Secure Software Blogwatch, we’re frightened by the implications.
    Last edited by Dr.Kamiya; August 28th, 2022 at 12:13 PM.

Tags for this Thread

Hyundai signed their car firmware using the sample key from a software code tutorial