l+f: Crypto Facepalm for Hyundai

The programmers of Hyundai’s infotainment system obviously don’t know what a secret is.

In a report, the car owner writes that he first analyzed the firmware from the official Hyundai website. According to his own statements, he was able to circumvent the password protection of the zip archive without any major problems and found, among other things, a public key (AES symmetric CBC) and other components for encrypting the firmware.

The only thing missing was the private key to sign some data so that the car would accept and install the firmware image. Armed with the information from the public key, he started an internet search and fairly quickly came across the private key. This is an example key from online tutorials on the subject of encryption. Among other things, it appears in a NIST document (SP800-38A PDF).

Equipped with this, he could modify, sign, encrypt and then install the firmware. It is not yet known whether Hyundai has taken countermeasures in the meantime.

SEE ALSO  OPPO's most recent mid-range comes with a surprise: the company gives away headphones with your purchase