Hacking into Hyundai car’s entertainment system using simple google search

A researcher claims that after learning that the maker of his car’s entertainment system had encrypted the system using keys that were not only universally known but had also been taken from programming tutorials, he was able to execute his own program on the hardware.

In his 2021 Hyundai Ioniq SEL, software developer Daniel Feldman from Minneapolis, Minnesota, desired to modify the in-vehicle infotainment (IVI) system.

He would need to figure out how to link to the unit and get past its security in order to accomplish that.

Feldman struggled to find a means to adapt firmware upgrades for the Hyundai Mobis mobility platform subsidiary’s D-Audio2 system for the IVI and have them accepted by the IVI. Eventually, Feldman discovered a solution using Google.

Firmware upgrades are accepted by the IVI in the format of password-protected ZIP files. Feldman was able to view the update ZIP’s contents, which contained encrypted firmware images for various IVI components, by getting through the archive’s basic password protection. Feldman obtained the update ZIP from Hyundai’s website.

His objective then changed to developing his own firmware images and encrypting them in a way that the automobile would accept, install, and execute. This would enable him to manipulate the hardware using code that he had provided.

By chance, Feldman discovered a Linux setup script that produced an appropriate ZIP file for carrying out a system upgrade on Mobis’s website.

The script contained the required ZIP password for the system update archives, the IV (initialization vector) value to encrypt the firmware images, and an AES symmetric Cipher-Block-Chaining (CBC) encryption key (a single key as opposed to an RSA asymmetric public/private key pair).

Additionally, the photos might be unlocked using this knowledge.

The firmware images could then be modified using the AES key, and the script could then be used to re-encrypt the images using the AES key and package everything into a password-protected ZIP file for Hyundai’s IVI update system to receive.

But it wouldn’t be that simple; at the very least, some of the given data would have to be cryptographically signed using an RSA private key, and Feldman lacked it. The updater would verify that the data was signed using the proper secret private key using the RSA public key that corresponds to the private key.

To proceed, he thus needed to locate the RSA private key.

Feldman stated in a blog post, “The script hinted to RSA signature being utilized, but regrettably the key used for that was not in the source code.”

Hyundai’s mistake, however, is not misusing AES CBC; it is employing another key that was made public online and treated as a secret.

Feldman was able to open one of the encrypted firmware image files contained in the update ZIP package using that symmetric key to extract its contents.

He also discovered a binary named updateAgent, which is used by the IVI updater, among the extracted files.

In other words, Feldman now had a chance to overcome the code he needed to defeat — the update tool in his IVI — since he was looking at it directly.

Feldman explains, “I chose to hunt for the signature key because I already knew the zip password and the encryption key. Hopefully, they also left the private key along with the public key.

In a sense, his good fortune held. Feldman looked online for a piece of the RSA public key that the firmware updater had used after locating it in the firmware image. In online tutorials like “RSA Encryption & Decryption Example using OpenSSL in C,” the search results referred to a shared public key.

That tutorial’s public key and the accompanying RSA private key are both contained in the source code of other OpenSSL projects and this tutorial.

Accordingly, the register utilized a public-private key pair from a tutorial and embedded the public key in its code, enabling Feldman to locate the private key. As a result, the updater recognized his signature on Hyundai’s files.