It was possible because the automotive manufacturer used encryption keys that had been published as examples in a tutorial on the subject!
Before you get rid of your own Ioniq for fear that some black hat hacker is about to hack your car while you’re driving, we’re pleased to say this won’t be the case. According to his detailed blog on the matter, ‘greenluigi1’ had to hunt around to get the right Ethernet cable to connect his laptop to his car.
Given that he had to go to those lengths, it is highly unlikely that hackers will be able to go in ‘over-the-air’ in the same way that Hyundai’s own geeks will be able to. That said, what he found does take the Mickey out of Hyundai, who will have a few red faces in their own developer team now.
Greenluigi1 said that he wanted to see if he could hack his own infotainment system so he could put in stuff of his own. This required a fair bit of investigation, and he was defeated several times as he tried brute force attacks and research. Ultimately, where software designed to crack passwords had always failed him, he found snippets of the code required to hack his car in different places on the internet.
According to The Register, he discovered the final codes to hack his car in an RSA tutorial. It seems that Hyundai’s developers had simply lifted their encryption keys from the tutorial and put them in the car’s security system unchanged.
Reading through the blog (which admittedly goes well over our heads), it is clear the hack wasn’t done in just five minutes of fiddling about. The investigation took several days of solid work and a little investment too.
He published his work to show that it could be done. With the work made public, we’ve no doubt that the car makers will have closed the back door in the intervening time.
As a final thought, hackers (white hat and black hat alike) will have been trying every which way to hack cars’ cruise control systems for years. Though it wouldn’t have a pleasant ending, imagine the news if someone managed to hack a Tesla while it was driving and take full control. As such, the boffins working on these things will be very mindful of security, and it’s extremely unlikely that will happen.