On December 1, 2022, security researchers discovered cyberattackers could take over post-2012 Hyundai and Genesis car models due to a shared vulnerability within the MyHyundai and MyGenesis mobile apps. The security issue gave hackers control over many core components of these connected vehicles, including the engine, horn, car locks and navigation system. Thankfully, Hyundai reports that no one took advantage of the vulnerability outside of independent research.
We should be grateful that researchers discovered and fixed the issue before a serious incident occurred, but Hyundai and other major automakers should also take the discovery as a warning to prioritize mobile application security and safeguard IoT mobile apps. With digitization accelerating across the auto industry and electric vehicles (EVs) growing more popular by the day, it's just a matter of time before an automotive mobile app falls victim to a major cyberattack.
Connected Car Security Issues on the Rise
Recent issues in modern vehicles and their accessories highlight the need for increased focus on security within the automotive industry:
Concerns over connected vehicle hacks have grown so much that the Office of the National Cyber Director (ONCD) recently hosted a meeting with government officials and business leaders about the security issues of EVs and the tech used to support them.
Mobile Apps for Cars: Luxury or Liability?
As a Tesla owner, I can personally attest to the benefits of controlling my car via mobile app. Like most traditional car controls, I can use the Tesla mobile app to lock/unlock the car, operate the trunk and remotely open/close the windows. But I also have access to many ultramodern features that go far beyond the capabilities of traditional vehicles. I can summon the car to meet me hundreds of yards away with no one in it. I can remotely view my car’s estimated range, operate media settings, track the car via navigation, schedule maintenance, enable security controls, start/stop charging and upgrade software.
The Tesla mobile app provides owners with absolute control over their vehicles with a wide range of convenient and luxurious features. My prior BMW also had first-generation mobile connected features, like remote start, remote lock/unlock and autoload navigation that I relied on all the time. Yet, as a veteran of the mobile app industry I can’t help but wonder what could go wrong if hackers exploited my car or another connected car.
For starters, a mobile app security breach could expose a great deal of personal information, such as financial data, driving location and destination history, all of which threat actors could use for nefarious purposes. Beyond information gathering, a connected car mobile app breach could grant threat actors physical control of the vehicle, putting me and others at risk. It’s easy to get caught up in the high-tech features of connected cars. But digital components like mobile apps, connected cars and all IoT devices can increase risk if developers fail to secure them.
Secure Mobile Apps = Safer Connected Vehicles
Both gas-powered and electric car companies will continue to add advanced software and IoT capabilities to create better and safer customer driving experiences. But adding more digital technology to support these vehicles makes their systems complex and difficult to manage, increasing the potential for a security breach or data leak that puts users, the public and businesses at risk. Because customers control their connected vehicles through mobile apps, automakers should go above and beyond to ensure they build their apps with security in mind.
Automotive business leaders should encourage dev teams to participate in mobile AppSec training courses to learn the fundamentals of secure mobile app development. Investing in continuous automated security testing helps dev teams find and remediate issues as they build mobile apps, before those issues escape into the wild. And for areas that security automation cannot test, businesses can conduct regular full-scope pen tests with a human expert security analyst to independently validate mobile app releases and updates, working with pen testing teams that have specific automotive industry experience.
The MyHyundai and MyGenesis mobile app vulnerabilities shed light on the importance of digital security issues in the automotive industry. Automakers should prioritize the security of connected vehicle mobile apps to improve driver experiences while paving the way for safer roads ahead.
About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management including NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. As a noted speaker and thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.
Edited by Erik Linask