Klaus Zimmermann's Corner

When your Encryption keys can be found in a Google search

I've seen bad things happening from clueless devs copying shit verbatim from StackOverflow before, but this? Nope, this is another whole new level of fail: Hyundai Infotainment systems use verbatim encryption keys taken from programming examples available publicly on the internet.

I'm speechless until now about how much of a security fail this case is. Kerchoff's principle is all over this and you know it: people will put their hands in your car's system and you fail to protect the only thing that was supposed to be kept a secret, the key? Talk about some DRM done really bad!

Adding insult to the injury, this is one of the cases where it's very, very hard to issue a patch or fix because once these cars roll out of the factory, very few people will even think the software can be updated, let so much think of doing the update themselves.

(That is, unless the car itself is a spook and updates can roll in over the air without user consent or intervention)

On the bright side, however, I think this will be a great opportuinity for clever Hyundai owners to customize their infotainment systems. After all, they are General Purpose computers, right? I guess knowing this insteresting "vulnerability" of these systems can be the first step to a myriad of new jailbreaking mods in cars. Who knows, maybe we'll even see some fellas play Doom in them.