Hyundai Uses Example Keys For Encryption System
"Hyundai predictably fails in attempting to secure their car infotainment system with a default key lifted from programming examples," writes Slashdot reader sinij. "This level of security is unfortunately expected from auto manufacturers, who also would like to sell you always-connected Car2Car self-driving automobiles." Cryptographer and security experience Bruce Schneier writes: "Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]," writes an unidentified developer under the name "greenluigi1." Luck held out, in a way. "Greenluigi1" found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C." Two questions remain:1.) How did the test key get left behind? 2) Was it by accident or design?
Read more of this story at Slashdot.