Software developer cracks Hyundai car security with Google search (August 2022)

A developer says he was able to run his own software on his car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.
The script included the necessary ZIP password for the system update archives, along with an AES symmetric Cipher-Block-Chaining encryption key and the IV value to encrypt the firmware images.
"Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]," he added.
The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C."
This means Hyundai used a public-private key pair from a tutorial, and placed the public key in its code, allowing Feldman to track down the private key.
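A build-time check for the weakness described above, as an added example that is not from the article or from Hyundai's code: it scans an artifact for the AES-128 example key published in NIST SP 800-38A (and the CBC example IV from the same document) as raw bytes, hex text or base64. The function names and sample inputs are constructed for illustration.

```python
import base64
import re

# Values printed in NIST SP 800-38A's AES-128 examples. They are public test
# vectors, so finding one in a shipped artifact means the "secret" is not secret.
KNOWN_PUBLIC = {
    "SP 800-38A AES-128 example key": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
    "SP 800-38A CBC example IV": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
}

def _hex_stream(data: bytes) -> str:
    """Collapse hex written as 0x2b, 0x7e / \\x2b\\x7e / 2B:7E / 2b 7e into one string."""
    text = data.decode("latin-1").lower()
    text = re.sub(r"0x|\\x", "", text)          # drop C and escape-sequence prefixes
    return re.sub(r"[\s,:;-]+", "", text)       # drop separators between byte values

def find_public_keys(data: bytes) -> list:
    """Return (name, encoding) for every known public value found in data."""
    hits = []
    hexed = _hex_stream(data)
    for name, value in KNOWN_PUBLIC.items():
        if value in data:
            hits.append((name, "raw bytes"))
        if value.hex() in hexed:
            hits.append((name, "hex text"))
        # Standalone base64 encoding; padding is stripped so both forms match.
        if base64.b64encode(value).rstrip(b"=") in data:
            hits.append((name, "base64"))
    return hits

# Constructed sample inputs (not taken from any real firmware or script).
SAMPLE_C = (b"static const uint8_t k[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,\n"
            b" 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};")
SAMPLE_ENV = b"FW_KEY=2B:7E:15:16:28:AE:D2:A6:AB:F7:15:88:09:CF:4F:3C\n"
SAMPLE_CLEAN = b"FW_KEY_REF=hsm:slot3\n"

if __name__ == "__main__":
    for label, blob in [("c", SAMPLE_C), ("env", SAMPLE_ENV), ("clean", SAMPLE_CLEAN)]:
        print(label, find_public_keys(blob))
```

The same list can be extended with other published test vectors or with fingerprints of key pairs copied from tutorials, so that a failed check blocks the release before such a key ships.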