Hyundai IVI Firmware Signed with Key from OpenSSL Manual
A Hyundai Ioniq SEL owner has published a series of articles detailing how he managed to modify the firmware used in the in-vehicle infotainment (IVI) system based on the D-Audio2V operating system, which is used in Hyundai and Kia vehicles. It turned out that all the data needed for decryption and verification were publicly available online and could be found with just a few Google searches.
The manufacturer’s firmware update for the IVI system was distributed as a password-protected zip file; the firmware itself was encrypted with AES-CBC and carried an RSA digital signature. The password for the zip archive and the AES key for decrypting the updateboot.img image were found in the linux_envsetup.sh script, which was openly included in the system_package containing the open-source components of the D-Audio2V OS, available on the IVI system manufacturer’s website.
However, to modify the firmware, the private key used for the digital signature was still needed. Interestingly, Google helped the researcher find the RSA key. After searching for the previously discovered AES key, he found that it was not unique and was mentioned in the NIST SP800-38A document. Reasoning that the RSA key might have been borrowed in a similar way, the researcher found the public key in the firmware’s accompanying code and searched for it on Google. The search revealed that the public key was referenced in an example from the OpenSSL manual, which also included the corresponding private key.
With the necessary keys in hand, the researcher was able to modify the firmware, add a backdoor allowing remote access to the IVI device’s system shell, and integrate additional applications into the firmware.
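A release check that would catch the symmetric-key half of this failure, written as an added example and not taken from the researcher's articles or the vendor's code: it scans a build script for the AES example keys and IV printed in NIST SP 800-38A. The sample script and its variable names are constructed for illustration.

```python
import re

# Values printed in NIST SP 800-38A Appendix F; public, so useless as secrets.
PUBLISHED_VALUES = {
    "2b7e151628aed2a6abf7158809cf4f3c": "SP 800-38A AES-128 example key",
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b": "SP 800-38A AES-192 example key",
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4": "SP 800-38A AES-256 example key",
    "000102030405060708090a0b0c0d0e0f": "SP 800-38A CBC example IV",
}

def normalize(line):
    """Lower-case and drop 0x prefixes and byte separators, so that
    '0x2B, 0x7E', '2b:7e' and '2B7E' all compare equal to '2b7e'."""
    return re.sub(r"0x|[\s,:\-]", "", line.lower())

def scan(text):
    """Return (line_number, description) for every published value found."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        flat = normalize(line)
        for value, description in PUBLISHED_VALUES.items():
            if value in flat:
                findings.append((number, description))
    return findings

# Constructed sample build script (hypothetical variable names).
SAMPLE_ENV = """\
# image encryption settings
export IMG_AES_KEY="2B7E151628AED2A6ABF7158809CF4F3C"
export IMG_AES_IV=00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f
export OTHER_KEY=5d41c0b7e9a2f36488d10c7e3b9a6f21
"""

if __name__ == "__main__":
    for number, description in scan(SAMPLE_ENV):
        print(f"line {number}: {description}")
```

For the signing key, the equivalent check is to compare the fingerprint of the public key embedded in the firmware against keys published in documentation and sample code.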