During the last few years, cars have started actively connecting to the internet.
Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online.
With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices.
On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyber attacks?
In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers which, according to Google Play statistics, have been downloaded tens of thousands, and in some cases, up to five million times.
The research discovered that each of the examined apps contained several security issues.
It was discovered that there was no defence against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
There was no code integrity check, which matters because its absence enables criminals to incorporate their own code into the app and replace the original program with a fake one.
It was also discovered that there were no rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenceless.
There was no protection against app overlaying techniques, which helps malicious apps to show phishing windows and steal users’ credentials.
And finally, the storage of logins and passwords was in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
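To make the listed gaps concrete, here is an added example (not code from the Kaspersky research or from any of the tested apps) of how an Android car-control app could close three of them: a signing-certificate integrity check, best-effort root detection, and encrypted credential storage instead of plain text. The class name, the preferences file name and EXPECTED_CERT_SHA256 are assumptions; the hash is a placeholder for the app's own release certificate.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.security.MessageDigest;

// Added example, not code from the Kaspersky research or any tested app.
public final class AppHardening {
    // Placeholder (assumption): hex SHA-256 of the app's own release signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-placeholder>";

    // Code integrity: a repackaged APK must be re-signed with the attacker's key, so
    // comparing the runtime signing certificate with the pinned value detects it.
    public static boolean signatureMatches(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
        Signature[] sigs = info.signingInfo.getApkContentsSigners();
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (Signature s : sigs) {
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest(s.toByteArray())) hex.append(String.format("%02x", b));
            if (!EXPECTED_CERT_SHA256.equalsIgnoreCase(hex.toString())) return false;
        }
        return sigs.length > 0;
    }

    // Root detection: best-effort heuristic (su binary or test-keys build). It raises
    // the bar for the "root the device, then read the app" path; it is not a guarantee.
    public static boolean looksRooted() {
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) if (new File(p).exists()) return true;
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Credential storage: EncryptedSharedPreferences (key held in the Android Keystore)
    // instead of plain-text SharedPreferences for the session token or login.
    public static SharedPreferences credentialStore(Context ctx) throws Exception {
        MasterKey key = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build();
        return EncryptedSharedPreferences.create(ctx, "car_app_creds", key,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

On a signature mismatch or a rooted device the app should degrade safely (for example refuse to cache credentials and require re-authentication) rather than silently continue. The overlay weakness is addressed separately, for instance by calling setFilterTouchesWhenObscured(true) on views that take credentials.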
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle. Or perhaps, even crash it.
In each case the attack vector would require some additional preparation, such as luring users of the applications into installing specially crafted malicious apps that would then root the device and gain access to the car application.
However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks,” said Victor Chebyshev, security expert at Kaspersky Lab.
“Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products.”
“Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here.”
Kaspersky Lab researchers advise users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
- Don’t root your Android device as this will open almost unlimited capabilities to malicious apps
- Disable the ability to install applications from sources other than official app stores
- Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack
- Install a proven security solution in order to protect your device from cyber attacks.