Connected Car App Security Flaws Uncovered By Kaspersky Lab

freescale smart car IoT

Hackers could unlock your car or start its ignition via car app flaws discovered by Kaspersky Lab researchers

Connected cars are not yet ready to deal with malware attacks, warned security researcher Kaspersky Lab.

It evaluated and tested the security of applications for the remote control of cars from seven well-known car manufacturers, and found they are lacking.

Kaspersky Lab warned that flaws are so serious that hackers could gain control of critical car systems such as its ignition system and door locks.

Connected Car (c) Rashevskyi Viacheslav, Shutterstock 2014Unsafe Apps

Until fairly recently it had been presumed that the major security weakness with cars that were actively connecting to the Internet would come from the vehicle’s infotainment systems.

But as cars become more sophisticated, critical car functions are now accessible online.

This is because these functions are controlled by a remote car control app, typically developed by the major car manufacturers themselves. These apps for example can allow the car owner to track the location of their vehicle, turn off the alarm, open doors, and start the engine.

But it seems that while car makers maybe good at making cars, their capability to design to robust and secure car apps may be somewhat lacking.

At least that the conclusion of Kaspersky Lab researchers who discovered that all seven apps from different car makers contained a number of security issues that could potentially allow criminals to cause significant damage.

Kaspersky Lab did not reveal which car maker apps it tested, but said that some of these had been downloaded up to five million times, according to Google Play statistics, which points the finger at certain Android apps from car makers.

The Flaws

The researchers uncovered multiple security issues with the apps, including the fact that they had no defence against application reverse engineering. This means that attackers could familiarise themselves with the app to discover potential vulnerabilities to allow them to obtain access to server-side infrastructure or the car’s multimedia system.

The apps also had no code integrity check, which is important as it allows criminals to incorporate their own code in the app and replace the original program with a fake one.

Kaspersky Lab also found there were no rooting detection techniques for the apps, and a lack of protection against app overlaying techniques (which would help malicious apps to show phishing windows and steal users’ credentials).

But perhaps more serious was the discovery that the apps stored the logins and passwords in plain text, which would allow an attacker to steal a users’ data relatively easily.

Kaspersky Lab warned that upon successful exploitation of these apps, an attacker could gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.

Not Ready

Or the attacker could trick car owners to install specially-crafted malicious apps that would then root the device and get access to the car application. Connected car owners are also at risk from  criminals experienced in social engineering techniques.

And Kaspersky Lab warned that the car industry needed to toughen their car apps, as they are not yet ready to withstand a malware attack.

“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks,” said Victor Chebyshev, security expert at Kaspersky Lab.

“Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure,” he said. “We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products.”

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right,” said Chebyshev. “How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here.”

Best Advice

The best advice for users of connected car apps from Kaspersky Lab, is not to root their Android device, as this will open almost unlimited capabilities to malicious apps.

Users should also disable the ability to install applications from sources other than official app stores, and keep the OS version up to date.

Finally, they should a “proven security solution” in order to protect their device from cyberattacks.

This is not the first time that warnings have been issued about car security.

In September 2015 Intel launched a new security board to ensure that smart vehicles remain safe from the threat of hackers.

Researchers from Security Innovation meanwhile were able to hack the radar scanner built in to some smart vehicles using a homemade tool made up of components costing less than £50, making it think that obstacles or pedestrians are in the road, which could lead to the car to swerve without warning.

And Fiat Chrysler has previously recalled 7,810 of its Jeep Renegade vehicles in the United States after they were found to be affected by a serious software vulnerability which put them at risk of attack by cybercriminals.

And in February 2015, BMW confirmed it had patched a serious security flaw that could have allowed hackers to seize control of some of its cars’ systems. That flaw could have allowed hackers to the open doors of 2.2 million Rolls-Royce, Mini and BMW vehicles.

Quiz: What do you know about transport technology?