How secure are connected cars? Kaspersky Lab official blog
Android for cars: Secure connection?
In the movie Dude, Where’s My Car? (2000), viewers follow the humorous tale of two guys who partied a bit too hard attempting to recall where they parked their car. We’ve all been there — well, not to the extent of the movie characters, but raise your hand if you have ever forgotten where you parked at a concert, shopping center, or grocery store.
Fast-forward seventeen years and there are apps for everything — even your car. Chances are, if an app might make part of your life easier, someone will develop it and a slew of people will use it.
Over the past few years, the concept of the connected car has continued to evolve — and become reality. At this year’s RSA Conference in San Francisco, our anti-malware researchers Victor Chebyshev and Mikhail Kuzin introduced research that they conducted on seven popular apps for vehicles.
The apps seem to make users’ lives easier by linking their Android devices to their automobiles, but we have to ask: Are we trading security for convenience? And as with many IoT connected devices, the answer is that security needs to become more of a priority for developers and manufacturers.
The primary functions of these apps are to open doors and, in many instances, start the car. Unfortunately, flaws in the apps could be exploited by attackers:
- No protection against application reverse engineering. As a result, malefactors can dig in and find vulnerabilities that give them access to server-side infrastructure or to the car’s multimedia system.
- No code integrity check. This permits criminals to incorporate their own code in the app, adding malicious capabilities and substituting the original program with a fake one on the user’s device.
- No rooting detection technologies. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
- Lack of protection against overlaying technologies. This permits malicious apps to show phishing windows on top of the original apps’ windows, tricking users into entering login credentials in windows that send the info to criminals.
- Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, even steal the vehicle.
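For the plain-text storage flaw in the list above, here is an audit check an app developer or reviewer could run over the app's own Android SharedPreferences files. It is an added example, not code from the Kaspersky research or from any of the apps; the key-name pattern, the entropy threshold and the sample file are assumptions constructed for illustration.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android SharedPreferences file (not from any real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_login">driver@example.com</string>
    <string name="user_password">Summer2017!</string>
    <string name="auth_token_enc">k9Zq3vX0b1LwT7yRr2Jm8PdA5sUeHc4NfGi6oQxYtVzE+/aB</string>
    <string name="vin">CONSTRUCTEDVIN0001</string>
    <boolean name="remote_start_enabled" value="true" />
    <int name="password_retry_count" value="3" />
</map>"""

# Key names that suggest a stored secret (assumed heuristic list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|login|user(name)?|pin|secret|token", re.I)

def shannon_entropy(value: str) -> float:
    """Bits per character; ciphertext or base64 scores high, human text lower."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_encrypted(value: str) -> bool:
    """Rough check: long, base64-style alphabet only, high entropy."""
    return (len(value) >= 24
            and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None
            and shannon_entropy(value) >= 4.5)

def find_plaintext_secrets(prefs_xml: str) -> list[tuple[str, str]]:
    """Return (key, reason) for string entries that look like cleartext credentials."""
    findings = []
    for node in ET.fromstring(prefs_xml).iter("string"):
        key, value = node.get("name", ""), node.text or ""
        if SENSITIVE_KEY.search(key) and value and not looks_encrypted(value):
            findings.append((key, "sensitive key with readable value"))
    return findings

if __name__ == "__main__":
    for key, reason in find_plaintext_secrets(SAMPLE_PREFS):
        print(f"[!] {key}: {reason}")
```

A clean result only means nothing matched the heuristic; secrets stored under innocuous key names or in databases still need manual review.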
The researchers disclosed their findings to the developers (they did not disclose names of the apps publicly) and also told them that no exploitation had been seen in the wild. A full, detailed report on this can be found over on Securelist, where each of the apps is evaluated.
It’s easy to bury your head in the sand, thinking you won’t be hacked or that this is the stuff of science fiction, but the truth is, ever since its invention, the automobile has been a target for criminals. And if there is a hack to make things easier, just imagine the possibilities.
Another thing to keep in mind is that we’ve already seen vulnerabilities allow smart white-hat hackers to make the leap from “benign vulnerability” to controlling a car. Two of the bigger automotive stories of the past two years were about how Charlie Miller and Chris Valasek took control of a Jeep via vulnerabilities.
Ultimately, individual security and app usage come down to personal preference. Who we share our data with or entrust our convenience to is truly up to us. With IoT devices and apps, convenience is too often considered before security.
In closing, Chebyshev notes:
“Applications for connected cars are not ready to withstand malware attacks. We expect that car manufacturers will have to go down the same road that banks have already taken with their applications… After numerous cases of attacks against banking apps, many banks have improved the security of their products.
“Fortunately, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very nimble — one day they can act like normal adware, and the next day they can lightly download a fresh configuration, making it possible to target fresh apps. The attack surface is indeed vast here.”