After testing seven Android apps from seven popular car makers, security experts from Kaspersky Lab concluded that many of these mobile applications contain basic security flaws that could facilitate the theft of modern, connected cars.
Their research shows that despite cars being a very expensive product, car makers don't value the security of their apps the same way banks put a primer on the safety for a customer's bank account.
This lack of attention from car makers has now led to a situation where car thieves can simply hire a coder with experience in developing Android applications, and ask him to analyze a car maker's Android app for security holes.
According to Kaspersky Lab experts, thieves won't be disappointed, as all of the apps they've analyzed contained gaping security flaws, which even if they didn't result in the car's immediate theft, it made breaking into the car a lot easier.
Following their analysis, experts found a series of recurring issues that affected a large part of their test pool.
The biggest problem was the lack of any app protection measures against reverse engineering. No car maker had packed or obfuscated their code to protect against prying eyes.
The lack of these basic security measures meant that even low-skilled attackers could take a look at the app's source code and identify basic flaws with automated code auditing tools.
Another security measure missing from all of the tested apps was "code integrity check," a feature that would have warned the user or the car maker that someone tampered with an app's source code, and potentially added something new.
|App||App features||App code obfuscation||Unencrypted username and password||Overlay protection for app window||Detection of root permissions||App integrity check|
|App #1||Door unlock||No||Yes (login)||No||No||No|
|App #2||Door unlock||No||Yes (login & password)||No||No||No|
|App #3||Door unlock; engine start||No||–||No||No||No|
|App #4||Door unlock||No||Yes (login)||No||No||No|
|App #5||Door unlock; engine start||No||Yes (login)||No||No||No|
|App #6||Door unlock; engine start||No||Yes (login)||No||No||No|
|App #7||Door unlock; engine start||No||Yes (login & password)||No||No||No|
Two protection measures lacking from many mobile banking apps, which are also lacking from most connected car apps, are the ability to warn the user when his device is rooted, or protect the app against fake (overlay) screens shown on top of the car app's window, usually used to phish for user credentials.
These two protection measures can also serve as an early warning indicator of future attacks. These last two features are a little bit harder to implement at the code level but are included with many security products.
And if that wasn't bad enough, imagine that many apps also stored logins, passwords, and configuration files in cleartext.
All of these weaknesses can be combined in a series of attacks. The simplest one to orchestrate would be to create a malicious app that takes control of the user's phone and sends rogue commands to the victim's car, or at least steals the car app's credentials and configuration files.
While relying on a user's carelessness to install a rogue app seems a long shot, the amount of users who still install apps from outside the Play Store and then fall victims to Android banking trojans is quite staggering.
This attack scenario isn't such a stretch as most people would think, being already proven in the wild, and still reliable even today, after so many years.
Similarly, rogue access points and man-in-the-middle attacks are still a solid alternative for recording and then replaying commands to a victim's car.
The good news is that very few of the analyzed apps contained the ability to start the car's engine. For most apps, the worst case scenario would be that thieves would gain access to their car, but nothing more, as they'd still need to find a way to spoof the digital car key, or add their own custom key to the car's computer.
Nevertheless, most of us would prefer that thieves never gain access to the inside of our car, to begin with.
"Also, the risks should not be limited to mere car theft," Kaspersky's Mikhail Kuzin and Victor Chebyshev said. "Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death."
Additionally, the two researchers have also sounded the alarm on a series of terrible ideas they've seen car makers starting to implement, such as the ability to control a car via SMS messages, and voice commands.
Both voice commands and SMS messages are known to be terribly insecure and incredibly easy to spoof. The proliferation of such smart car control mechanisms is just a very bad idea that will have catastrophic consequences for car owners.
Even the Android apps, with their lack of some basic security features are more secure than SMS and voice commands.
"The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks," said Chebyshev.
"We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research," the expert added. "Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products."
"Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right," Chebyshev noted. "The attack surface is really vast here."
The researcher team presented their findings yesterday, at the RSA 2017 security conference in San Francisco, USA, and have published a summary of each of the seven apps they've analyzed on the SecureList blog.
They said they also reported all the issues they've discovered to the affected car makers, who've taken notice of their findings.