Researchers detect security problems under the hood of automobile apps, Ars Technica
Kaspersky researchers find Android apps for connected cars soft targets for hackers.
by Sean Gallagher – Feb 17, 2017 6:29 pm UTC
In a presentation at this week’s RSA security conference in San Francisco, researchers from Kaspersky Labs exposed more bad news for the Internet of drivable things—connected cars. Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the injection of malware into apps.
The security vulnerabilities of connected cars have been a hot topic at security conferences for the past few years—particularly after researchers Charlie Miller and Chris Valasek demonstrated that they could control many of the functions of a Jeep Grand Cherokee (including its brakes and steering) remotely through the vehicle’s built-in cellular data connection. There have also been repeated demonstrations of vulnerabilities in how the mobile applications from various connected vehicle services connect to vehicles, such as Samy Kamkar’s demonstration of intercepting data from the mobile app for GM’s OnStar.
The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner’s smartphone is compromised. Chebyshev and Kuzin wrote:
Theoretically, after stealing credentials, an evildoer will be able to build up control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to begin moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a fresh key into the car’s on-board system. Now, let us recall that almost all of the described apps permit for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the deeds in order to steal a car without cracking or drilling anything.
All seven of the applications permitted the user to remotely unlock their vehicle; six made remote engine start possible (though whether it’s possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app’s data and events—making it much easier for someone to create an “evil” version of the app to provide an avenue for attack.
While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
While no such malware has yet been reported, the researchers noted,
Contemporary Trojans are fairly nimble: if one of these Trojans shows a persistent ad today (which cannot be eliminated by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one.