Kaspersky Lab researchers have examined the security of remote car control applications from many well-known car manufacturers. As a result, the company's experts have discovered that all of the applications contain a number of security issues that could potentially allow criminals to cause significant damage to owners of connected cars.
Over the last few years, cars have begun to be actively connected to the Internet. Connectivity covers not only their information and entertainment systems, but also critical vehicle systems, such as door locks and ignition systems, which are now accessible over the Internet.
With the help of mobile applications, it is now possible not only to obtain the coordinates of the vehicle's position and its route, but also to open the doors, start the engine and control additional devices inside the car. On the one hand, these functions are extremely useful. On the other hand, how have manufacturers secured these applications against the risk of digital attacks?
In order to find out, Kaspersky Lab researchers looked at seven remote car control applications developed by the largest automakers, which, according to Google Play statistics, have been downloaded tens of thousands of times, and in some cases up to five million times. The study found that each of the applications under consideration contained several security issues.
The list of security issues that have been discovered includes:
- No defense against reverse engineering. As a result, malicious users can understand how the application works and find a vulnerability that will allow them to gain access to server-side or multimedia infrastructure.
- No code integrity check. This matters because its absence allows criminals to integrate their own code into the application and replace the original program with a fake one.
- No rooting detection techniques. "Root" privileges provide Trojans with almost unlimited capabilities and leave the application defenseless.
- Lack of protection against application overlay techniques. This helps malicious applications show phishing windows and steal user login information.
- Storage of logins and passwords in plain text. Using this weakness, a criminal can steal user data relatively easily.
After a successful compromise, an intruder can gain control of the car, unlock the doors, deactivate the security alarm and, in theory, steal the vehicle.
In any case, the attacker will have to make some extra preparations, such as enticing the users of the applications to install specially designed malicious applications, which will then invade the device and gain access to the car application. However, as Kaspersky Lab experts have concluded from research into many other malicious applications targeting online banking and other important information, this is unlikely to be a problem for criminals with experience in social engineering techniques if they decide to turn against owners of connected cars.
"The main conclusion of our research is that, in their current state, connected car applications are not ready to deal with malware attacks. If one is considering the security of a connected car, one should not only look at the security of the infrastructure on the server side. We expect carmakers to follow the same path that banks have taken with their applications. Initially, online banking applications did not have all the security features mentioned in our research. Today, after multiple cases of attacks on banking applications, many banks have improved the security of their products. Fortunately, we have not yet detected any cases of attacks against car applications, which means that car dealers still have time to get things right. Exactly how long they have is unknown. Modern Trojans are very flexible - one day they can act like regular adware, and the next day they can easily download a new setting that will allow them to target new applications. The attack area in this case is really large," said Victor Chebyshev, Kaspersky Lab security expert.
Kaspersky Lab researchers advise users of connected car applications to follow the tips below to protect their cars and personal data from possible digital attacks:
- Avoid rooting your Android device, as it will open up almost unlimited possibilities for malicious applications.
- Disable the ability to install apps from sources other than official app stores.
- Upgrade your device's operating system to the latest version in order to reduce software vulnerabilities and reduce the risk of attack.
- Install a proven security solution to protect your device from digital attacks.
For more information on threats to connected cars, visit the dedicated website Securelist.com.