Kaspersky Lab: Who is controlling your car without your knowledge?

Kaspersky Lab researchers have examined the security of remote car control applications from several well-known car manufacturers. The company's experts found that all of the applications contain a number of security issues that could potentially allow criminals to cause significant damage to owners of connected cars.

Over the last few years, cars have started actively connecting to the Internet. Connectivity covers not only their information and entertainment systems, but also critical vehicle systems, such as door locks and ignition, which are now accessible online.

With the help of mobile applications, it is now possible to obtain the coordinates of the vehicle's location and its route, open the doors, start the engine and control additional devices inside the car. On the one hand, these features are extremely useful. On the other hand, how have manufacturers secured these applications against the risk of digital attacks?

To find out, Kaspersky Lab researchers looked at seven remote car control applications developed by the largest automakers, which, according to Google Play statistics, have been downloaded by tens of thousands of users, and in some cases up to five million times. The research found that each of the applications examined contained several security issues.

The list of security issues that have been discovered includes:

  • No defense against application reverse engineering. As a result, malicious users can understand how the application works and find a vulnerability that will allow them to gain access to server-side infrastructure or a car's multimedia system.
  • No code integrity check. This matters because its absence allows criminals to integrate their own code into the application and replace the original program with a fake.
  • No rooting detection techniques. "Root" privileges provide Trojans with almost unlimited capabilities and leave the application defenseless.
  • Lack of protection against application overlay techniques. This allows malicious applications to display phishing windows and steal user login information.
  • Storage of logins and passwords in plain text. Using this weakness, a criminal can steal user data relatively easily.

After a successful compromise, an intruder can gain control of the car, unlock the doors, deactivate the security alarm and, in theory, steal the vehicle.

In each case, the attacker will have to make some extra preparations, such as tricking app users into installing specially crafted malicious apps, which will then compromise the device and gain access to the car app. However, as Kaspersky Lab experts have concluded from research into many other malicious applications that target banking and other important information, this is unlikely to be a problem for criminals with experience in social engineering techniques if they decide to turn against the owners of connected cars.

"The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. When thinking about the security of a connected car, one should not consider only the security of the server-side infrastructure. We expect that car manufacturers will have to follow the same road that banks have already taken with their applications. Initially, applications for online banking did not have all the security features mentioned in our research. Today, after multiple cases of attacks against banking applications, many banks have improved the security of their products. Fortunately, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to set things right. Exactly how much time they have is unknown. Modern Trojans are very flexible: one day they can act like normal adware, and the next day they can easily download a new configuration that enables them to target new applications. The attack surface in this case is really big", said Victor Chebyshev, Kaspersky Lab security expert.

Kaspersky Lab researchers advise users of connected car applications to follow the tips below to protect their cars and personal data from possible digital attacks:

  • Avoid rooting your Android device, as this opens almost unlimited possibilities for malicious applications.
  • Disable the ability to install apps from sources other than official app stores.
  • Keep your device's operating system updated to the latest version in order to reduce software vulnerabilities and lower the risk of attack.
  • Install a proven security solution to protect your device from digital attacks.

For more information on threats to connected cars, visit the dedicated website Securelist.com.


Written by Dimitris
