Insecure Android Apps Expose Connected Cars

Researchers at Kaspersky Lab have analyzed several Android applications for connected cars and determined that most of them lack important security features, making it easier for hackers to unlock the vehicles.

Carmakers often provide mobile applications that allow owners to control various functions remotely, including locking and unlocking doors, starting the engine, locating the vehicle, obtaining service information, and controlling air conditioning.

Kaspersky has analyzed seven of the most popular connected car Android applications, which have been installed by millions of users. The applications have not been named, but the security firm has reported its findings to their developers.

Researchers tested the apps to determine if they can be abused to steal a car or incapacitate its systems. They also looked for various security mechanisms, such as the use of obfuscation to prevent reverse engineering, checking if the device is rooted, checking the integrity of the code, and ensuring that the legitimate GUI is displayed to the user (i.e. overlay protection).

All the tested applications can be used to unlock a vehicle’s door and some of them also allow the user to start the engine. However, the aforementioned security features are mostly missing from the apps – only one encrypts the username and password, and none of them use obfuscation, overlay protection, root detection or code integrity checks.

The lack of security mechanisms makes it easier for a piece of malware that has infected the Android device to take control of the smart car app. And while hijacking the application does not allow an attacker to drive away with the car, it does allow them to unlock it and disable its alarm, which can make it easier to steal.

Researchers said car apps should be as secure as online banking apps, but they believe these applications currently represent the weakest link.

In November, researchers at Norway-based security firm Promon demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android app. At the time, Tesla said the vulnerabilities exploited by the researchers were not specific to its products, and argued that once a smartphone is hacked, all the apps stored on it are compromised.

Kaspersky researchers agree, but they told SecurityWeek that certain security mechanisms can make exploitation more difficult, even if the attacker has root access to the device.

“If you store users’ data in an encrypted storage (in addition to default Android secure storage which can be accessed by root-rights owner), if your app has a root-detection feature, if the code of the app is obfuscated and if it does a self-integrity check, it would be much-much harder for an attacker to break it and steal your users’ private data or even get access to their cars’ control,” the researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
