Beeps, roots and leaves: Car-controlling Android apps create theft risk
Haven't named and shamed car-makers though
Insecure car-controlling Android apps create a heightened car theft risk, security researchers at Kaspersky Lab warn.
Boffins at the security software maker made the warning after putting Android apps from seven (unnamed) car makers through their paces, uncovering a raft of basic security flaws in the process.
During recent years, cars have started actively connecting to the internet. Connectivity includes not only their "infotainment" systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online.
The list of the security issues discovered by Kaspersky Lab's boffins includes:
- No defence against application reverse-engineering.
- No code integrity check - important because it enables criminals to incorporate their own code in the app and replace the original program with a fake one.
- No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenceless.
- Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
- Storage of logins and passwords in plain text.
Upon successful exploitation, a hacker could gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle. In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks," said said Victor Chebyshev, security expert at Kaspersky Lab. "Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure."
"We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right," he added.
More details on the research can be found in a post on Kaspersky Lab's Securelist blog here.
The security of the apps compared unfavourably to comparable banking apps, according to third party experts.
Mike Ahmadi, global director of critical systems security at Synopsys, commented: "Banks are indeed more mature in their general approach to security, including the hundreds and often thousands of applications they must interface with on a daily basis. They have faced the [problem] of being a target for a much longer time than the automotive community has, and they take a very proactive approach, generally speaking, in addressing ongoing security issues.
"The automotive industry is still relatively new to both application management and security issues, comparatively speaking, and is certainly working hard to address issues as they arise. While the banking industry may be better prepared to address security issues, the automotive industry continues to learn how to manage the many security challenges it faces as their connected vehicles continue to proliferate," he added. ®