Car Makers Haven’t Learned: Insecure Apps Expose Millions Of Connected Cars To Theft, Risks

[Image: Kaspersky's hidden list of car makers' applications]

Even as most car manufacturers want to deliver autonomous cars in the next few years, they still seem to be far behind in adopting security best practices to keep cars and drivers safe. According to Kaspersky, the Android apps of well-known car makers could now expose millions of cars to theft or other risks. The manufacturers still don't seem to be treating security as the life-and-death issue that it is when it comes to smart cars and autonomous vehicles.

Connected Cars

The idea of a “connected car” started becoming popular a few years ago, as manufacturers wanted to give users more “smart features” that would set their cars apart from those of the competitors.

The smart features, which you can enable through smartphone applications, include finding out the GPS coordinates of a car, tracing its route, opening its doors, starting its engine, and turning on its auxiliary devices. The issue with these features is that if you give smartphone applications the ability to control a car’s engine over the internet, that means it would be roughly as easy for an attacker to take control over that car’s engine over the internet as well.

One of the most important security principles is reducing the attack surface. Car makers seem to be doing the exact opposite right now, by implementing over-the-internet remote control for cars’ most critical systems. Components such as the engine, brakes, or wheels, or anything that, if taken over by bad actors, would jeopardize the driver’s life, should never be controlled directly over the internet.

This is really the same principle that IoT makers should abide by as well, except in this case it’s not just your privacy that’s at stake, but your actual car (if it’s stolen), or even your life.

Kaspersky’s App Report

Kaspersky reviewed seven of the most popular applications from well-known car manufacturers to see if they can be used to gain access to the car’s infrastructure. Kaspersky has decided to keep the names of the manufacturers hidden for now, although it would’ve probably served the public’s interest much more if it had made them all public, at least after they all announce that they’ve fixed their apps.

Car makers haven’t shown a willingness to significantly improve their systems’ security so far. It’s likely that this isn’t going to change much if such reports hide their names so the car manufacturers don’t have to suffer any of the consequences for it.

The security company reviewed the following aspects in the apps:

  • Availability of potentially dangerous features that would make it possible for someone to steal the car
  • Whether the app employs obfuscation techniques to make it hard to reverse engineer it
  • Whether the app checks for root permissions on the car owner’s Android device. Rooted devices allow malware to infect other apps much more easily
  • Availability of GUI overlay protection to stop bad actors from stealing credentials
  • Availability of an integrity check that verifies whether the app’s code has been changed

As we can see from Kaspersky’s table below, all of the apps failed all of Kaspersky’s tests. Perhaps the most incredible finding is that none of these well-known car makers seem to be encrypting users’ credentials. These are the same car makers that we’ll have to trust in a few years with their autonomous cars to safely drive us around, yet they can’t even implement 1990s-era internet security guidelines for their cars and related systems.
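To make the three app-side criteria above concrete (root check, integrity check, GUI overlay protection), here is an added illustration of how an Android app can implement them. It is example code written for this article, not code from Kaspersky or from any car maker's app; the class name and the EXPECTED_CERT_SHA256 placeholder are assumptions to be replaced with the app's own release signing certificate hash.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.view.View;
import java.io.File;
import java.security.MessageDigest;

/** Self-checks modelled on the criteria in the Kaspersky review (added example). */
public final class AppHardening {
    // Placeholder: replace with the SHA-256 of the app's release signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256";

    // Common locations of an su binary on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    /** Root check: a test-keys build or an su binary on a standard path. */
    public static boolean isLikelyRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** Integrity check: the installed APK must be signed with the expected certificate. */
    public static boolean isSignatureIntact(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String hex = toHex(md.digest(sig.toByteArray()));
                if (hex.equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) {
            // Any failure to read or hash the signature is treated as a broken signature.
        }
        return false;
    }

    /** Overlay protection: ignore touches delivered while another window covers the view. */
    public static void protectFromOverlay(View loginView) {
        loginView.setFilterTouchesWhenObscured(true);
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

These checks run inside the app, so a repackaged app can remove them; they raise the bar for tampering rather than replacing server-side controls, and the signature check should be paired with a backend that refuses requests from unexpected builds.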

Car Theft And More

According to Kaspersky, the primary risk for these vulnerabilities is that car thieves could unlock the doors more easily, and then use programming units to “write a new key into the car’s on-board system”--another consequence, if you will, of making cars "smarter." The thieves can steal the cars without ever having to break any physical part. However, according to Kaspersky, car stealing is not the only thing that should scare you, if you’re an owner of one of these cars:

“Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death,” said Kaspersky in its report.

Autonomous Cars

Car makers don’t seem to have figured out a solid plan for protecting their connected cars against hackers yet, or even to have designed their smart features in a secure way. However, they’re already moving full steam ahead to ship autonomous vehicles over which a driver (or rather a passenger) has no control.

Autonomous vehicles, or vehicles with autonomous driving systems that still allow the driver to take control when needed, will likely end up saving millions of lives because of their increased safety on the road. However, they could also expose their owners to other types of dangers, from hacking while on the road to ransomware that locks the car until the owner pays a significant sum of money.

All of this could be mostly avoided if car makers start treating security as seriously as they do developing self-driving systems and electric vehicle platforms. The digital security of these future cars will be just as important for their businesses, especially if makers of autonomous vehicles end up liable for accidents (as it would be their systems controlling the cars at all times, rather than the drivers).

Time For Car Makers To Be Responsible

The real crux of the problem here is that car makers should already know that Android devices, or even iPhones, are exposed to all sorts of security vulnerabilities. That’s why they shouldn’t be trusting them with control over the cars’ door locks, let alone giving them remote control over the cars’ engines.

This is less of a technological issue, such as whether the car makers enabled integrity and root checks for their apps, and more of a responsibility issue. Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change.

  • __thatguy__
    "Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change."

    Entire article was good until the above. It's not only responsible - it's wanted. You don't impede progress, but automobile manufacturers have to implement effective security measures.
  • matmat9v
    It's not irresponsible, it is unwanted unless you want your car stolen. I would prefer to have a car unlock by at least a PIN entered on a keypad on my car door. After all, car keys are easy to lose. If I were a security analyst in any insurance company I would refuse honoring any "stolen car" claim for such a vehicle, citing insufficient protection and gross negligence on the user's part.
  • anbello262
    It IS wanted. If it wasn't, those cars wouldn't be selling in the first place. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

    I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
    The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.