Kaspersky's hidden list of car makers' applications

Even as most car manufacturers want to deliver autonomous cars in the next few years, they still seem to be far behind in adopting security best practices to keep cars and drivers safe. According to Kaspersky, the Android apps of well-known car makers could now expose millions of cars to theft or other risks. The manufacturers still don't seem to be treating security as the life-and-death issue that it is when it comes to smart cars and autonomous vehicles.
The idea of a “connected car” started becoming popular a few years ago, as manufacturers wanted to give users more “smart features” that would set their cars apart from those of the competitors.
The smart features, which you can enable through smartphone applications, include finding out the GPS coordinates of a car, tracing its route, opening its doors, starting its engine, and turning on its auxiliary devices. The problem is that any channel that lets a smartphone app control a car’s engine over the internet is also a channel an attacker can use to do the same, once the app, the phone, or the account behind it is compromised.
One of the most important security principles is reducing the attack surface. Car makers seem to be doing the exact opposite right now, by implementing over-the-internet remote control for cars’ most critical systems. Components such as the engine, brakes, or steering, or anything that, if taken over by bad actors, would jeopardize the driver’s life, should never be controllable directly over the internet.
This is really the same principle that IoT makers should abide by as well, except in this case it’s not just your privacy that’s at stake, but your actual car (if it’s stolen), or even your life.
Kaspersky’s App Report
Kaspersky reviewed seven of the most popular applications from well-known car manufacturers to see if they can be used to gain access to the car’s infrastructure. Kaspersky has decided to keep the names of the manufacturers hidden for now, although it would’ve probably served the public’s interest much more if it had made them all public, at least after they all announce that they’ve fixed their apps.
Car makers haven’t shown a willingness to significantly improve their systems’ security so far. It’s likely that this isn’t going to change much if such reports hide their names so the car manufacturers don’t have to suffer any of the consequences for it.
The security company reviewed the following aspects in the apps:
- Availability of potentially dangerous features that would make it possible for someone to steal the car
- Whether the app employs obfuscation techniques to make it hard to reverse engineer it
- Whether the app checks for root permissions on the car owner’s Android device. On a rooted device, malware can read other apps’ private data and tamper with them far more easily
- Availability of GUI overlay protection to stop bad actors from stealing credentials
- Availability of an integrity check that verifies whether the app’s code has been changed
As we can see from Kaspersky’s table below, all of the apps failed all of Kaspersky’s tests. Perhaps the most incredible finding is that none of these well-known car makers seem to be encrypting users’ credentials. These are the same car makers that we’ll have to trust in a few years with their autonomous cars to safely drive us around, yet they can’t even implement 1990s-era internet security guidelines for their cars and related systems.
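To make the checklist above and the credential point concrete, here is an added example of what the missing protections look like in an Android app. It is illustrative code written for this article, not code from Kaspersky's report or from any car maker's app. The class name `AppChecks`, the `su` path list, and the `EXPECTED_CERT_SHA256` placeholder are assumptions; the credential store assumes the `androidx.security:security-crypto` library is on the build. Obfuscation is not shown because it is a build step (R8/ProGuard), not application code.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.view.View;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.security.MessageDigest;

// Added example (not from Kaspersky or any car maker's app): startup checks and
// credential storage covering the items in the checklist above.
public final class AppChecks {

    // Assumption: SHA-256 of the release signing certificate, baked in at build time.
    // The value below is a placeholder, not a real fingerprint.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Common locations of the su binary / superuser apps on rooted devices (assumed list).
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/system/app/Superuser.apk"
    };

    private AppChecks() {}

    /** Root check: test-keys build tags or an su binary on disk. Heuristic only;
     *  root-hiding tools can defeat it, so a "clean" result is weak evidence. */
    public static boolean isDeviceRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            return true;
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Integrity check: every signing certificate of the installed APK must hash to the
     *  expected value; a repackaged app is signed with the attacker's key instead. */
    public static boolean isSignatureIntact(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String actual = toHex(sha256.digest(sig.toByteArray()));
                if (!actual.equalsIgnoreCase(EXPECTED_CERT_SHA256)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed: no package info means no trust
        }
    }

    /** Overlay (tapjacking) protection: discard touches delivered while another
     *  window is drawn over this view, e.g. the login form's password field. */
    public static void protectFromOverlays(View sensitiveView) {
        sensitiveView.setFilterTouchesWhenObscured(true);
    }

    /** Credential storage: keys and values encrypted under a key held in the Android
     *  Keystore, instead of a plaintext SharedPreferences file. */
    public static SharedPreferences openCredentialStore(Context ctx) throws Exception {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "car_app_credentials",
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

An app would run `isDeviceRooted()` and `isSignatureIntact()` before showing its login screen and refuse, or at least disable engine and door commands, when either fails. `PackageManager.GET_SIGNATURES` is deprecated from API 28 in favour of `GET_SIGNING_CERTIFICATES`, which also covers key rotation. None of these checks stops a capable attacker on its own; their value is that a modified or tapjacked app, or a stolen credentials file, no longer works by default.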
Car Theft And More
According to Kaspersky, the primary risk from these weaknesses is that car thieves could unlock the doors more easily, and then use programming units to “write a new key into the car’s on-board system,” another consequence, if you will, of making cars “smarter.” The thieves can steal the cars without breaking anything physically. However, according to Kaspersky, car theft is not the only thing that should scare you if you own one of these cars:
“Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death,” said Kaspersky in its report.
Car makers don’t seem to have figured out a solid plan for protecting their connected cars against hackers yet, or even to design their smart features in a secure way. However, they’re already moving full steam ahead to ship autonomous vehicles over which a driver (or rather a passenger) has no control.
Autonomous vehicles, or vehicles with autonomous driving systems that still allow the driver to take control when needed, will likely end up saving millions of lives because of their increased safety on the road. However, they could also expose their owners to other types of dangers, from hacking while on the road to ransomware that locks the car until the owner pays a significant sum of money.
All of this could be mostly avoided if car makers start treating security as seriously as they do developing self-driving systems and electric vehicle platforms. The digital security of these future cars will be just as important for their businesses, especially if makers of autonomous vehicles end up liable for accidents (as it would be their systems controlling the cars at all times, rather than the drivers).
Time For Car Makers To Be Responsible
The real crux of the problem here is that car makers should already know that Android devices, or even iPhones, can be exposed to all sorts of security vulnerabilities. That’s why they shouldn’t be trusting them with control over the cars’ door locks, let alone giving them remote control over the cars’ engines.
This is less of a technological issue, such as whether the car makers enabled integrity and root checks for their apps, and more of a responsibility issue. Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change.