Earlier this year, Kaspersky’s security researchers tested nine applications offered by some of the major carmakers (still no names mentioned yet by Kaspersky) and found that the apps failed all of its security tests.
The Kaspersky researchers wanted to see if the carmakers’ apps were protected mainly from three typical kinds of attacks that mobile users may experience: gaining root permissions on the device (rooting), overlaying the app interface with a fake window, and injecting malicious code into a legitimate connected car app.
Malicious actors could use these types of attacks to steal user credentials or PIN codes, as well as a vehicle’s unique vehicle identification number (VIN), which is all that’s required to authenticate in the application. Once this data is obtained, the attackers can install the same app on their devices, use the stolen credentials to track a car’s owner, or even unlock a car’s doors and steal it.
According to Kaspersky’s security researchers, this threat is no longer theoretical. Darknet forums now feature ads selling and buying such user credentials, which typically sell for more than someone’s credit card information would cost. This could mean that such information is quite valuable for those looking to buy it.
The researchers believe that because this type of attack seems so profitable, it may be just a matter of time before more widespread attacks begin.
Previously Tested Apps Still Vulnerable
Even though Kaspersky had already warned the nine unnamed carmakers about their apps’ flaws, the apps still seemed to be vulnerable to the same type of attacks about half a year later. Not only that, but some of them haven’t received any update during all of this time.
In the second part of its analysis, Kaspersky also added four more applications from four more carmakers. It found that only one of the newly added apps was protected, but even that was only against a single attack vector. That is, the app would refuse to operate if the phone was rooted.
Kaspersky believes that the carmakers have yet to build enough digital security expertise to deal with these sort of issues properly.
However, it also seems to show that carmakers don’t take the issue seriously enough to invest more money into developing that much-needed expertise. As more of their cars become “connected” or even gain self-driving features, the need for better software security seems imperative.
“This problem is typical of manufacturers of other smart and connected electronics,” said Kaspersky in a recent post. “With cars, though, the issue feels more urgent and serious; hacks could cause losses in the tens of thousands of dollars, or even put someone’s life at risk,” added the company.
OnStar (Opel / Vauxhall)
Porsche Car Connect
Volvo On Call
KiaMy BMW Remote
It's no different to having doors that are extremely easy to pick without causing a scratch. I'd be very weary about buying one of these cars, and if I already owned one I'd remove the app ASAP.
The loss is small to owner, and even the insurance company needs a certain level of losses to keep everyone making monthly payments. The incentives are just all pushing against making costly changes.