Skip to main content

Car Makers Haven’t Learned, Part 2: Same App Security Issues, 6 Months Hence

Earlier this year, Kaspersky’s security researchers tested nine applications offered by some of the major carmakers (still no names mentioned yet by Kaspersky) and found that the apps failed all of its security tests.

The Kaspersky researchers wanted to see if the carmakers’ apps were protected mainly from three typical kinds of attacks that mobile users may experience: gaining root permissions on the device (rooting), overlaying the app interface with a fake window, and injecting malicious code into a legitimate connected car app.

Malicious actors could use these types of attacks to steal user credentials or PIN codes, as well as a vehicle’s unique vehicle identification number (VIN), which is all that’s required to authenticate in the application. Once this data is obtained, the attackers can install the same app on their devices, use the stolen credentials to track a car’s owner, or even unlock a car’s doors and steal it.

According to Kaspersky’s security researchers, this threat is no longer theoretical. Darknet forums now feature ads selling and buying such user credentials, which typically sell for more than someone’s credit card information would cost. This could mean that such information is quite valuable for those looking to buy it.

The researchers believe that because this type of attack seems so profitable, it may be just a matter of time before more widespread attacks begin.

Previously Tested Apps Still Vulnerable

Even though Kaspersky had already warned the nine unnamed carmakers about their apps’ flaws, the apps still seemed to be vulnerable to the same type of attacks about half a year later. Not only that, but some of them haven’t received any update during all of this time.

In the second part of its analysis, Kaspersky also added four more applications from four more carmakers. It found that only one of the newly added apps was protected, but even that was only against a single attack vector. That is, the app would refuse to operate if the phone was rooted.

Kaspersky believes that the carmakers have yet to build enough digital security expertise to deal with these sort of issues properly.

However, it also seems to show that carmakers don’t take the issue seriously enough to invest more money into developing that much-needed expertise. As more of their cars become “connected” or even gain self-driving features, the need for better software security seems imperative.

“This problem is typical of manufacturers of other smart and connected electronics,” said Kaspersky in a recent post. “With cars, though, the issue feels more urgent and serious; hacks could cause losses in the tens of thousands of dollars, or even put someone’s life at risk,” added the company.

  • 3ogdy
    Left Column:
    _________
    OnStar (Opel / Vauxhall)
    Porsche Car Connect

    Right Column:
    Volvo On Call
    KiaMy BMW Remote

    Reply
  • falchard
    But the only car maker who moved to secure their vehicles infotainment system was FCA. All the rest pretty much swept it under the rug.
    Reply
  • Olle P
    What does the insurance companies say about this?
    It's no different to having doors that are extremely easy to pick without causing a scratch. I'd be very weary about buying one of these cars, and if I already owned one I'd remove the app ASAP.
    Reply
  • Sveg
    This is getting beyond ridiculous. There needs to be a new fine for a company bluntly ignoring a well known issue, and only addressing it when it becomes a national issue
    Reply
  • Co BIY
    My would the car companies want their car more secure than the competition ? When it's stolen, the owner gets reimbursed by insurance and promptly buys a new model.

    The loss is small to owner, and even the insurance company needs a certain level of losses to keep everyone making monthly payments. The incentives are just all pushing against making costly changes.
    Reply
  • Olle P
    20196654 said:
    ... When it's stolen, the owner gets reimbursed by insurance...
    That's just it. If the car gets stolen this way, or by the use of (illegal) duplicate keys, the insurance company cry "fraud" and give the owner nothing!

    Reply