Car Makers Haven’t Learned: Insecure Apps Expose Millions Of Connected Cars To Theft, Risks

Kaspersky's hidden list of car makers' applications

Even as most car manufacturers want to deliver autonomous cars in the next few years, they still seem to be far behind in adopting security best practices to keep cars and drivers safe. According to Kaspersky, the Android apps of well-known car makers could now expose millions of cars to theft or other risks. The manufacturers still don't seem to be treating security as the life-and-death issue that it is when it comes to smart cars and autonomous vehicles.

Connected Cars

The idea of a “connected car” started becoming popular a few years ago, as manufacturers wanted to give users more “smart features” that would set their cars apart from those of the competitors.

The smart features, which you can enable through smartphone applications, include finding out the GPS coordinates of a car, tracing its route, opening its doors, starting its engine, and turning on its auxiliary devices. The issue with these features is that if you give smartphone applications the ability to control a car’s engine over the internet, that means it would be roughly as easy for an attacker to take control over that car’s engine over the internet as well.

One of the most important security principles is reducing the attack surface. Car makers seem to be doing the exact opposite right now, by implementing over-the-internet remote control for cars’ most critical systems. Components such as the engine, brakes, or steering, or anything that, if taken over by bad actors, would jeopardize the driver’s life, should never be controlled directly over the internet.

This is really the same principle that IoT makers should abide by as well, except in this case it’s not just your privacy that’s at stake, but your actual car (if it’s stolen), or even your life.
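One way to make the attack-surface principle above concrete on the back end is a command gateway that decides, before any vehicle link is touched, which remote requests may proceed at all. The following is an added example, not code from the article, from Kaspersky, or from any car maker: commands are sorted into tiers, the safety-critical tier is refused on the internet-facing channel regardless of how well the caller authenticated, actuation of any kind is refused while the vehicle reports movement, unlocking needs a recent second factor, and actuations are rate limited. The command names, tiers, the two-minute step-up window and the five-per-minute limit are this example's own choices.

```java
// Added example (not from the article, Kaspersky or any car maker): a
// server-side gateway that keeps safety-critical functions off the remote
// channel. Command names, tiers, the step-up window and the rate limit are
// hypothetical values chosen for illustration.
import java.util.EnumMap;
import java.util.Map;

public final class RemoteCommandGateway {
    public enum Command { LOCATE, LOCK, UNLOCK, CLIMATE_ON, ENGINE_START, BRAKE, STEER }
    public enum Tier { READ_ONLY, CONVENIENCE, SAFETY_CRITICAL }
    public enum Decision { ALLOW, DENY_SAFETY_CRITICAL, DENY_VEHICLE_MOVING,
                           DENY_STEP_UP_REQUIRED, DENY_RATE_LIMIT }

    // Static policy: the remote channel is never wired to the bottom tier at all.
    private static final Map<Command, Tier> TIERS = new EnumMap<>(Command.class);
    static {
        TIERS.put(Command.LOCATE, Tier.READ_ONLY);
        TIERS.put(Command.LOCK, Tier.CONVENIENCE);
        TIERS.put(Command.UNLOCK, Tier.CONVENIENCE);
        TIERS.put(Command.CLIMATE_ON, Tier.CONVENIENCE);
        TIERS.put(Command.ENGINE_START, Tier.SAFETY_CRITICAL);
        TIERS.put(Command.BRAKE, Tier.SAFETY_CRITICAL);
        TIERS.put(Command.STEER, Tier.SAFETY_CRITICAL);
    }

    public static final long STEP_UP_WINDOW_MS = 120_000L;  // example value: 2 minutes
    public static final int MAX_ACTUATIONS_PER_MINUTE = 5;  // example value

    /** Per-account state the gateway keeps between requests. */
    public static final class Session {
        long lastStepUpMillis = -1;   // -1: no second factor seen yet
        long windowStartMillis = 0;
        int actuationsInWindow = 0;
    }

    /**
     * @param stepUpPassed caller has just completed a second factor for this request
     * @param speedKmh     latest speed telemetry reported by the vehicle
     */
    public static Decision evaluate(Session s, Command cmd, boolean stepUpPassed,
                                    double speedKmh, long nowMillis) {
        Tier tier = TIERS.get(cmd);
        // Checked first: no amount of authentication turns this into an allowed request.
        if (tier == Tier.SAFETY_CRITICAL) return Decision.DENY_SAFETY_CRITICAL;
        if (tier == Tier.READ_ONLY) return Decision.ALLOW;
        // Defense in depth: nothing that moves a part of the car while it is driving.
        if (speedKmh > 0.0) return Decision.DENY_VEHICLE_MOVING;
        if (stepUpPassed) s.lastStepUpMillis = nowMillis;
        if (cmd == Command.UNLOCK
                && (s.lastStepUpMillis < 0 || nowMillis - s.lastStepUpMillis > STEP_UP_WINDOW_MS)) {
            return Decision.DENY_STEP_UP_REQUIRED;
        }
        // Sliding one-minute window limits how fast an abused account can actuate anything.
        if (nowMillis - s.windowStartMillis >= 60_000L) {
            s.windowStartMillis = nowMillis;
            s.actuationsInWindow = 0;
        }
        if (++s.actuationsInWindow > MAX_ACTUATIONS_PER_MINUTE) return Decision.DENY_RATE_LIMIT;
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        Session s = new Session();
        long t = 1_000_000L;  // constructed clock value
        System.out.println("engine start, authenticated: " + evaluate(s, Command.ENGINE_START, true, 0, t));
        System.out.println("unlock, no second factor:    " + evaluate(s, Command.UNLOCK, false, 0, t));
        System.out.println("unlock, second factor:       " + evaluate(s, Command.UNLOCK, true, 0, t + 1));
        System.out.println("lock while driving:          " + evaluate(s, Command.LOCK, false, 35.0, t + 2));
        for (int i = 0; i < 4; i++) evaluate(s, Command.CLIMATE_ON, false, 0, t + 3 + i);
        System.out.println("sixth actuation this minute: " + evaluate(s, Command.CLIMATE_ON, false, 0, t + 9));
    }
}
```

The point of the tier map being static is that the decision does not depend on who the caller is: even a fully compromised account, or a compromised gateway process that calls `evaluate` honestly, cannot reach the engine, brakes or steering over this path, which is the property the article is asking for.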

Kaspersky’s App Report

Kaspersky reviewed seven of the most popular applications from well-known car manufacturers to see if they can be used to gain access to the car’s infrastructure. Kaspersky has decided to keep the names of the manufacturers hidden for now, although it would’ve probably served the public’s interest much more if it had made them all public, at least after they all announce that they’ve fixed their apps.

Car makers haven’t shown a willingness to significantly improve their systems’ security so far. It’s likely that this isn’t going to change much if such reports hide their names so the car manufacturers don’t have to suffer any of the consequences for it.

The security company reviewed the following aspects in the apps:

• Availability of potentially dangerous features that would make it possible for someone to steal the car
• Whether the app employs obfuscation techniques to make it hard to reverse engineer it
• Whether the app checks for root permissions on the car owner’s Android device (rooted devices allow malware to infect other apps much more easily)
• Availability of GUI overlay protection to stop bad actors from stealing credentials
• Availability of an integrity check that verifies whether the app’s code has been changed

As we can see from Kaspersky’s table below, all of the apps failed all of Kaspersky’s tests. Perhaps the most striking finding is that none of these well-known car makers seem to be encrypting users’ credentials. These are the same car makers that we’ll have to trust in a few years with their autonomous cars to safely drive us around, yet they can’t even implement 1990s-era internet security guidelines for their cars and related systems.
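The checks Kaspersky tested for are all things an Android app can do for itself. The following is an added example, not code from the article, from Kaspersky, or from any car maker's app: one helper class showing a root-detection heuristic, a signing-certificate integrity check, overlay protection for the login screen, and credential storage encrypted with an AES-GCM key held in the Android Keystore. The package name, key alias and expected certificate hash are placeholders, and the root check is deliberately labelled a heuristic, since a determined attacker can hide the indicators it looks for.

```java
// Added example (not the article's, Kaspersky's or any car maker's code):
// client-side hardening checks for an Android app. Package name, alias and the
// expected certificate hash are placeholders to be replaced per project.
package com.example.connectedcar.security;  // hypothetical package

import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.view.View;
import android.view.WindowManager;

import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class AppHardening {
    // SHA-256 of the release signing certificate; PLACEHOLDER, take it from the real keystore.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256";
    private static final String KEY_ALIAS = "car-app-credentials";  // hypothetical alias
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private AppHardening() {}

    /** Root check: cheap heuristics only. A hit is a signal to degrade or refuse, not proof. */
    public static boolean looksRooted() {
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) return true;
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** Integrity check: does the APK carry the signing certificate baked in at build time? */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                if (hex(md.digest(sig.toByteArray())).equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) {
            // Any failure to read the signature is treated as a failed check.
        }
        return false;
    }

    /** Overlay protection: ignore touches passed through another window and block screen capture. */
    public static void protectLoginScreen(Activity activity, View loginForm) {
        loginForm.setFilterTouchesWhenObscured(true);
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Credential protection: seal a token with a Keystore-resident AES-GCM key; store the result, never the token. */
    public static byte[] sealCredential(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey());
        byte[] iv = c.getIV();  // random IV chosen by the Keystore provider
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static byte[] openCredential(byte[] sealed) throws Exception {
        byte[] iv = Arrays.copyOfRange(sealed, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, GCM_IV_BYTES, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keystoreKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);  // throws if the stored blob was tampered with
    }

    /** The key never leaves the Keystore; only the handle is returned to app code. */
    private static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry(KEY_ALIAS, null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

A caveat a practitioner would add: the signature check and the root heuristic run inside the very process an attacker on a rooted device or with a repackaged APK controls, so they raise the bar rather than settle the question; the Keystore-backed credential storage is the one check here whose guarantee does not depend on the app's own code being intact.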

Car Theft And More

According to Kaspersky, the primary risk from these vulnerabilities is that car thieves could unlock the doors more easily, and then use programming units to “write a new key into the car’s on-board system”, another consequence, if you will, of making cars "smarter." The thieves can steal the cars without ever having to break any physical part. However, according to Kaspersky, car theft is not the only thing that should scare you if you’re an owner of one of these cars:

“Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death,” said Kaspersky in its report.

Autonomous Cars

Car makers don’t seem to have figured out a solid plan for protecting their connected cars against hackers yet, or even to have designed their smart features in a secure way. However, they’re already moving full steam ahead to ship autonomous vehicles over which a driver (or rather a passenger) has no control.

Autonomous vehicles, or vehicles with autonomous driving systems that still allow the driver to take control when needed, will likely end up saving millions of lives because of their increased safety on the road. However, they could also expose their owners to other types of dangers, from hacking while on the road to ransomware that locks the car until the owner pays a significant sum of money.

All of this could be mostly avoided if car makers start treating security as seriously as they do developing self-driving systems and electric vehicle platforms. The digital security of these future cars will be just as important for their businesses, especially if makers of autonomous vehicles end up liable for accidents (as it would be their systems controlling the cars at all times, rather than the drivers).

Time For Car Makers To Be Responsible

The real crux of the problem here is that car makers should already know that Android devices, and even iPhones, are exposed to all sorts of security vulnerabilities. That’s why they shouldn’t be trusting them with control over the cars’ door locks, let alone giving them remote control over the cars’ engines.

This is less of a technological issue, such as whether the car makers enabled integrity and root checks for their apps, and more of a responsibility issue. Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • __thatguy__
    "Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change."

    Entire article was good until the above. It's not only responsible - it's wanted. You don't impede progress, but automobile manufacturers have to implement effective security measures.
    Reply
  • matmat9v
    It's not irresponsible, it is unwanted unless you want your car stolen. I would prefer to have a car unlock by at least PIN entered on keypad on my car door. After all car keys are easy to lose. If I were a security analyst in any insurance company I would refuse honoring any "stolen car" claim for such a vehicle citing insufficient protection and gross negligence on user part.
    Reply
  • anbello262
    It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

    I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
    The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.
    Reply
  • chile7236
    why are these apps lacking confidence in themselves?
    Reply
  • nukemaster
    19311325 said:
    It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

    I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
    The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.
    I have to agree. People determine what THEY want. The connected world is simply something more and more users want. As long as they can secure it better, I do not see a problem with it.

    People generally love everything being connected to a cellular phone. I see routers you can hardly configure on a computer via web browser any more(this trend is kind of disturbing because a web based interface or other multi-platform one will work even with new operating systems while these Apps may or may not be ported in the future to your device of choice.).

    I personally have no use for such things.

    I do not need my living room/bathroom/bedroom/kitchen connected to the internet. I think the fridge that tracks food with all kinds of cameras is kind of cool. It would be nice to be at the store and say "Do I need milk? Check the fridge remotely and see that I do."(not much loss if a hacker knows I need milk as well). I do NOT want anything important linked to the internet(says the online shopper), but I am a minority in that.

    Even government computers seem to have more connections than they need and users of some offices even bring flash drives from home to work(big NO NO in my books).
    Reply
  • SheriffMoose
    I wholeheartedly agree with the concept of this article - car manufacturers need to be practicing standard security measures when implementing this level of connectedness. However, I would say the current risk of thieves using this technology to steal your car is less likely. The average criminal interested in stealing your car isn't going to have the know how or take the time to learn how to hack into your car to unlock the doors when you can use fairly inexpensive tools to unlock the car. If you can still call a locksmith to unlock the car in less than 10 minutes with a physical tool, then it's unlikely that your car will be stolen using high-tech hacking methods.

    That's just my 2 cents. They need to be implementing security measures as is best practice with any internet connected technology, but I won't be losing sleep over the idea of a street criminal stealing my car by hacking the internet functions when they could use a Door Jimmy or other locksmith tool.
    Reply
  • anbello262
    19323651 said:
    I wholeheartedly agree with the concept of this article - car manufacturers need to be practicing standard security measures when implementing this level of connectedness. However, I would say the current risk of thieves using this technology to steal your car is less likely. The average criminal interested in stealing your car isn't going to have the know how or take the time to learn how to hack into your car to unlock the doors when you can use fairly inexpensive tools to unlock the car. If you can still call a locksmith to unlock the car in less than 10 minutes with a physical tool, then it's unlikely that your car will be stolen using high-tech hacking methods.

    That's just my 2 cents. They need to be implementing security measures as is best practice with any internet connected technology, but I won't be losing sleep over the idea of a street criminal stealing my car by hacking the internet functions when they could use a Door Jimmy or other locksmith tool.

    I actually believe the biggest danger is not in the car-theft area (and that's even covered by insurance).
    I believe that the big risk comes from causing crashes or kidnapping people by disabling some car functions (forcing a stop, for example), which would be a big concern for 'interesting' targets (people with more money than average, or political/social significance). No need to be the president, just being 'a bit bigger' than the average people can make you a good target.
    I agree that it is quite hard to achieve, but for the right target (or just random attacks, or even cyber terrorism) this probably could be done.
    Reply
  • Kaspersky is full of it. Cars are insured against theft. Insurance companies would not insure cars that had these systems had vulnerabilities. 6 months ago I submitted a virus report to Kaspersky, including the binaries. Their software still does not detect it. This is complete bogus marketing by Kaspersky.
    Reply
  • junkeymonkey
    '' Car Makers Haven’t Learned ''

    no, it's you who haven't learned and support these things that can allow a 3rd party as much control over your personal stuff , come on

    if it ain't got it then you don't worry about it , right ???
    Reply
  • wiyosaya
    19311325 said:
    It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

    I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
    The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.
    Personally, I think it is a stretch to say that the cars would not sell if they did not have an app that could remotely control the things talked about in the article. As I see it, we really cannot say why the cars are selling.

    This is a tech site, and in the real world, the number of tech illiterate people are likely much more of a proportion than they are on this site. Many of my own family members would have no clue about something like this, and I suspect that everyone who responded to this thread knows at least one such technically illiterate person, too. If the purchaser of a car does not ask about these options, do you think the dealer is going to tell them that the car they are considering has it? Dealers just want to sell cars, and in my experience, will do almost anything that they can to sell a car.

    The author of the article is not saying it should not be done, what he is saying is that it should not be done if it cannot be done securely.

    Right now, car manufs seem to not care at all about whether these apps make the car less secure. Blowing it off as "the insurance company will pay if the car is stolen", etc., is just a cop-out. At some point, insurance companies will care that manufs seem to have forgotten to keep their cars as secure as they were when keys were around, and if manufs still refuse to implement basic security options for apps like these, I would not be surprised if the insurance companies put clauses in their contracts that say something along the lines of we will not pay if your car is stolen due to defects in the manufs implementation of security. Insurance companies will not put up with this crap once it starts to become a major problem.

    I'll be in the market for a new car in the next few years, and if any car I am interested in has anything like this where the car can be compromised in any way by something stupid that the manufacturer could have taken steps to prevent, such as putting critical controls on a separate network, etc., I'll be telling the dealer: Thanks but no thanks, because I am not exposing my loved ones or myself to that kind of risk.
    Reply