Mobile car apps implement poor security measures, to the advantage of car thieves

Pierluigi Paganini February 18, 2017

Experts at Kaspersky Lab have analyzed several Android car apps and discovered that most of them lack proper security features to protect vehicles.

Security researchers from antivirus vendor Kaspersky Lab have analyzed seven of the most popular Android apps that allow owners to remotely control millions of modern cars.

The experts discovered that the Android apps, whose names were not disclosed, lack basic security features, which exposes owners to cyber attacks.

The experts focused their analysis on the countermeasures available to protect the Android apps when the owner’s mobile device is infected with malware.

None of the tested applications used code obfuscation to make reverse engineering of the code harder for hackers, and none of them used code integrity checks to prevent malicious manipulation.

It is interesting to note that none of the tested apps checked whether the device is rooted, a circumstance that opens the door to hacking due to the presence of software installed from unofficial app stores.

Two of the seven Android car apps didn’t encrypt the login credentials stored locally, and four encrypted only the password.
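A developer can check their own app's local storage for this weakness. The following is an added example, not code from Kaspersky or from any of the tested apps: it assumes the credentials sit in a SharedPreferences-style XML file pulled from a test device, and the key-name patterns, sample values and the encryption heuristic are all constructed for illustration.

```python
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Hypothetical key-name patterns; substitute the names your own app uses.
PASSWORD_KEY = re.compile(r"pass|pwd|pin", re.I)
LOGIN_KEY = re.compile(r"user|login|email", re.I)

def looks_encrypted(value: str) -> bool:
    """Heuristic only: base64 of >=16 bytes that are high-entropy and mostly non-printable."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False                      # not base64 at all: stored as typed
    if len(raw) < 16:
        return False
    counts = Counter(raw)
    entropy = -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return entropy >= 3.5 and printable < 0.9   # rejects base64-encoded plaintext

def plaintext_credentials(xml_text: str) -> list:
    """Return which credential kinds ('login', 'password') are stored unprotected."""
    found = set()
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        if PASSWORD_KEY.search(name):
            kind = "password"
        elif LOGIN_KEY.search(name):
            kind = "login"
        else:
            continue
        if value and not looks_encrypted(value):
            found.add(kind)
    return sorted(found)

# Constructed sample data: 32 distinct bytes stand in for real ciphertext.
CIPHERTEXT = base64.b64encode(bytes(range(0, 256, 8))).decode()

def sample_prefs(login: str, password: str) -> str:
    return (f"<map><string name='username'>{login}</string>"
            f"<string name='password'>{password}</string></map>")

if __name__ == "__main__":
    print(plaintext_credentials(sample_prefs("alice@example.com", "Summer2017!")))
    print(plaintext_credentials(sample_prefs("alice@example.com", CIPHERTEXT)))
    print(plaintext_credentials(sample_prefs(CIPHERTEXT, CIPHERTEXT)))
```

The three sample files mirror the cases in the report: both values readable, only the password protected, and both protected. A clean result from this heuristic does not prove the encryption is sound, only that nothing is stored as typed.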

None of the tested applications used overlay protections to prevent other apps from displaying phishing forms over the legitimate applications. This technique is very common among mobile malware, which displays fake log-in screens on top of other apps in order to trick users into providing their log-in credentials.

“Theoretically, after stealing credentials, an evildoer will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system,” reads the analysis published by Kaspersky. “Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system. Thus, an evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.”

Once the Android car apps are compromised, the attacker can remotely unlock the vehicle and disable its alarm system in order to steal the car.

“Also, the risks should not be limited to mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death,” continues Kaspersky.

The experts from Kaspersky warn that the security implemented by mobile car apps should not be ignored, because weaknesses in it could offer a precious opportunity to thieves. They want an approach to security like the one used for banking applications.

“Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account,” the researchers said.


(Security Affairs – car apps, hacking)
