February 17, 2017

Android for cars: Secure connection?

Malware News Threats

In the movie Dude, Where’s My Car? (2000), viewers follow the humorous tale of two guys who partied a bit too hard trying to remember where they parked their car. We’ve all been there — well, not to the extent of the movie characters, but raise your hand if you have ever forgotten where you parked at a concert, shopping center, or grocery store.

Fast-forward 17 years and there are apps for everything — even your car. Chances are, if an app might make part of your life easier, someone will develop it and plenty of people will use it.

Over the past few years, the concept of the connected car has continued to evolve — and become reality. At this year’s RSA Conference in San Francisco, our anti-malware researchers Victor Chebyshev and Mikhail Kuzin presented research that they conducted on seven popular apps for vehicles.

The apps seem to make users’ lives easier by linking their Android devices to their automobiles, but we have ask: Are we trading security for convenience? And as with many IoT connected devices, the answer is, security needs to become more of a priority for developers and manufacturers.

The primary functions of these apps are to open doors and in many instances start the car. Unfortunately, flaws in the apps could be exploited by attackers:

No protection against application reverse engineering. As a result, malefactors can dig in and find vulnerabilities that give them access to server-side infrastructure or to the car’s multimedia system.
No code integrity check. This allows criminals to incorporate their own code in the app, adding malicious capabilities and replacing the original program with a fake one on user’s device.
No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
Lack of protection against overlaying techniques. This allows malicious apps to show phishing windows on top of original apps’ windows, tricking users into entering login credentials in windows that send the info to criminals.
Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.

Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, even steal the vehicle.

The researchers disclosed their findings to the developers (they did not disclose names of the apps publicly) and also told them that no exploitations had been seen in the wild. A full, detailed report on this can be found over on Securelist, where each of the apps is evaluated.

It’s easy to bury your head in the sand, thinking you won’t be hacked or that this is the stuff of science fiction, but the truth is, ever since its invention, the automobile has been a target for criminals. And if there is a hack to make things easier, just imagine the possibilities.

Another thing to keep in mind is that we’ve already seen vulnerabilities allow smart white-hat hackers to make the jump from “benign vulnerability” to controlling a car. Two of the bigger automotive stories of the past two years were about how Charlie Miller and Chris Valasek took control of a Jeep via vulnerabilities.

Ultimately, personal security and app usage comes down to personal preference. Who we share our data with or entrust our convenience to is really up to us. With IoT devices and apps, convenience is too often considered before security.

In closing, Chebyshev notes:

“Applications for connected cars are not ready to withstand malware attacks. We expect that car manufacturers will have to go down the same road that banks have already taken with their applications… After multiple cases of attacks against banking apps, many banks have improved the security of their products.

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible — one day they can act like normal adware, and the next day they can easily download a new configuration, making it possible to target new apps. The attack surface is really vast here.”