
Kaspersky Labs Reveal Crippling Vulnerabilities in Smart Cars from Android Apps


【Summary】In case you were wondering, the types of vehicular apps Kaspersky Lab tested were equipped with core smart car features, such as door unlock and engine start. A successful attack through such apps could easily lead to theft.

Original Michael Cheng    Feb 23, 2017 1:10 PM PT

With numerous entry points, from Bluetooth connectivity to wireless key fobs, keeping smart cars secure is an incredibly difficult task. While automakers can easily monitor and secure their own applications and digital systems, it is impossible for companies to ensure the security of third-party, connected components, like USB dongles and smartphones. This is an issue that Kaspersky Lab, a leading cybersecurity firm based in Woburn, Massachusetts, uncovered in its latest analysis of Android apps released at the RSA 2017 security conference in San Francisco.

"Applications for connected cars are not ready to withstand malware attacks. We expect that car manufacturers will have to go down the same road that banks have already taken with their applications… After multiple cases of attacks against banking apps, many banks have improved the security of their products," said Victor Chebyshev, a Kaspersky Lab anti-malware researcher.

Reverse Engineering and Code Integrity Checks

Kaspersky Lab experts revealed that several smart car apps lack basic security features, allowing entry-level coders and hackers to manipulate the platforms with minimal effort. For example, the team found that most car apps aren't protected from reverse engineering. To prevent copying or product manipulation, most consumer service apps pack or "scramble" layers of code. Without this precautionary measure, anyone with basic knowledge of source code could scan through the information and exploit flaws in the system. It would also be possible to automate such processes using code auditing programs.

Interestingly, the research group noted that all smart car apps tested during the study were missing a code integrity check feature. This feature is extremely useful in detecting and tracing digital attacks, as it warns the automaker or creator of the app when the source code has been tampered with. In case you were wondering, the types of vehicular apps Kaspersky Lab tested were equipped with core smart car features, such as door unlock and engine start. A successful attack through such apps could easily lead to theft.
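To illustrate what a code integrity check does, the following added example (not code from Kaspersky Lab or from any of the tested apps) records a SHA-256 digest for every file in a release package and later reports which files were modified, added or removed. The function names, the package name and the sample package contents are assumptions constructed for the illustration; an APK is treated simply as a zip archive.

```python
import hashlib
import io
import zipfile

def build_manifest(apk_bytes):
    """Map each archive entry name to the SHA-256 hex digest of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist()}

def check_integrity(apk_bytes, trusted_manifest):
    """Compare a package against the manifest recorded at release time."""
    current = build_manifest(apk_bytes)
    return {
        "modified": sorted(n for n in current if n in trusted_manifest
                           and current[n] != trusted_manifest[n]),
        "added": sorted(n for n in current if n not in trusted_manifest),
        "removed": sorted(n for n in trusted_manifest if n not in current),
    }

def is_tampered(report):
    return any(report.values())

def make_sample_apk(entries):
    """Constructed stand-in for an APK: a zip archive holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not taken from any real app.
RELEASE = make_sample_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.car'/>",
    "classes.dex": b"original bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
})
REPACKAGED = make_sample_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.car'/>",
    "classes.dex": b"modified bytecode",
    "assets/extra.bin": b"unexpected file",
})

if __name__ == "__main__":
    manifest = build_manifest(RELEASE)
    for label, apk in (("release", RELEASE), ("repackaged", REPACKAGED)):
        report = check_integrity(apk, manifest)
        print(label, "TAMPERED" if is_tampered(report) else "ok", report)
```

In a deployed app the trusted manifest must be kept where a modified copy of the app cannot rewrite it, for example on the vendor's server, which is also what allows the vendor to be warned.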

SMS and Voice Commands

What about new smart car features, like SMS controls and voice commands? The cybersecurity firm recommends staying away from such features until they have been properly and thoroughly secured by the automaker. Compared to Android apps, SMS and voice commands, including integration with Microsoft's Cortana and Amazon's Alexa, are known for being incredibly easy to break into.

On a positive note, smart car attacks are very limited in the sense that not much can happen once a hacker is able to compromise the vehicle. Because ADAS is still nascent, the most a criminal could do is break into the car, turn the lights on and off or take down the infotainment system. Lastly, no cases of serious attacks involving smart car applications have been reported. This indicates that automakers still have time to secure their apps.

"How much time they have exactly is unknown. Modern Trojans are very flexible — one day they can act like normal adware, and the next day they can easily download a new configuration, making it possible to target new apps," said the firm.
