Connected cars: convenient and vulnerable

New analysis pinpoints some weaknesses in a new generation of cars with online capabilities. If exploited, this may result in car theft and other problems.

If you have ever heard of futuristic concepts like “smart home” or “internet of things”, I may surprise you by saying that currently the most comprehensive implementation of such smart environments is actually the modern car.

A typical car contains dozens of computers that control brakes, wheels, lights, climate and everything else. Of course, automotive vendors have followed the trend and enabled the use of various online services in new cars, making them “connected”. Thus, you can remotely adjust the air conditioning in your car by using your smartphone, check Yelp or Google Maps directly from the car’s dashboard, or engage an automatic emergency system that can call for help and provide EMS with an accident’s GPS coordinates.

Use of such services is already widespread, as demonstrated in recent research conducted by a Spanish branch of the Interactive Advertising Bureau (IAB). The analysis of “connected” features in recent cars from 15 leading automotive brands, including Audi, BMW, Ford, Lexus, Opel, Renault, Volvo and others, indicates that every vendor has some kind of connectivity solution. One group of vendors emphasizes “in-car” solutions, while another pays great attention to smartphone integration. BMW leads the pack with 20 smartphone apps and 14 in-car apps, which provide every single feature from Spotify to remote car diagnostics. It’s no wonder that IAB asked Kaspersky Lab to assess the security risks of using a “connected car” based on BMW’s implementation.

Of course, the most concerning scenarios involve hacking of the steering wheel and brakes, which has been demonstrated before for other automotive brands, but for this research, Kaspersky experts focused on misusing “normal” functions of a connected car. The most intriguing one is obviously the ability to unlock the car without a key, using a smartphone with a dedicated app called My BMW Remote.

To BMW’s credit, their developers have done a decent job by implementing two-factor authentication, which requires the installation of a “virtual key” on a smartphone. However, any expert who has dealt with a banking Trojan can easily describe some tricks used by criminals to overcome that kind of protection. A combination of phishing, keylogging and man-in-the-middle techniques, along with social engineering, allows criminals to overcome the most sophisticated protection mechanisms. In a practical test, a researcher was able to intercept a “victim’s” credentials and successfully install a key app on his smartphone, and was thus able to open a car without any help from its legitimate owner.

“Owners of connected cars may face risks ranging from password and geolocation theft to unsanctioned remote control and even door unlocking. Threats specific to the computer world may become relevant for the automotive industry as well, and owners of next-generation cars must learn to take these risks into account,” said Vicente Diaz, Kaspersky Lab Principal Security Researcher.