{"id":19691,"date":"2022-05-25T16:30:18","date_gmt":"2022-05-25T12:30:18","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/automotive-apps-security\/19691\/"},"modified":"2022-05-25T16:30:18","modified_gmt":"2022-05-25T12:30:18","slug":"automotive-apps-security","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/automotive-apps-security\/19691\/","title":{"rendered":"Automotive apps: who gets your car keys?"},"content":{"rendered":"<p>Any modern car is basically a computer on wheels. And many are also connected to the internet. As a result, in addition to the vehicles themselves, automakers are now developing apps to control them remotely. These can be used to check the car\u2019s location, turn on the heating or air conditioning in advance, lock and unlock the doors, and so on.<\/p>\n<p>However, different users have very different needs, and it\u2019s not possible to squeeze all features into one app. So, besides the software from automakers, there are also third-party apps for every taste and wallet. Sure, it\u2019s convenient. But is it safe? Our researchers <a href=\"https:\/\/securelist.com\/third-party-automotive-app-security\/106538\/\" target=\"_blank\" rel=\"nofollow noopener\">decided to investigate<\/a>\u2026<\/p>\n<h2>Who\u2019s driving your car?<\/h2>\n<p>For the car to know it\u2019s really you using the app, you need to enter a username and password. If you use the car maker\u2019s own app, your credentials don\u2019t get passed to a third party, which is a good thing. And there are security standards for car manufacturers that their products must meet.<\/p>\n<p>If you choose a third-party app with some unique features lacking in the official app, it somehow needs access to the vehicle or its telemetry data. 
Some apps use solutions specially developed by the automaker for this purpose, which do not require your credentials and are given limited access to the vehicle, allowing you to use their functionality but preventing them from doing dangerous things like unlocking the doors. These apps are more or less secure, but still few in number.<\/p>\n<p>Most connected-car apps require the username and password for your account with the manufacturer; that is, they get full access to your account. At the same time, the security requirements that apply to automakers do not extend to these apps, and this is where the problem arises.<\/p>\n<h2>Trust is everything<\/h2>\n<p>The study\u2019s main focus was on the third-party mobile apps that use the vehicle owner\u2019s account with the manufacturer. Unfortunately, more than half of app developers do not warn of the risks of handing over the account. Those who do warn users assure them that they either won\u2019t store the credentials at all, or will store them in encrypted form. Some of them emphasize that the username and password are needed only in order to obtain an authorization token. However, a token allows anyone to use the account on your behalf, just like your login credentials, and it too could be leaked if stored improperly. What\u2019s more, there\u2019s no way to check how your credentials are actually handled: you either trust the developers or you don\u2019t use the app.<\/p>\n<p>In addition, the developers of 14% of the apps that our researchers investigated proved impossible to contact in case of problems: the contact details on their websites were either missing or pointed to deleted social media pages.<\/p>\n<p>It\u2019s a similar situation with web services: the user hands over their credentials without knowing for sure how they\u2019ll be stored and processed. Open-source solutions are more transparent in this respect: tech-savvy users can at least study the code. 
However, for regular folks without a technical background, it\u2019ll be extremely difficult to figure it out.<\/p>\n<p>Another problem is that there are also intermediary services that link up the automaker\u2019s systems to third-party apps. These are used by developers of car apps and web services, but may be something that users have no inkling about whatsoever. And it\u2019s important to understand that if your chosen third-party automotive app works through an intermediary service, the developers of both will get hold of your credentials.<\/p>\n<h2>Third-party apps accessing your car: what\u2019s the risk?<\/h2>\n<p>If your credentials aren\u2019t stored very securely, intruders can get to them. They probably won\u2019t manage to steal your car, but they can remote-control the various systems: doors and windows, climate control, horn, headlights, etc. If an intruder starts honking or flashing lights randomly while you\u2019re driving, it can be unpleasant, if not downright dangerous.<\/p>\n<p>This might seem like a James Bond-type scenario: who on earth would want to do away with you in such an elaborate manner? But if such data were to leak into the public domain, it could fall into the hands of online pranksters anywhere in the world, of which there are plenty, who just want to have fun and don\u2019t even realize what the consequences might be.<\/p>\n<p>Besides, if an app is hacked, the attackers will have access to all the collected data, including geolocation. And this can be used to track the movements of car owners \u2014 again, from anywhere in the world.<\/p>\n<p>Here\u2019s a recent example. 
Not long ago, 19-year-old security expert David Colombo accidentally <a href=\"https:\/\/medium.com\/@david_colombo\/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a vulnerability in the TeslaMate app for collecting, storing and visualizing telemetry data from Tesla vehicles. He managed to find out where the car owners lived, where they drove and at what speed, where the vehicles were parked, where they were charged, and what updates were installed on those cars.<\/p>\n<p>Although the app itself was designed just to collect data, not to control the car, Colombo managed to do just that. And all because the storage containing the user\u2019s credentials was accessible with the default password, while some information could be retrieved with no authorization at all. Colombo reported the issue to the app developers and they fixed it relatively quickly. Despite the happy ending, the story shows that third-party car apps may not be as reliable as the devs claim.<\/p>\n<h2>So, should I stop using third-party apps?<\/h2>\n<p>All this is not to say that third-party apps should never be used in any circumstances. By no means all developers are indifferent to user data security. As we observed, TeslaMate\u2019s creators responded rather quickly to the vulnerability report and fixed the issue. And, as mentioned, there are apps that do not require full access to your account with the automaker.<\/p>\n<p>That said, if you want to use features lacking in your vehicle\u2019s native app, be careful when choosing: if possible, choose an app from a reliable developer, which at the very least doesn\u2019t hide its contact details and respects the concept of transparency. 
Look for reports by security experts and feedback from tech-savvy users who understand how it all works and what the risks are.<\/p>\n<p>If you\u2019re already using a third-party app but want to stop, note that simply uninstalling it from your smartphone may not be enough\u2026<\/p>\n<ul>\n<li>Check if you also need to unsubscribe or delete your account with the service;<\/li>\n<li>Just in case, change the password for your account with the automaker;<\/li>\n<li>If possible, revoke the app\u2019s access to your account through the manufacturer\u2019s website or technical support.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Most third-party apps for connected cars require access to your account with the manufacturer. But are they secure?<\/p>\n","protected":false},"author":2477,"featured_media":19692,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1226,1486],"tags":[109,621,698,628,765],"class_list":{"0":"post-19691","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-threats","9":"tag-apps","10":"tag-cars","11":"tag-connected-cars","12":"tag-internet-of-things","13":"tag-iot"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/automotive-apps-security\/19691\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/automotive-apps-security\/24209\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/automotive-apps-security\/26535\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/automotive-apps-security\/24493\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/automotive-apps-security\/24844\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/automotive-apps-security\/27214\/"},{"hreflang":"it",
"url":"https:\/\/www.kaspersky.it\/blog\/automotive-apps-security\/26744\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/automotive-apps-security\/10726\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/automotive-apps-security\/44425\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/automotive-apps-security\/18950\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/automotive-apps-security\/19494\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/automotive-apps-security\/28754\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/cars\/","name":"Cars"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19691"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19691\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19692"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}