{"id":5942,"date":"2017-02-16T08:45:51","date_gmt":"2017-02-16T13:45:51","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5942"},"modified":"2017-09-24T18:21:40","modified_gmt":"2017-09-24T14:21:40","slug":"rsa-connected-cars","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/rsa-connected-cars\/5942\/","title":{"rendered":"Android for cars: Secure connection?"},"content":{"rendered":"

In the movie\u00a0Dude, Where\u2019s My Car?<\/em>\u00a0(2000), viewers follow the humorous tale of two guys who partied a bit too hard trying to remember where they parked their car. We\u2019ve all been there \u2014 well, not to the extent of the movie characters, but raise your hand if you have ever forgotten where you parked at a concert, shopping center, or grocery store.<\/p>\n

\"\"<\/p>\n

Fast-forward 17 years and there are apps for everything \u2014 even your car. Chances are, if an app might make part of your life easier, someone will develop it and plenty of people will use it.<\/p>\n

Over the past few years, the concept of the connected car has continued to evolve \u2014 and become reality. At this year\u2019s RSA Conference in San Francisco, our anti-malware researchers Victor Chebyshev and Mikhail Kuzin presented research that they conducted on seven popular apps for vehicles.<\/p>\n

The apps seem to make users\u2019 lives easier by linking their Android devices to their automobiles, but we have ask: Are we trading security for convenience? And as with many\u00a0IoT connected devices<\/a>, the answer is, security needs to become more of a priority for developers and manufacturers.<\/p>\n

\"\"<\/p>\n

The primary functions of these apps are to open doors and in many instances start the car. Unfortunately, flaws in the apps could be exploited by attackers:<\/p>\n

No protection against application reverse engineering.<\/b>\u00a0As a result, malefactors can dig in and find vulnerabilities that give them access to server-side infrastructure or to the car\u2019s multimedia system.
\nNo code integrity check.<\/b>\u00a0This allows criminals to incorporate their own code in the app, adding malicious capabilities and replacing the original program with a fake one on user\u2019s device.
\nNo rooting detection techniques.<\/b>\u00a0Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
\nLack of protection against overlaying techniques.<\/b>\u00a0This allows malicious apps to show phishing windows on top of original apps\u2019 windows, tricking users into entering login credentials in windows that send the info to criminals.
\nStorage of logins and passwords in plain text.<\/b>\u00a0Using this weakness, a criminal can steal users\u2019 data relatively easily.<\/p>\n

Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, even steal the vehicle.<\/p>\n

The researchers disclosed their findings to the developers (they did not disclose names of the apps publicly) and also told them that no exploitations had been seen in the wild. A full, detailed report on this can be\u00a0found over on Securelist<\/a>, where each of the apps is evaluated.<\/p>\n

It\u2019s easy to bury your head in the sand, thinking you won\u2019t be hacked or that this is the stuff of science fiction, but the truth is, ever since its invention, the automobile has been a target for criminals. And if there is a hack to make things easier, just imagine the possibilities.<\/p>\n

Another thing to keep in mind is that we\u2019ve already seen vulnerabilities allow smart white-hat hackers to make the jump from \u201cbenign vulnerability\u201d to controlling a car. Two of the bigger automotive stories of the past\u00a0two<\/a>\u00a0years<\/a>\u00a0were about how\u00a0Charlie Miller<\/a>\u00a0and\u00a0Chris Valasek<\/a>\u00a0took control of a Jeep via vulnerabilities.<\/p>\n

\n

#BlackHat<\/a> 2015: The full story of how that Jeep was hacked https:\/\/t.co\/y0d6k8UE4n<\/a> #bhUSA<\/a> pic.twitter.com\/SWulPz4Et7<\/a><\/p>\n

\u2014 Kaspersky (@kaspersky) August 7, 2015<\/a><\/p><\/blockquote>\n