Security researchers have discovered that it is easy for attackers to gain access to millions of cars, simply by hacking into car-controlling mobile apps and using them to unlock the vehicles.
Kaspersky Lab researchers Mikhail Kuzin and Victor Chebyshev decided to analyse nine different connected car Android apps – designed to let drivers easily locate cars and unlock them via smartphone – by top car manufacturers.
Each app has been downloaded between 10,000 to one million times from the Google Play app store. The researchers discovered that all nine mobile apps feature unencrypted usernames and passwords that are stored together with the car's unique Vehicle Identification Number (VIN) and in some cases, even the car's licence plate number in plaintext .xml files in the device, which is a dangerous mistake.
The apps don't check whether the user has root access to the device (meaning that the user is granted full privileges to the phone), and some of the apps can easily be decompiled to read the app's code or actively save debugging data to the phone's SD card.
Forget hotwiring, now you can steal someone's car through an app
Both the app and debugging code list the user's username and password as clear as day. This means that, if the device has been rooted by an attacker, or Android malware has been accidentally downloaded to the device, it would be easy for an attacker to steal these details, login to the app and unlock the user's car to steal it – in some cases even use the app to remotely start the car's engine.
Although storing login details in plaintext is clearly a rookie mistake, security researchers do point out that at least none of the car manufacturers have enabled users to unlock their automobiles using SMS text messages or voice control, and that all the apps have a white list of specified mobile numbers that are given permission to control the car.
However, even with a white list, it is possible for cybercriminals to either root the device or use a Trojan sneakily installed on the user's smartphone to gain access to login details. Once the attacker has this information, they can login on another device while standing next to the car, and at the same time, disable the speakers and screen on the victim's smartphone so that it doesn't notify the user that their car has been logged into by another device.
Since many of the apps even provide the ability to start the engines as well as opening the car doors, all the attacker would need to do is log into the app, disable the victim's phone and then jump into the car and drive off before the victim realises.
The automotive industry needs to wise up on cybersecurity fast
"The automotive industry is still relatively new to both application management and security issues, comparatively speaking, and is certainly working hard to address issues as they arise. While the banking industry may be better prepared to address security issues, the automotive industry continues to learn how to manage the many security challenges it faces as their connected vehicles continue to proliferate. It may take some time until the automotive industry reaches a level of security maturity that is as well developed as banks, but I have no doubt they will get there," Mike Ahmadi, Synopsys' global director of critical systems security told IBTimes UK.
Kaspersky are refusing to name any of the apps so as not to jeopardise the security of millions of cars, and all the manufacturers have been informed of the cybersecurity flaws, and it is assumed that they will update their apps to remove these serious security flaws. And fortunately, Kaspersky says it has not yet witnessed a single attack on an app that controls cars.
"When thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It's also worth it to pay attention to the client side, particularly to the app that is installed on user devices. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors," Kuzin and Chebyshev said in the blog post.
"At this point, it should be noted that we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps.
"However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans."