
Researchers Discover Security Problems Under the Hood of Automobile Apps

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
  • that's no barrier. (Score:3, Insightful)

    by Anonymous Coward on Friday February 17, 2017 @10:03PM (#53890167)

    require getting a car owner to install them on their device in order to succeed

    If the decades since the dawn of the personal computer era have taught anything whatsoever, it's that getting people to do absolutely anything at all with a computer is no barrier whatsoever. If presented with a dialog box that says, "by pushing OK we will burn down your house, shoot your dog, sell your sister into slavery, commit credit card fraud with your account, and force you to listen to Justin Bieber music 24/7", people will happily click it.

    Technology = brain disabled.

  • I certainly hope that they have an emergency off button somewhere within the vehicle. If the car goes crazy, you are helpless.
  • by Snotnose ( 212196 ) on Friday February 17, 2017 @10:05PM (#53890179)
    For the last few years we've heard about car companies adding networking to their cars, without adding any kind of security. Do a 3 finger salute on your DVD player? Hello, you can turn off the brakes.

    I for one want to see car manufacturers 100% liable, plus damages, to software issues.

    Fuck em, they're cheaping out in the hopes of being first to market. I say, first to hacked, first to toast.
  • As a security expert (since anyone can make that claim), I have discovered that since code is written by people, and no one could possibly take the time and spend the money to absolutely secure any application written for any operating system (moving targets), that X (name your application) could possibly (if any number of random factors are taken into consideration) be compromised! Not that anyone has actually proven that any such hack has been accomplished.

    How about give us some news when the exploits ac

  • by Anonymous Coward

    An engine, four wheels, a cabin, a trunk, and air conditioning. That's it. Power windows and heated seats would be nice, but I can live without them.

    No DVD players, no touch/voice/gesture controls, no satnav, no phone integration, no remote starting, and no other "Smart"-whatever or capability to interact with anything or anyone else not in physical contact with it.

    Does such a thing even exist anymore?

  • all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.

    Finding out the underlying working or source code of an application is not the actual security problem; provided of course that the program is audited, or, preferably, free software.

  • Clitorises have hoods too but you won't find any vulnerable smartphone apps underneath. It is best to press down gently and fumble as if you're searching for a catch, and polish until it shines! Life is more rewarding if you need not be concerned about cloud security.

  • Well, other news on this came out sometime ago now, but it's well known that car manufacturers have no clue about security when it comes to their car systems.
    It's a bit like IoT devices, only worse.

    Thing is, these car manufacturers managed to develop and evolve systems for a long time with customers not questioning or taking security into consideration for the systems. The hacker and security community has been warning several manufacturers for the longest time, but they won't do anything because the vast maj
