Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
Re:Android in the car? (Score:4, Funny)
1. For no reason whatsoever, your car would crash twice a day.
2. Every time they repainted the lines in the road, you would have to buy a new car.
3. Occasionally your car would die on the freeway for no reason. You would have to pull to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue.
For some reason you would simply accept this.
4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.
5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive - but would run on only five percent of the roads.
6. The oil, water temperature, and alternator warning lights would all be replaced by a single "This Car Has Performed An Illegal Operation" warning light.
7. The airbag system would ask "Are you sure?" before deploying.
8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.
9. Every time a new car was introduced car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
10. You'd have to press the "Start" button to turn the engine off."
http://www.hcs.harvard.edu/pnw... [harvard.edu]
Re: (Score:2)
The new (model year 2016 and later) SYNC 3 is QNX and doesn't have the same issues.
that's no barrier. (Score:3, Insightful)
"require getting a car owner to install them on their device in order to succeed"
If the decades since the dawn of the personal computer era have taught anything whatsoever, it's that getting people to do absolutely anything at all with a computer is no barrier whatsoever. If presented with a dialog box that says, "by pushing OK we will burn down your house, shoot your dog, sell your sister into slavery, commit credit card fraud with your account, and force you to listen to Justin Bieber music 24/7", people will happily click it.
Technology = brain disabled.
Re: (Score:1)
I was okay until you got to the Beeb. Fuck that shit.
Re: (Score:2)
Hey! I like Nickelback. Not as much as Puddle of Mudd but pretty good.
This surprises exactly who? (Score:5, Interesting)
I for one want to see car manufacturers 100% liable, plus damages, for software issues.
Fuck em, they're cheaping out in the hopes of being first to market. I say, first to hacked, first to toast.
Discovery! (Score:2)
As a security expert (since anyone can make that claim), I have discovered that since code is written by people, and no one could possibly take the time and spend the money to absolutely secure any application written for any operating system (moving targets), that X (name your application) could possibly (if any number of random factors are taken into consideration) be compromised! Not that anyone has actually proven that any such hack has been accomplished.
How about give us some news when the exploits ac
All I want is a goddamned car. (Score:1)
An engine, four wheels, a cabin, a trunk, and air conditioning. That's it. Power windows and heated seats would be nice, but I can live without them.
No DVD players, no touch/voice/gesture controls, no satnav, no phone integration, no remote starting, and no other "Smart"-whatever or capability to interact with anything or anyone else not in physical contact with it.
Does such a thing even exist anymore?
Re: (Score:2)
About 4 grand US. (That's four not forty).
security through obscurity (Score:1)
"all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps."
Finding out the underlying working or source code of an application is not the actual security problem; provided of course that the program is audited, or, preferably, free software.
Look Not Under the Hood (Score:2)
Clitorises have hoods too but you won't find any vulnerable smartphone apps underneath. It is best to press down gently and fumble as if you're searching for a catch, and polish until it shines! Life is more rewarding if you need not be concerned about cloud security.
Yap... (Score:2)
Well, other news on this came out some time ago now, but it's well known that car manufacturers have no clue about security when it comes to their car systems.
It's a bit like IoT devices, only worse.
Thing is, these car manufacturers managed to develop and evolve systems for a long time with customers not questioning or taking security into consideration for the systems. The hacker and security community has been warning several manufacturers for the longest time, but they won't do anything because the vast maj