20160224stockmwcfreewaycarstrafficbarcelona100647680orig
Security

Insecure Android apps put connected cars at risk

Android applications that allow millions of car owners to remotely locate and unlock their vehicles are missing security features that could prevent tampering by hackers.

Researchers from antivirus vendor Kaspersky Lab took seven of the most popular Android apps that accompany connected cars from various manufacturers and analyzed them from the perspective of a compromised Android device. The apps and manufacturers have not been named.

The researchers looked at whether such apps use any of the available countermeasures that would make it hard for attackers to hijack them when the devices they're installed on are infected with malware. Other types of applications, such as banking apps, have such protections.

The analysis revealed that none of the tested applications used code obfuscation to make it harder for attackers to reverse engineer them and none of them used code integrity checks to prevent malicious manipulation.

Two applications didn't encrypt the login credentials stored locally and four encrypted only the password. None of the apps checked if the devices they're running on are rooted, which could indicate that they're insecure and possibly compromised.

Finally, none of the tested applications used overlay protections to prevent other apps from drawing over their screens. There are malware apps that display fake log-in screens on top of other apps in order to trick users to expose their log-in credentials.

While compromising connected car apps might not directly enable theft, it could make it easier for would-be thieves. Most such apps, or the credentials they store, can be used to remotely unlock the vehicle and disable its alarm system.

"Also, the risks should not be limited to mere car theft," the Kaspersky researchers said in a blog post. "Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death."

While manufacturers are rushing to add smart features to cars that are meant to improve the experience for car owners, they tend to focus more on securing the back-end infrastructure and the communications channels. However, the Kaspersky researchers warn that client-side code, such as the accompanying mobile apps, should not be ignored as it's the easiest target for attackers and most likely the most vulnerable spot.

"Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account," the researchers said.

IDG Insider

PREVIOUS ARTICLE

« Google tweaks its Verify Apps security feature to show what's been scanned

NEXT ARTICLE

AMD bundles Ashes of the Singularity with FX processors ahead of Ryzen's launch »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech

Poll

Do you think your smartphone is making you a workaholic?