Menu
Insecure Android apps put connected cars at risk

Insecure Android apps put connected cars at risk

The apps have no protection from malware running on mobile devices

Android applications that allow millions of car owners to remotely locate and unlock their vehicles are missing security features that could prevent tampering by hackers.

Researchers from antivirus vendor Kaspersky Lab took seven of the most popular Android apps that accompany connected cars from various manufacturers and analyzed them from the perspective of a compromised Android device. The apps and manufacturers have not been named.

The researchers looked at whether such apps use any of the available countermeasures that would make it hard for attackers to hijack them when the devices they're installed on are infected with malware. Other types of applications, such as banking apps, have such protections.

The analysis revealed that none of the tested applications used code obfuscation to make it harder for attackers to reverse engineer them and none of them used code integrity checks to prevent malicious manipulation.

Two applications didn't encrypt the login credentials stored locally and four encrypted only the password. None of the apps checked if the devices they're running on are rooted, which could indicate that they're insecure and possibly compromised.

Finally, none of the tested applications used overlay protections to prevent other apps from drawing over their screens. There are malware apps that display fake log-in screens on top of other apps in order to trick users to expose their log-in credentials.

While compromising connected car apps might not directly enable theft, it could make it easier for would-be thieves. Most such apps, or the credentials they store, can be used to remotely unlock the vehicle and disable its alarm system.

"Also, the risks should not be limited to mere car theft," the Kaspersky researchers said in a blog post. "Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death."

While manufacturers are rushing to add smart features to cars that are meant to improve the experience for car owners, they tend to focus more on securing the back-end infrastructure and the communications channels. However, the Kaspersky researchers warn that client-side code, such as the accompanying mobile apps, should not be ignored as it's the easiest target for attackers and most likely the most vulnerable spot.

"Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account," the researchers said.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments