By Charles Parker, II; Cybersecurity Lab Engineer
A new or newer car is a significant investment for most. As a rule of thumb, most people don't have the ability to write a check for one of these vehicles. One of the selling points used to entice new buyers has been the connected features of the vehicles. This aspect is well known: the feature uses a smartphone application to connect the smartphone to the vehicle, which turns the smartphone into a remote control for the vehicle. The owner is also able to interact with the internet through the head unit (HU) of the vehicle. With all of this connectivity, the user is able to start the car in January from their office, lock/unlock the vehicle doors from virtually anywhere, access music, and use a number of other functions that benefit the user. This appears to be a great function.
There are, however, issues to be resolved.
Security in this area has tended to be overlooked. Smartphone and vehicle applications have tended to be under-researched and under-studied. This is evidenced, and continues to be, by this connection and its attack points historically being an issue and being compromised for relatively many of the manufacturers.
Kaspersky Labs elected to test seven of these applications, native to the Android platform and engineered to interact with the vehicles. These are Android applications; however, they are coded by the car manufacturers and third-party DevOps teams.
The sample consisted of seven applications. The points examined in this experiment were whether the application could be reverse engineered, whether the GUI was adequately secured, whether the application had an integrity check, and whether encryption was applied to the username and password.
The research indicated the application code was not obfuscated, the username and password were not encrypted, there were no application integrity checks, and there were other insecure features. These applications did not incorporate even basic security features. The applications and manufacturers were not named, as the researchers did not want them to be targeted by attackers. This experiment also indicated the systems were open to credential theft.
The applications basically controlled access to the vehicle and its functions, acting as a gate. Unfortunately, the gate was not locked and the handle was easily lifted. A deviant or attacker would be able to gain access to the vehicle's interior using these insecure features. From here, the attacker would be able to steal the vehicle. As noted, this is a rather blatant issue that has been problematic for years with many different manufacturers.
The owner has a great amount of respect for the vehicle. The owner and user do not want the vehicle to be vandalized or stolen. When the owner purchased the vehicle they bargained for, they were not expecting the connectivity and application to be insecure and open to a form of vandalism. The level of insecurity allows the vehicle to be attacked from many points. This could have been remediated with better planning or coding.
Greenberg, A. (2017, February 16). Android phone hacks could unlock millions of cars. Retrieved from https://www.wired.com/2017/02/hacked-android-phones-unlock-millions-cars/
Kuzin, M., & Chebyshev, V. (2017, February 16). Mobile apps and stealing a connected car. Retrieved from https://securelist.com/analysis/publications/77576/mobile-apps-and-stealing-a-connected-car
Zorz, Z. (2017, February 17). Insecure car-controlling android apps are a boon for car thieves. Retrieved from https://www.helpnetsecurity.com/2017/02/17/insecure-car-controlling-android-aps/
About the Author
Charles Parker, II began coding in the 1980s. Presently CP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry.
CP is presently completing the Ph.D. (Information Assurance and Security) and is completing the dissertation. CP's interests include cryptography, SCADA, and securing communication channels.
He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at firstname.lastname@example.org and InfoSecPirate (Twitter).