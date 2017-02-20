Kaspersky Lab researchers have warned that the benefits of having an internet-connected car are heavily outweighed by the current security risks they introduce due to car manufacturers looking to get products to market in the quickest time possible rather than ensuring the products are safe.

The security firm notes that it is not only referring to “multimedia systems”, but also to “car key systems” and to apps which can show the “GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices.”

The firm said: “On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?”

In its quest to answer this question, Kaspersky Lab analysed seven of the most popular car-controlling apps from various manufacturers readily available on app stores and downloaded millions of times collectively.

The researchers said they tested the apps for availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app.

They tested whether each app employed measures to complicate reverse engineering. They explained: “If not, then it won't be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car's infrastructure.”

They also checked whether the app detects root permissions on the device (including whether it subsequently refuses to install or run when those permissions are enabled), and whether the developers had the app save user credentials on the device as plain text.

They examined whether the app verifies that it is its own GUI that is displayed to the user (overlay protection). Android allows an app to monitor which app is currently displayed to the user, and malware can intercept this event by showing a phishing window with a GUI identical to the real app's and steal, for instance, the user's credentials.

Finally they checked for the presence of an integrity check in the app, i.e., whether it verifies its own code for modifications. They noted that “this affects the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.”

The researchers claimed, “Unfortunately, all of the apps turned out to be vulnerable to attacks in one way or another,” adding, “None of the reviewed apps have defence mechanisms.”

Several of the apps reviewed stored login credentials in a plain-text XML file along with data as sensitive as VIN numbers; others wrote log files containing user information, and some even used the phone number for authorisation.
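The two findings above (plain-text credentials in an XML preferences file, and user data written to logs) are the kind of thing an app reviewer can check mechanically once the app's data directory has been pulled from a test device. The following Python script is an added illustration written for this article; it is not Kaspersky's tooling and not code from any of the apps. The SharedPreferences XML and the log lines it audits are constructed samples, and the key-name hints and value patterns are heuristics chosen here, not a standard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android SharedPreferences file (app data directory,
# shared_prefs/*.xml). Every value is made up for this example; none of it
# comes from a real car-controlling app.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">driver@example.com</string>
    <string name="password">hunter2</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.e30.placeholder</string>
    <string name="vin">1HGCM82633A004352</string>
    <string name="msisdn">+447700900123</string>
    <boolean name="push_enabled" value="true" />
    <string name="theme">dark</string>
</map>
"""

# Constructed logcat-style lines, as an app might write them to its own log file.
SAMPLE_LOG_LINES = [
    "D/CarApp: login ok for driver@example.com vin=1HGCM82633A004352",
    "D/CarApp: door unlock command queued",
]

# Key names that usually hold secrets (case-insensitive substring match;
# a heuristic chosen for this example, so expect some false positives).
CREDENTIAL_KEY_HINTS = ("pass", "pwd", "secret", "token", "auth", "credential", "pin")

# Value shapes worth flagging even when the key name looks innocent.
VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")   # 17 chars; letters I, O, Q are never used
PHONE_RE = re.compile(r"^\+?\d{10,15}$")           # E.164-style subscriber number
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def iter_prefs(xml_text):
    """Yield (key, value) pairs from a SharedPreferences <map> document."""
    root = ET.fromstring(xml_text)
    for el in root:
        key = el.get("name")
        if key is None:
            continue
        # <string> keeps its value as element text; other types use a value attribute
        value = el.text if el.tag == "string" else el.get("value")
        yield key, (value or "").strip()


def audit_shared_prefs(xml_text):
    """Return a list of (key, reason) findings for sensitive data stored in plaintext."""
    findings = []
    for key, value in iter_prefs(xml_text):
        lowered = key.lower()
        if any(hint in lowered for hint in CREDENTIAL_KEY_HINTS):
            findings.append((key, "credential-like key stored in plaintext"))
        elif VIN_RE.fullmatch(value):
            findings.append((key, "value looks like a VIN"))
        elif PHONE_RE.match(value):
            findings.append((key, "value looks like a phone number"))
    return findings


def audit_log_lines(lines):
    """Return the indexes of log lines that leak an e-mail address or a VIN."""
    return [
        i for i, line in enumerate(lines)
        if EMAIL_RE.search(line) or VIN_RE.search(line)
    ]


if __name__ == "__main__":
    for key, reason in audit_shared_prefs(SAMPLE_PREFS_XML):
        print(f"prefs: {key}: {reason}")
    for i in audit_log_lines(SAMPLE_LOG_LINES):
        print(f"log line {i} leaks user data: {SAMPLE_LOG_LINES[i]}")
```

On the constructed sample the preferences audit flags `password`, `session_token`, `vin` and `msisdn` and leaves `username`, `push_enabled` and `theme` alone, and the log audit flags only the first line. The point of the value-shape checks is that a key named `vin` or `msisdn` carries no hint of being secret, so a reviewer who only greps for "password" would miss exactly the data the article says was exposed.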

The researchers said: “It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors.”

Despite the stark lack of security in the apps, the researchers highlighted that they had not witnessed a single attack on an app that controls cars, and that none of the thousands of malware samples they have detected contain code for downloading the configuration files of such apps.

The researchers concluded: “However, contemporary trojans are quite flexible: if one of these trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile trojans.”

