Researchers discover security problems under the hood of automobile apps

In a presentation at this week’s RSA security conference in San Francisco, researchers from Kaspersky Labs revealed more bad news for the Internet of drivable things—connected cars. Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.

The security vulnerabilities of connected cars have been a hot topic at security conferences for the past few years—particularly after researchers Charlie Miller and Chris Valasek demonstrated that they could control many of the functions of a Jeep Grand Cherokee (including its brakes and steering) remotely through the vehicle’s built-in cellular data connection. There have also been repeated demonstrations of vulnerabilities in how the mobile applications from various connected vehicle services connect to vehicles, such as Sammy Kamkar’s demonstration of intercepting data from the mobile app for GM’s OnStar.

All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it’s possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app’s data and events—making it much easier for someone to create an “evil” version of the app to provide an avenue for attack.