More and more car manufacturers are launching mobile applications that let their customers interact with their vehicles and stay connected. Thanks to them, we can not only use information and navigation systems but also open and close the doors, start the engine, obtain the car's location coordinates, view its route and control a series of additional functions. But how secure are these apps? Are connected cars really protected? Kaspersky Lab has analyzed seven of these tools, which have millions of downloads on Google Play (some have more than 5 million), and concluded that they are full of risks.
The security company has encountered several problems. For example, the applications have no protection against reverse engineering, so cyber criminals could find vulnerabilities that give them access to the server infrastructure or the car's multimedia system. There is also no verification of code integrity, which hackers can exploit to insert their own code, add malicious functions and replace the original program with a fake one. Nor are there any rooting detection techniques, which leaves Trojans a lot of possibilities.
Likewise, Kaspersky has detected a lack of protection against overlay techniques and the storage of access data in plain text. The first allows malicious apps to display phishing windows and capture user credentials, while the second lets criminals steal user data easily.
However, despite all these risks, an attack would still require a further step: vehicle owners would first have to be lured into installing malicious applications, which would be downloaded to the device and then access the car app.
“The main conclusion of our study is that, in the current situation, applications for connected cars are still not prepared to withstand malware attacks. When we talk about security in a connected car, we should not only take into account the server infrastructure,” says Victor Chebyshev, a security expert at Kaspersky Lab.
“We expect car manufacturers to follow the same path that banks and financial institutions have followed in their applications. Initially, applications for online banking did not have all the security features included in our study. Now, after many attacks against banking applications, financial institutions have improved the safety of their products,” says Chebyshev.
The expert reveals that, fortunately, they have not yet detected any real case of attacks against automotive apps. However, they warn manufacturers not to rest on their laurels because “modern Trojans are very flexible.” It is only a matter of time before cyber criminals make connected cars their targets.