Android applications that let millions of car owners remotely locate and unlock their vehicles lack basic security features and therefore do little to prevent tampering by hackers.
At this year’s RSA Conference in San Francisco, Kaspersky anti-malware researchers Victor Chebyshev and Mikhail Kuzin presented research they conducted on seven popular apps for vehicles. They raised a critical question: are we trading security for convenience?
The researchers also pointed out four basic flaws in the apps that could be exploited by attackers:
- No protection against application reverse engineering. As a result, malefactors can dig in and find vulnerabilities that give them access to server-side infrastructure or to the car’s multimedia system.
- No code integrity check. This allows criminals to incorporate their own code into the app, adding malicious capabilities and replacing the original program with a fake one on the user’s device.
- No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
- Lack of protection against overlaying techniques. This allows malicious apps to show phishing windows on top of the original apps’ windows, tricking users into entering login credentials in windows that send the information to criminals.
- Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, even steal the vehicle.
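Two of the flaws listed above, plaintext credential storage and the missing code integrity check, are straightforward to address on the app side. The following Java snippet is an added illustration, not code from the Kaspersky research or from any of the apps examined; it shows the weak storage pattern next to a hardened version built on androidx.security's EncryptedSharedPreferences, and a signing-certificate check that a repackaged build fails. The class and method names are assumptions for the example; the expected certificate hash would be compiled in at release.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.security.MessageDigest;

// Hypothetical helper class for the example; not from the apps studied.
public final class CarAppHardening {

    // Weak pattern described by the researchers: credentials land in plain text
    // under /data/data/<package>/shared_prefs/, readable by any process with root.
    static void storeCredentialsWeak(Context ctx, String user, String pass) {
        SharedPreferences prefs = ctx.getSharedPreferences("auth", Context.MODE_PRIVATE);
        prefs.edit().putString("user", user).putString("pass", pass).apply();
    }

    // Hardened: keys and values are encrypted under a master key held in the
    // Android Keystore, so a copied preferences file is useless on its own.
    static void storeCredentialsHardened(Context ctx, String user, String pass) throws Exception {
        String keyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                "auth", keyAlias, ctx,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("user", user).putString("pass", pass).apply();
    }

    // Integrity check (API 28+): compare the SHA-256 of the running APK's signing
    // certificate with the value compiled in at release. A repackaged app that was
    // re-signed by someone else does not match.
    static boolean signerMatches(Context ctx, String expectedSha256Hex) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
        for (Signature sig : info.signingInfo.getApkContentsSigners()) {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
            if (toHex(digest).equalsIgnoreCase(expectedSha256Hex)) return true;
        }
        return false;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Storing a short-lived, server-issued token instead of the password itself limits what is exposed even when storage is encrypted, and because any client-side check can be removed by someone who reverse engineers the app, the server should also verify the client (for example through Play Integrity attestation) rather than trust the signature check alone.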