Page 25 - Cyber Defense eMagazine - September 2017
Connected Vehicle Apps - High Risks
by Charles Parker, II; Cybersecurity Lab Engineer
A new or newer car is a significant investment for most people. As a rule of thumb, most people
do not have the ability to write a check for one of these vehicles. One of the selling points used
to entice new buyers has been the connected features of the vehicles. Although this aspect is
well known, the feature relies on a smartphone application to connect the smartphone to the
vehicle. This application turns the smartphone into a remote control for the vehicle. The owner
is also able to interact with the internet through the head unit (HU) of the vehicle. All of this
connectivity enables several functions: the user is able to start the car in January from their
office, lock or unlock the vehicle doors from virtually anywhere, access music, and use a number
of other functions that benefit the user. This appears to be a great feature. There are,
however, issues to be resolved.
Issue
Security in this area has tended to be overlooked. The smartphone and vehicle applications
have tended to be under-researched and under-studied. This is, and continues to be, evidenced
by this connection and its attack points historically being an issue and being compromised at
relatively many of the manufacturers.
Kaspersky Labs elected to test seven of these applications, native to the Android platform and
engineered to interact with the vehicles. These are Android applications; however, they are
coded by the car manufacturers and third-party DevOps teams.
The sample consisted of seven applications. The points examined in this experiment were
whether the application could be reverse engineered, whether the GUI was adequately secured,
whether the application performed an integrity check, and whether encryption was applied to
the username and password.
The research indicated that the application code was not obfuscated, the username and password
were not encrypted, there were no application integrity checks, and other insecure features were
present. These applications did not incorporate even basic security features. The applications
and manufacturers were not named, as the researchers did not want them to be targeted by
attackers. This experiment also indicated the systems were open to credential theft.
Analysis
The applications basically controlled access to the vehicle and its functions, acting as a gate.
Unfortunately, the gate was not locked and the handle was easily lifted. A deviant or attacker
would be able to gain access to the vehicle’s interior using these insecure features. From there,
the attacker would be able to steal the vehicle. As noted, this is a rather blatant issue that has
been problematic for years with many different manufacturers.