Slashdot Mirror


Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.

27 comments

  1. DMCA! by Anonymous Coward · · Score: 0

    I want to stay there?

  2. Android in the car? by Anonymous Coward · · Score: 0

    I guess so if you like malware and exploits. Might as well run Windows then.

    1. Re:Android in the car? by kilodelta · · Score: 1

      I cannot for a moment imagine the hell that would ensue if Windows were the dominant OS on cars. I know on my PC I had to go through several layers of things to get it where I can use it. But then I'm not your average user so YMMV.

    2. Re:Android in the car? by Hognoxious · · Score: 3, Funny

      I cannot for a moment imagine the hell that would ensue if Windows were the dominant OS on cars.

      1. For no reason whatsoever, your car would crash twice a day.

      2. Every time they repainted the lines in the road, you would have to buy a new car.

      3. Occasionally your car would die on the freeway for no reason. You would have to pull to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue.

      For some reason you would simply accept this.

      4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.

      5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive - but would run on only five percent of the roads.

      6. The oil, water temperature, and alternator warning lights would all be replaced by a single "This Car Has Performed An Illegal Operation" warning light.

      7. The airbag system would ask "Are you sure?" before deploying.

      8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.

      9. Every time a new car was introduced car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.

      10. You'd have to press the "Start" button to turn the engine off."

      http://www.hcs.harvard.edu/pnw...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    3. Re:Android in the car? by dougdonovan · · Score: 1

      ok, these 2 guys need to buy better weed.

    4. Re:Android in the car? by Anonymous Coward · · Score: 0

      #11. At any time the Windows Update screen will suddenly appear on the windshield, completely blocking all ability to see through the windshield. You have died. Would you like to re-start now?

    5. Re:Android in the car? by Lehk228 · · Score: 1

      Windows Mobile is pretty common on shitty infotainment systems. The old Ford SYNC 1 and 2, and MyFord Touch were Windows-based; they were so bad that Ford is getting sued over it.

      The new (model year 2016 and later) SYNC 3 is QNX and doesn't have the same issues.

      --
      Snowden and Manning are heroes.

  3. that's no barrier. by Anonymous Coward · · Score: 3, Insightful

    require getting a car owner to install them on their device in order to succeed

    If the decades since the dawn of the personal computer era have taught anything whatsoever, it's that getting people to do absolutely anything at all with a computer is no barrier whatsoever. If presented with a dialog box that says, "by pushing OK we will burn down your house, shoot your dog, sell your sister into slavery, commit credit card fraud with your account, and force you to listen to Justin Bieber music 24/7", people will happily click it.

    Technology = brain disabled.

    1. Re:that's no barrier. by amiga3D · · Score: 0

      I was okay until you got to the Beeb. Fuck that shit.

    2. Re:that's no barrier. by Anonymous Coward · · Score: 0

      At least he didn't threaten to put you in the back of a cop car and make you listen to Nickelback :(

    3. Re:that's no barrier. by amiga3D · · Score: 1

      Hey! I like Nickelback. Not as much as Puddle of Mud but pretty good.

  4. Safety by Neuronwelder · · Score: 1

    I certainly hope that they have an emergency off button somewhere within the vehicle. If the car goes crazy, you are helpless.

  5. This surprises exactly who? by Snotnose · · Score: 4, Interesting

    For the last few years we've heard about car companies adding networking to their cars, without adding any kind of security. Do a 3 finger salute on your DVD player? Hello, you can turn off the brakes.

    I for one want to see car manufacturers 100% liable, plus damages, to software issues.

    Fuck em, they're cheaping out in the hopes of being first to market. I say, first to hacked, first to toast.

    1. Re:This surprises exactly who? by fluffernutter · · Score: 1

      Does "software issues" include AI?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

  6. What happened to Ruslan Stoyanov? by Anonymous Coward · · Score: 0

    What happened with Kaspersky Labs' Ruslan Stoyanov? The ex-Russian Interior officer arrested for receiving foreign payment with Sergei Mikhailov (FSB man) on charges of treason? As ever with Russia, these people just sort of fell off the agenda.

    These two are believed to be American spies, who ratted out Trump. They were arrested shortly after Trump got control of the CIA.

    Since then, Paul Manafort and Michael Flynn (and others) in the Trump team have been confirmed to have been in constant touch with Russian high level officials during the election.
    http://edition.cnn.com/2017/02/14/politics/donald-trump-aides-russians-campaign/

    And now we know why Manafort, claiming to represent the Trump campaign, went to Senate Republicans back in July last year and got them to change their policy of sending *lethal* weapons to Ukraine to defend against Russia to *NON* lethal weapons. So in effect Republicans were being lobbied by Putin in the guise of Trump's man Manafort:

    https://www.washingtonpost.com/opinions/global-opinions/trump-campaign-guts-gops-anti-russia-stance-on-ukraine/2016/07/18/98adb3b0-4cf3-11e6-a7d8-13d06b37f256_story.html?utm_term=.261a82213e96

    And now we know Manafort was one of the Trump team in constant touch with Russian high command.

    1. Re:What happened to Ruslan Stoyanov? by mmell · · Score: 1

      Careful - you seem to be discussing RealFacts instead of GoodFacts.

  7. making keys look better every day by Anonymous Coward · · Score: 0

    there may only be 500 or 1000 key codes, but that's better odds.

  8. Discovery! by Princeofcups · · Score: 1

    As a security expert (since anyone can make that claim), I have discovered that since code is written by people, and no one could possibly take the time and spend the money to absolutely secure any application written for any operating system (moving targets), that X (name your application) could possibly (if any number of random factors are taken into consideration) be compromised! Not that anyone has actually proven that any such hack has been accomplished.

    How about give us some news when the exploits actually exist.

    --
    The only thing worse than a Democrat is a Republican.

  9. All I want is a goddamned car. by Anonymous Coward · · Score: 1

    An engine, four wheels, a cabin, a trunk, and air conditioning. That's it. Power windows and heated seats would be nice, but I can live without them.

    No DVD players, no touch/voice/gesture controls, no satnav, no phone integration, no remote starting, and no other "Smart"-whatever or capability to interact with anything or anyone else not in physical contact with it.

    Does such a thing even exist anymore?

    1. Re:All I want is a goddamned car. by Anonymous Coward · · Score: 0

      It's been predicted... https://www.youtube.com/watch?v=yyy3hVIgJM8

    2. Re:All I want is a goddamned car. by RespekMyAthorati · · Score: 1

      Yes: http://nano.tatamotors.com/price-list-delhi.html.
      About 4 grand US. (That's four, not forty.)

  10. At least on Chevys by Anonymous Coward · · Score: 0

    When the remote start is engaged from the keyfob the doors lock, and you need the key in your pocket to get in. If the Android app uses the same method to do remote start the doors should lock. Thus requiring the key fob to get in. Note that remote start tends to time out at 10 mins and may only be extended once. So you would not get too far if the doors were unlocked.

  11. Reverse engineering? by Anonymous Coward · · Score: 0

    What has "reverse-engineering" to do with security? Is a product more secure when "reverse-engineering" or when not?

    C'mon, Slashdot. You once were held against higher standards. You can!

  12. security through obscurity by pD-brane · · Score: 1

    all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.

    Finding out the underlying working or source code of an application is not the actual security problem; provided of course that the program is audited, or, preferably, free software.

  13. Look Not Under the Hood by TheRealHocusLocus · · Score: 1

    Clitorises have hoods too but you won't find any vulnerable smartphone apps underneath. It is best to press down gently and fumble as if you're searching for a catch, and polish until it shines! Life is more rewarding if you need not be concerned about cloud security.

    --
    <blink>down the rabbit hole</blink>

  14. Who would have thought of that? by Anonymous Coward · · Score: 0

    Really? Apps are safe, always! Oh, these fake news again! Now they're gonna' tell us the Internet of Things is unsafe too!

  15. Yap... by XSportSeeker · · Score: 1

    Well, other news on this came out some time ago now, but it's well known that car manufacturers have no clue about security when it comes to their car systems.
    It's a bit like IoT devices, only worse.

    Thing is, these car manufacturers managed to develop and evolve systems for a long time with customers not questioning or taking security in consideration for the systems. The hacker and security community has been warning several manufacturers for the longest time, but they won't do anything because the vast majority of customers have no clue how insecure their cars are.

    And really, it'll only come up once some crime happens. A car that was hacked, ended up crashing and killing everyone inside. A bunch of cars stolen or that stopped working due to some malware.

    Can you imagine manufacturers who act like that putting out autonomous cars on the streets?