Slashdot Mirror


Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.

3 of 27 comments

  1. that's no barrier. by Anonymous Coward · Score: 3, Insightful

    require getting a car owner to install them on their device in order to succeed

    If the decades since the dawn of the personal computer era have taught anything whatsoever, it's that getting people to do absolutely anything at all with a computer is no barrier whatsoever. If presented with a dialog box that says, "by pushing OK we will burn down your house, shoot your dog, sell your sister into slavery, commit credit card fraud with your account, and force you to listen to Justin Bieber music 24/7", people will happily click it.

    Technology = brain disabled.

  2. This surprises exactly who? by Snotnose · Score: 4, Interesting

    For the last few years we've heard about car companies adding networking to their cars, without adding any kind of security. Do a 3 finger salute on your DVD player? Hello, you can turn off the brakes.

    I for one want to see car manufacturers 100% liable, plus damages, for software issues.

    Fuck em, they're cheaping out in the hopes of being first to market. I say, first to hacked, first to toast.

  3. Re:Android in the car? by Hognoxious · Score: 3, Funny

    I cannot for a moment imagine the hell that would ensue if Windows were the dominant OS on cars.

    1. For no reason whatsoever, your car would crash twice a day.

    2. Every time they repainted the lines in the road, you would have to buy a new car.

    3. Occasionally your car would die on the freeway for no reason. You would have to pull to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue.

    For some reason you would simply accept this.

    4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.

    5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive - but would run on only five percent of the roads.

    6. The oil, water temperature, and alternator warning lights would all be replaced by a single "This Car Has Performed An Illegal Operation" warning light.

    7. The airbag system would ask "Are you sure?" before deploying.

    8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.

    9. Every time a new car was introduced car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.

    10. You'd have to press the "Start" button to turn the engine off.

    http://www.hcs.harvard.edu/pnw...

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."