Kaspersky Lab’s new research, which put the mobile apps for connected cars through mobile app security testing, showed that it’s possible to unlock and start cars from seven well-known car manufacturers.
These remote car control apps are developed by the manufacturers and give the owners of connected vehicles a way to track the location of the car, turn the alarm on and off, open the doors, and start the engine. In contrast to the cars themselves, these remote control apps had been through no mobile app security testing, and all seven contained a number of vulnerabilities that give hackers and criminals a way to cause significant damage. One of the apps had been downloaded over five million times from Google Play.
Issues from mobile app security testing
Kaspersky Lab’s mobile app security testing turned up the following issues:
- all seven apps were open to reverse engineering, giving attackers a way to map a number of potential security issues and gain access to server-side infrastructure or the car’s multimedia system
- no code integrity checks, giving hackers a way to insert their own code
- none of the apps had root detection
- no protection against app overlay, leaving the apps open to phishing malware
- logins and passwords stored in plain text, making it easy to steal the user’s data
Exploitation of these vulnerabilities would give a hacker a way to gain control over the car, unlock the doors, turn off the alarm, and steal the vehicle.
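As an added illustration of the last finding in the list (this is not code from the Kaspersky report or from any of the seven apps), here is the plaintext credential storage pattern on Android beside a hardened version that keeps the data encrypted under an Android Keystore key via the androidx.security EncryptedSharedPreferences library (assumed to be on the classpath as the security-crypto artifact); the class name, preference file names and keys are invented for the example.

```java
// Added example: insecure vs. hardened credential storage on Android.
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class CredentialStore {

    // WEAK: the login and password are written as cleartext XML under the app's
    // shared_prefs directory. MODE_PRIVATE only stops other apps on an unrooted
    // device; with no root detection in the app (another finding above), a rooted
    // device or a device backup exposes the file as-is.
    public static void saveInsecure(Context ctx, String login, String password) {
        SharedPreferences prefs =
                ctx.getSharedPreferences("car_login", Context.MODE_PRIVATE);
        prefs.edit().putString("login", login).putString("password", password).apply();
    }

    // HARDENED: keys and values are encrypted with an AES-256 key that lives in the
    // Android Keystore, so the on-disk file reveals nothing useful on its own.
    // Store a short-lived session token here rather than the password itself.
    public static void saveEncrypted(Context ctx, String login, String sessionToken)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx,
                "car_login_secure",
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("login", login).putString("token", sessionToken).apply();
    }

    // Reading back goes through the same encrypted store; a missing token
    // returns null so the caller can force a fresh login instead of failing open.
    public static String loadToken(Context ctx) throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx, "car_login_secure", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        return prefs.getString("token", null);
    }
}
```

Encrypting the store addresses only the plaintext finding; the overlay, root detection and code integrity findings still need their own mitigations.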
Malware threats
Kaspersky Lab noted that attackers using malware would be able to force a device root by getting car owners to install a malicious app. The owners are also at risk from social engineering techniques. The remote control car apps that went through mobile app security testing are failing to use best practice.
Kaspersky Lab also warned that the car industry needs to toughen its car apps, as they are not yet ready for a malware attack.
Tesla was also shown to be vulnerable to a number of these same issues in December.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, and to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.