Car Apps Are Vulnerable To Hacks That Could Unlock Millions of Vehicles, WIRED

Android Phone Hacks Could Unlock Millions of Cars


In the era of the connected car, automakers and third-party developers compete to turn smartphones into vehicular remote controls, letting drivers locate, lock, and unlock their rides with a screen tap. Some apps even summon cars and trucks in Knight Rider style. But phones can be hacked. And when they are, those car-connected features can fall into the hands of hackers, too.

That's the troubling result of a test of nine different connected-car Android apps from seven companies. A pair of researchers from the Russian security firm Kaspersky found that most of the apps, several of which have been downloaded hundreds of thousands or over a million times, lacked even basic software defenses that drivers might expect to protect one of their most valuable possessions. By either rooting the target phone or tricking a user into installing malicious code, the researchers say, hackers could use any of the apps Kaspersky tested to locate a car, unlock it, and in some cases start its ignition.

Ignition Remix

For now, the researchers have declined to name any of the specific apps they tested for fear they'd provide tips to car thieves. But they argue their work should send a message to the car industry in general to take connected car security more seriously. “Why don’t connected car application developers care about security as much as the developers of banking applications?” asks Kaspersky researcher Viktor Chebyshev. “They’re also controlling very valuable things for the user, but they're not thinking about security mechanisms.”

The worst-case attack the researchers found would give a hacker access to the inside of a locked car; thieves would need other tricks to achieve a more serious outcome, like spoofing a key or otherwise disabling the car's immobilizer, which prevents cars from being stolen. They point out that Tesla's vehicles allow a car to be driven with only a smartphone app as an example of how compromising a phone could lead to more serious theft, though Tesla wasn't part of their research.

The analysis mostly sticks to the apps themselves—the researchers only attempted the attacks on one of the affected car models. And they say they haven't discovered any samples of Android malware in active use that pull off the tricks they describe. But they nonetheless argue that looking at the apps' code alone shows how car thieves could exploit their features, and they point to limited evidence from hacker forums that the black market has already taken an interest. Screenshots of postings in those forums show offers to buy and sell connected car app credentials including usernames and passwords, as well as PIN numbers and Vehicle Identification Numbers (VINs) for different makes and models of car. The going rate is hundreds of dollars per account. “Cybercriminals are preparing these attacks now,” Chebyshev says.

The Kaspersky researchers outline three mechanisms for exploiting the Android apps they tested. (iOS is generally considered far more difficult to hack.) All but one of the apps, for example, stored the associated username, password, or both in an unencrypted form in the phone's storage. By rooting the victim's phone—using an exploit that gains total privileges in the device's operating system—a hacker could access those stored login details and send them off to his or her command-and-control server. Alternatively, they suggest hackers could trick car owners into downloading altered versions of the connected car apps that include malicious code that siphons off their login details. Or thieves could infect phones with malware that performs an “overlay” attack: When the car app launches, the malware would detect it loading and preempt it with a fake interface that steals and transmits the user's credentials. A hacker could even load the malware with numerous overlays, so that it's ready to spoof any connected car app the victim launches. “If I were an attacker, I would overlay all the connected car apps and just steal all the apps’ credentials,” says Chebyshev.

Buckle Up

The researchers say they've reported the security issues they're highlighting to several of the affected car companies, and are still informing others. But they also note that the problems they're pointing out aren't security bugs so much as a lack of safeguards. Encrypting or hashing the credentials stored on the device, adding two-factor authentication or fingerprint authentication, or creating integrity checks that the apps would perform to see if they've been altered to include malicious code would all go a long way toward mitigating the problem.

It's not the first time that a lack of safeguards in connected car apps has come back to bite automakers—nor is the problem entirely confined to Android phones. Security researcher Samy Kamkar showed in 2015 that he could use a tiny piece of hardware hidden on a car to wirelessly intercept credentials from iOS apps like GM's OnStar, Chrysler's UConnect, Mercedes-Benz mbrace, and BMW's Remote. Kamkar's attack similarly allowed him to remotely locate those cars, unlock them, and in some cases start their ignitions. With that method, “there would be no warnings; your credentials would be stolen and reusable by the attacker without any phone modifications,” says Kamkar, contrasting his attack with the Android hacks suggested by Kaspersky. “But it’s nonetheless interesting to see that when a phone is compromised now, so many other areas of your life can be taken.”

As connected cars build up features, the Kaspersky researchers argue, the need to lock down the apps that control those features will only grow. “Maybe today we can open the car without triggering the alarm, but these functionalities are only the beginning,” says Kaspersky researcher Mikhail Kuzin. “Car manufacturers will add fresh features to make our lives more convenient. To prevent more attacks in the future, we need to think about this now.”
