In the era of connected vehicles, automakers and third-party developers are competing to turn smartphones into remote controls, letting drivers use their phones to locate and lock or unlock their vehicles. Some applications can even recreate the scene from "Knight Rider": summoning a car or truck to your side. But along with convenience, smartphones bring the risk of being hacked; once the phone is compromised, every connected-car function controlled over the network falls into the attacker's hands. The results of a recent study show that this concern is well founded. A team of researchers from the Russian security company Kaspersky tested Android applications for nine connected cars, from seven companies. These applications have been downloaded hundreds of thousands of times, and some more than a million. Yet the researchers found that the applications did not provide even the most basic software protections, let alone help car owners protect one of their most important and valuable assets. By rooting the target device and tricking the user into installing malicious code, the researchers said, attackers could use all seven apps tested by Kaspersky to locate the vehicle, unlock the doors, and in some cases even start the ignition. To keep car thieves from using this information, the researchers are currently declining to name the tested applications. They believe the findings should nonetheless serve as a warning to the automotive industry, requiring automakers to treat security issues more carefully. Viktor Chebyshev, a security researcher at Kaspersky, said: Why do developers of connected-car applications pay more attention to security than developers of banking applications? They both help users control various valuable things, but they often don't think too much about security mechanisms.
The worst scenario the researchers found allowed hackers to get inside a locked vehicle; car thieves could go further by spoofing the key or disabling the vehicle's immobilizer. The researchers noted that although Tesla was not included in the test, its cars allow drivers to start driving via a smartphone app, which could lead to more serious damage if the phone were compromised. Although the researchers analysed multiple vulnerabilities in the applications in depth, only one of them, chosen at random, was actually exploited against an affected model during the test. The researchers also said that no Android malware has yet been found using the attack methods they described. Still, they believe car thieves could have learned to exploit these vulnerabilities and features simply by reading the apps' code, and they point to limited evidence from hacker forums that the attack has attracted interest on the black market. A screenshot of one forum post (below) shows connected-car credentials being traded: user names, passwords, PIN codes and vehicle identification numbers (VINs) for different markets and models, with each account selling for hundreds of dollars. Chebyshev said: Cybercriminals are now targeting these attacks. Kaspersky researchers outlined three techniques used in testing the Android apps. (iOS is generally considered harder to attack.) First, in all but one of the apps tested, the username or password was stored unencrypted on the phone, and some apps encrypted neither. By rooting the victim's phone (exploiting a vulnerability to gain full access to the device's operating system), an attacker could read the locally stored login information and send it to a command-and-control server.
Second, the researchers believe hackers could trick car owners into downloading and installing a modified version of a connected-car app containing malware, thereby obtaining their login details. Third, car thieves could infect a target device with malware that performs an overlay attack: once the vehicle app is opened, the malware automatically loads a fake interface over it, capturing and exfiltrating the user's credentials. Malware can even carry multiple overlays, deceiving the victim into believing that every connected-car app has connected normally. Chebyshev said: If I were an attacker, I would overlay all connected-car apps and just steal the credentials of all of them.
Fasten your seat belts
Kaspersky researchers said they have reported the security issues to several automakers and are still notifying others. But they also noted that what they found are not just security bugs but an absence of effective security protection. Encrypting or hashing the credentials stored on the device, adding two-factor authentication or fingerprint recognition, and adding integrity checks to ensure the application has not been modified by malicious programs would greatly improve the situation. This is not the first report on the lack of protection in connected-car applications, and the problem is not limited to Android. In 2015 security researcher Samy Kamkar demonstrated that a small piece of hardware hidden in a car could wirelessly intercept the credentials of iOS applications such as GM's OnStar, Chrysler's UConnect, Mercedes-Benz's mbrace and BMW's Remote. Kamkar's attack likewise allowed those vehicles to be remotely located, unlocked and, in some cases, started.
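Two of the mitigations listed above (an integrity check against a repackaged app, and keeping stored credentials out of plaintext) as an added Android example in Java; this is illustrative code, not from Kaspersky or any of the tested apps. It assumes the androidx.security:security-crypto library is available and that EXPECTED_SIGNER_SHA256 is filled in with the app's real release-certificate fingerprint.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.security.MessageDigest;

public final class AppHardening {
    // Placeholder: hex SHA-256 of the DER-encoded release signing certificate.
    static final String EXPECTED_SIGNER_SHA256 = "<release-cert-sha256-hex>";

    // True only if the running APK is signed by the expected release key.
    // A repackaged build is signed with the attacker's key, so it fails here.
    // The check can itself be patched out of a repackaged APK, so treat it as
    // one layer next to server-side attestation, not as the only defence.
    public static boolean signedByReleaseKey(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        byte[] cert;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES);
            cert = info.signingInfo.getApkContentsSigners()[0].toByteArray();
        } else {
            @SuppressWarnings("deprecation")
            PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            cert = info.signatures[0].toByteArray();
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        // Constant-time comparison so the check does not leak by timing.
        return MessageDigest.isEqual(hex.toString().getBytes(),
                EXPECTED_SIGNER_SHA256.getBytes());
    }

    // Keep a short-lived, server-issued session token instead of the password,
    // in preferences encrypted under a Keystore-backed master key. Malware on a
    // rooted phone that copies the preferences file gets ciphertext, and the
    // token can be revoked server-side, unlike a stolen password.
    public static void saveSessionToken(Context ctx, String token) throws Exception {
        MasterKey key = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(ctx, "session", key,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("token", token).apply();
    }
}
```

Call signedByReleaseKey() at startup and refuse to proceed to login when it returns false; the overlay attack described above is not addressed by either function and needs second-factor confirmation of sensitive actions on the server side.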
Comparing Kaspersky's attack methods with his own, Kamkar said: There is no warning: your credentials have been stolen or reused by hackers, and you will not receive any notification on your phone. But the interesting thing is that once your phone is hacked, other aspects of your life will be disrupted. As connected-car functions continue to grow, Kaspersky's researchers believe the applications that control them will increasingly need to be locked down. Kaspersky researcher Mikhail Kuzin said: "Maybe today we can open the car door without triggering the alarm, but these functions are just the beginning for connected cars. Car manufacturers will add all kinds of functions to make our lives more convenient. To deal with more such attacks in the future, we need to think carefully now."