
Did you know? Since cars are now actively connected online, it’s also possible for criminals to hack into your vehicle. But how long does it take for them to do so? Kaspersky Lab presents its results, from examining the security of applications for car remote control to a couple of security issues faced in Malaysia.
According to Kaspersky Lab research, here is a list of the security issues discovered:
- No defense against application reverse engineering. As a result, hackers can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
- No code integrity check, which is important because its absence enables criminals to incorporate their own code in the app and replace the original program with a fake one.
- No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
- Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
- Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
So with this, it doesn’t take too long for the attacker to gain complete control of the car. However, this would require some additional preparation, such as luring the car owner into installing specially crafted malicious apps, and the attacker would need to be experienced in social engineering techniques to begin with. In other words, Kaspersky Lab thinks it is unlikely to be a problem, based on its research conclusion.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products.
Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
So there you have it, looks like car hacking isn’t even a thing right now. But they did prepare some tips for car manufacturers to prepare themselves for it in the near future. The tips are:
- Don’t root your Android device, as this will open almost unlimited capabilities to malicious apps.
- Disable the ability to install applications from sources other than official app stores.
- Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack.
- Install a proven security solution in order to protect your device from cyberattacks.
To learn more about the connected car threat, please read the blog post available at Securelist.com.




