Android applications that allow millions of car owners to remotely locate and unlock their vehicles are missing security features that could prevent tampering by hackers.
Researchers from antivirus vendor Kaspersky Lab took seven of the most popular Android apps that accompany connected cars from various manufacturers and analyzed them from the perspective of a compromised Android device. The apps and manufacturers have not been named.
The researchers looked at whether such apps use any of the available countermeasures that would make it hard for attackers to hijack them when the devices they’re installed on are infected with malware. Other types of applications, such as banking apps, have such protections.
The analysis revealed that none of the tested applications used code obfuscation to make it harder for attackers to reverse engineer them and none of them used code integrity checks to prevent malicious manipulation.
Two applications didn’t encrypt the login credentials stored locally and four encrypted only the password. None of the apps checked if the devices they’re running on are rooted, which could indicate that they’re insecure and possibly compromised.
Finally, none of the tested applications used overlay protections to prevent other apps from drawing over their screens. There are malware apps that display fake log-in screens on top of other apps in order to trick users to expose their log-in credentials.
While compromising connected car apps might not directly enable theft, it could make it easier for would-be thieves. Most such apps, or the credentials they store, can be used to remotely unlock the vehicle and disable its alarm system.
“Also, the risks should not be limited to mere car theft,” the Kaspersky researchers said in a blog post. “Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.”
While manufacturers are rushing to add smart features to cars that are meant to improve the experience for car owners, they tend to focus more on securing the back-end infrastructure and the communications channels. However, the Kaspersky researchers warn that client-side code, such as the accompanying mobile apps, should not be ignored as it’s the easiest target for attackers and most likely the most vulnerable spot.
“Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account,” the researchers said.