Connected Vehicle Applications: Android to the Un-Rescue
A new or newer car is a significant investment for most people. As a rule of thumb, most people don’t have the ability to write a check for one of these vehicles. One of the selling points used to entice new buyers has been the vehicles’ connected features. As is well known, these features rely on a smartphone application that connects the smartphone to the vehicle and turns the smartphone into a remote control for it. The owner is also able to interact with the internet through the head unit (HU) of the vehicle. All of this connectivity enables several functions: the user is able to start the car in January from their office, lock/unlock the vehicle doors from virtually anywhere, access music, and use a number of other functions that benefit the user. This appears to be a great feature. There are, however, issues to be resolved.
Security has tended to be overlooked in this area. Smartphone and vehicle applications have tended to be under-researched and under-studied. This is, and continues to be, evidenced by this connection and its attack points historically being an issue and having been compromised at relatively many of the manufacturers. Kaspersky Labs elected to test seven of these applications, which are native to the Android platform and engineered to interact with the vehicles. These are Android applications, but they are coded by the car manufacturers and third-party dev op teams.
The sample consisted of seven applications. The experiment examined whether the application could be reverse engineered, whether the GUI was adequately secured, whether the application performed an integrity check, and whether encryption was applied to the username and password. The research indicated that the application code was not obfuscated, the username and password were not encrypted, there were no application integrity checks, and there were other insecure features. These applications did not incorporate even basic security features. The applications and manufacturers were not named, as the researchers did not want them to be targeted by attackers. The experiment also indicated the systems were open to credential theft.
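One way a development team could check its own build for the unencrypted-credential finding is sketched below. This is an added example, not code from the researchers or from any of the tested applications. It assumes the app keeps its settings in an Android SharedPreferences XML file; the key-name pattern, the ciphertext heuristic and the sample file are all constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Key names that suggest a stored credential (assumed naming, adjust per app).
SENSITIVE_KEY = re.compile(r"user|login|e-?mail|pass|pwd|pin|token|secret", re.I)

def looks_encrypted(value: str) -> bool:
    """Heuristic: base64 that decodes to >= 16 bytes of mostly non-text data."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 16:
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) < 0.9

def audit_prefs(xml_text: str) -> list[tuple[str, str]]:
    """Return (key, reason) for each credential-like entry stored in the clear."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        key, value = node.get("name", ""), (node.text or "")
        if SENSITIVE_KEY.search(key) and value and not looks_encrypted(value):
            findings.append((key, "credential-like value stored as plaintext"))
    return findings

# Constructed sample: not taken from any real application.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_login">driver@example.com</string>
    <string name="user_password">Winter2017!</string>
    <string name="session_token">q83vEjRWeJCrze8BI0VniavN7/7cuph2VDIQ/ty6mHY=</string>
    <string name="theme">dark</string>
    <boolean name="remember_me" value="true" />
</map>"""

if __name__ == "__main__":
    for key, reason in audit_prefs(SAMPLE_PREFS):
        print(f"{key}: {reason}")
```

A finding here means the value should move behind platform-backed key storage or not be persisted at all; a clean result only means the heuristic saw nothing, not that storage is safe.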
The applications basically controlled access to the vehicle and its functions, acting as a gate. Unfortunately, the gate was not locked and the handle was easily lifted. A deviant or attacker would be able to gain access to the vehicle’s interior using these insecure features. From there, the attacker would be able to steal the vehicle. As noted, this is a rather blatant issue that has been problematic for years with many different manufacturers.
The owner has a great amount of respect for the vehicle. The owner and user do not want the vehicle to be vandalized or stolen. When the owner purchased the vehicle they bargained for, they were not expecting the connectivity and application to be insecure and open to a form of vandalism. This level of insecurity allows the vehicle to be attacked from many points. This could have been remediated with better planning or coding.
Greenberg, A. (2017, February 16). Android phone hacks could unlock millions of cars. Retrieved from https://www.wired.com/2017/02/hacked-android-phones-unlock-millions-cars/
Kuzin, M., & Chebyshev, V. (2017, February 16). Mobile apps and stealing a connected car. Retrieved from https://securelist.com/analysis/publications/77576/mobile-apps-and-stealing-a-connected-car
Zorz, Z. (2017, February 17). Insecure car-controlling Android apps are a boon for car thieves. Retrieved from https://www.helpnetsecurity.com/2017/02/17/insecure-car-controlling-android-aps/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.