Kaspersky Lab Discovers Security Flaws in Connected Cars

In order to examine the security of connected cars, Kaspersky Lab researchers tested seven remote car control applications developed by major car manufacturers. The research discovered that each of the examined apps contained several security vulnerabilities.

The findings come from a Kaspersky Lab research report that examines the security of remote control applications for connected cars from several well-known car manufacturers. The company's experts found that all of the applications contain a number of security issues that could allow criminals to cause significant damage to connected car owners.

According to the report, upon successful exploitation an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.

The list of the security issues discovered includes:

* No defense against application reverse engineering -- as a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car's multimedia system;

* No code integrity check. Without one, criminals can incorporate their own code in the app and replace the original program with a fake one;

* No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless;

* Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users' credentials;

* Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users' data relatively easily.

"The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers...
