A connected car, or a car equipped with Internet access, has been gaining popularity for the last several years.
Not only multimedia systems are available, but also car key systems in literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices.
There is no doubt these are great features used by millions of people, but if a car thief were to gain access to the mobile device that belongs to a victim, it would be rather easy to drive away with a new purloined vehicle.
Along those lines, Mikhail Kuzinf and Victor Chebyshev from Kaspersky Lab reviewed how car owners can avoid possible predicaments related to this issue.
Car-controlling apps are very popular right now with most popular brands releasing apps between several tens of thousands and several million people.
For the Kaspersky experiments, the researches took several apps that control cars from various manufacturers. They did not disclose the app titles, but they did notify the manufacturers of findings.
Kaspersky reviewed the following aspects of each app:
• Availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app.
• Whether the developers of an app employed means to complicate reverse engineering of the app (obfuscation or packing). If not, then it won’t be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure.
• Whether the app checks for root permissions on the device (including subsequent canceled installations in case the permissions have been enabled). After all, if malware manages to infect a rooted device, then the malware will be capable of doing virtually anything. In this case, it is important to find out if developers programmed user credentials to be saved on the device as plain text.
• Whether there is verification it is the GUI of the app that ends up displayed to the user (overlay protection). Android allows for monitoring of which app is displayed to the user, and a malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials.
• Availability of an integrity check in the app, i.e., whether it verifies itself for changes within its code or not. This affects the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.
As it turns out, all of the apps turned out to be vulnerable to attacks in one way or another, the Kaspersky researchers said.
Theoretically, after stealing credentials, an attacker will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system, the Kaspersky researchers said. Thus, a thief can covertly and quickly perform all the actions in order to steal a car without breaking or drilling anything.
Also, the risks should not be limited to a mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.
None of the reviewed apps have defense mechanisms. Due credit should be given to the app developers though: It is a very good thing that not a single of the aforementioned cases uses voice or SMS channels to control a car. Nonetheless, these exact methods end up used by aftermarket alarm-system manufacturers. On the one hand, this fact does not come as a surprise, as the quality of the mobile Internet does not always allow cars to stay connected everywhere, while voice calls and SMS messages are always available, since they are basic functions, the Kaspersky researchers said. On the other hand, this creates supernumerary car security threats, which we will now review.
Voice control is handled with DTMF commands. The owner literally has to call up the car, and the alarm system responds to the incoming call with a pleasant female voice, reports the car status, and then switches to standby mode, where the system waits for commands from the owner, the Kaspersky researchers said. Then, it is enough to dial preset numbers on the keypad of the phone to command the car to unlock the doors and start the engine. The alarm system recognizes those codes and executes the proper command.
Developers of such systems have taken care of security by providing a whitelist for phone numbers that have permission to control the car, the Kaspersky researchers said. However, nobody imagined a situation where the phone of the owner suffers compromise. This means it is enough for a malefactor to infect the smartphone of a victim with an unsophisticated app that calls up the alarm system on behalf of the victim. If the speakers and screen are disabled at the same time, then it is possible to take full command of the car, unbeknownst to the victim.
Certainly though, not everything is as simple as it seems at first glance, the Kaspersky researchers said. For example, car enthusiasts save the alarm-system number under a made-up name, i.e. a successful attack necessitates frequent interaction of the victim with the car via calls. Only this way can a thief that has stolen the history of outgoing calls find the car number in the victim’s contacts.
The developers of another control method for the car alarm system certainly have read none of our articles on the security of Android devices, as the car is operated through SMS commands. The thing is, the first and most common mobile Trojans that Kaspersky Lab faced were SMS Trojans, or malware that contains code for sending SMS surreptitiously, which was done through common Trojan operation as well as by a remote command issued by malefactors.
As a result, the doors of a victim’s car can end up unlocked if malware developers perform the following three steps:
1. Go through all the SMS messages on the smartphone to look for car commands
2. If the needed SMS messages end up located, then extract the phone number and password from them in order to gain access
3. Send an SMS message to the discovered number that unlocks the car’s doors
All three steps can occur via a Trojan while its victim suspects nothing. The only thing that needs to be done, which malefactors are certainly capable of handling, is to infect the smartphone.
Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account.
The attitude of car manufacturers and developers is clear: they strive to fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. Yet, when thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It’s also worth it to pay attention to the client side, particularly to the app installed on user devices, the Kaspersky researchers said. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can end up targeted by malefactors.
At this point, it should be noted we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps, the Kaspersky researchers said. However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans.