17 Apr 2017
In the past, we’ve told you that manufacturers won’t make safer IoT devices until consumers demand it. We’ve also told you that downloading apps without verifying them might not hurt you now, but is the first crack that will lead to a larger breach in the future. Unfortunately, those facts are now combining into a powerful one-two cybersecurity punch in the last place you need it: your car.
Given how important our cars are to us, it’s no surprise that smartphone apps that do everything from telling you where the nearest gas station is to running diagnostics on your car have popped up by the dozen. Tesla even has a feature that allows its cars to pull out of a parking spot and up to the driver without anyone in the car. As great as it is pretending you’re in Knight Rider, the abundance of auto apps has made the marketplace for them full of potholes that could stop you and your car in your tracks.
Recently, two Russian security experts from a firm called Kaspersky tested 9 different car-connected Android apps and found that the apps weren’t even close to being secure. For example, 8 out of 9 apps stored the username, password, or both used to access the app as unencrypted data on the phone. Since these apps connect to cars, all it would take for a hacker to do something like unlock a locked car without a key would be to access the login credentials through the phone and hack the app. Thanks to the abundance of auto apps, a hacker would simply need to create a fake app that was carrying malware. Once the app was downloaded, they could easily steal login credentials and access other parts of the phone.
The good news is that a flaw like this can be easily fixed; the bad news is that the people making the apps and the cars they connect to have no reason to do so until consumers demand it. Just like manufacturers of IoT devices, the people making the apps are not worrying about the security of their code because there haven’t been enough instances of cars being hacked through apps to worry consumers. Just because it hasn’t happened on a wide scale yet doesn’t mean we shouldn’t be preparing for hackers to target cars through apps, because hackers already are. Posts have been seen on online hacking forums that offer to pay hackers to breach certain auto apps and retrieve the VIN of the connected vehicle while also stealing the user’s login credentials.
Remember, though, that as of now popular auto apps are missing basic security features such as encryption and two-factor authentication. Most phones today even have a fingerprint scanner built in, so fixing these apps isn’t an impossible task. It’s up to you to make sure it happens, though. If you want to help secure the future of auto-connected apps, the first step is making sure you don’t support apps that don’t put user security first. This should be easy, considering that by doing so you’ll be protecting your own privacy. If it becomes common practice to only download auto-connected apps that have basic security features and to avoid unverified apps, then app makers will be forced to make those features standard if they want a chance at being downloaded.
As of now, the only thing standing between hackers and your car if you have an auto-connected app is a chain-link fence, and the hackers have plenty of wire cutters. If you want to put up a solid stone wall instead of a fence, take the time to research cybersecurity and make smart downloads.