Kaspersky research finds third-party automotive apps bear significant privacy risks
Mobile applications for connected cars provide various features to make life easier for motorists, but they can also be a source of risk. Kaspersky experts have analyzed 69 popular third-party mobile applications designed to control connected cars and defined the main threats drivers may face while using them. They found out that more than half (58%) of these applications use the vehicle owners’ credentials without asking for their consent. On top of this, one in five of the applications have no contact information, which makes it impossible to report a problem. These and other findings are published in the new Kaspersky Connected Apps report.
Connected automotive applications provide a wide range of functions to make drivers’ lives easier. For example, they allow users to remotely control their vehicles by locking or unlocking the doors, adjusting climate control, starting and stopping the engine, etc. Even though most car manufacturers have their own legitimate applications for the cars they make, third-party apps designed by mobile developers are also very popular among users as they may offer unique features that have not yet been introduced by the vehicle manufacturer.
The third-party applications analyzed by Kaspersky cover almost all major vehicle brands, with Tesla, Nissan, Renault, Ford and Volkswagen in the top-5 cars most often controlled by such apps. However, these applications are not entirely safe to use, claim Kaspersky researchers.
The company’s experts examined 69 third-party applications designed for connected cars and identified key privacy risks drivers might face while using one of these. They found that more than half (58%) of the applications doesn’t warn about the risks of using owner’s account from the original automaker’s service.
Some developers advise using the authorization token instead of a username and password to look more credible. The tricky part here is that, if a token is compromised, malefactors can get access to the cars the same way they would by using victims’ credentials. This means that the risk of losing control over the vehicles is still high. Users should be aware that everything is at their own risk and using authorization tokens does not ensure total safety. Despite this, only 19% of developers mention this and warn the user without hiding it in several layers of fine print.
It is also worth noting that 46 of the 69 applications are either free of charge or offer a demo mode. This has contributed to such applications being downloaded from the Google Play Store more than 239,000 times, which makes you wonder how many people are giving strangers free access to their cars.
“The benefits of a connected world are countless. However, it is important to note that this is still a developing industry, which carries certain risks. When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology. Unfortunately, not all developers take a responsible approach when it comes to data storage and collection, which results in users exposing their personal information. This data may further be sold on the dark web and end up in untrustful hands. Moreover, cybercriminals might not only steal your data and personal credentials but also gain access to your vehicle – and that might lead to physical threats. For these reasons, we urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves,’ comments Sergey Zorin, Head of Kaspersky Transportation Security at Kaspersky.
To learn more about risks of using third-party applications for connected cars, visit Securelist.com.
For application developers, Kaspersky experts recommend the following advice:
Adopt solutions that secure the software development process through application control at runtime, scanning for vulnerabilities before deployment, routinely conducting security vetting of containers and anti-malware testing of production artifacts. With supply chain attacks through public repositories becoming more frequent as of late, the development process is in need of enhanced protection against outside interference
Kaspersky Hybrid Cloud Security meets developers’ needs. It secures Docker and Windows containers and provides a ‘security as code’ approach, with containerization host memory protection, tasks for containers, image scanning and scriptable interfaces. So, you can integrate security tasks into CI/CD pipelines without impacting the development process
Implement protection mechanisms into the application. Kaspersky Mobile SDK provides data protection for customers as well as malware detection, secure connectivity and more
Kaspersky experts recommend that users:
Only download apps from official stores like the Apple App Store, Google Play or Amazon Appstore. Apps from these markets are not 100% failsafe but they at least get checked by shop representatives and there is some filtration system in place, meaning that not every app can get into these stores
Check the permissions of the apps you use and think carefully before permitting a process, especially when it comes to high-risk permissions such as access to Accessibility Services. The only permission that a flashlight app, for example, needs is access to the flashlight functionality
Adopt a reliable security solution to help detect malicious apps and adware before they can start behaving badly on your device
Don’t forget to update your operating system and all software regularly. Many safety issues can be resolved by installing updated versions of software