As we tumble headlong into the Era of the Connected Car, one thing engineers are struggling to address is the possibility that evildoers might hack our cars' burgeoning networks.
Unfortunately, a new report suggests that automakers have left open a fairly large back door for the bad guys--a back door that could, quite literally, allow hackers into cars.
The report comes from two researchers employed by Kaspersky, the well-known Russian security firm. They poked and prodded at nine different car-related Android apps and discovered that the apps lacked appropriate security firewalls to guard them from malicious hacking.
The researchers haven't publicly identified the apps in question for fear of letting hackers in on the secret. However, they have shared their findings with the app-makers, in the hope that they'll harden security protocols.
How would an attack work?
Hacking an auto app could take at least three different forms, though really, the possibilities are probably endless.
One version of such an attack could involve hackers infecting smartphones with malware--for example, via a bogus email attachment. Without too much effort, that malware could search for any number of auto apps, and if it finds one or more, it could then burrow into them and look for usernames and passwords, which many apps store in unencrypted format.
Another approach would involve hackers posting fake, infected versions of the nine Android apps for unsuspecting users to download. Once those apps are installed, they could ferret out login credentials for other apps on users' phones.
Or, hackers might post apps that have nothing to do with cars, but which car owners might be likely to install (e.g. gas-finding apps, travel apps, etc.). Those apps could then be triggered to launch any time one of the susceptible auto apps opens and forward login data.
The result of all three scenarios would ultimately be the same: hackers would amass app credentials for hundreds, possibly even thousands of vehicles. That data could then be sold on the dark web to interested parties, who could use it to break into vehicles. In some cars (looking at you, Tesla), hackers might even be able to start a car and drive off in it, using only an app on their smartphone.
Sound far-fetched? Unfortunately, the researchers have shared screencaps of black-market forums in which ne'er-do-wells express interest in obtaining such login info--and they're willing to pay for it.
How can you protect yourself?
At the moment, there's no easy fix for any of these issues, because the problems lie within the apps themselves. However, there are a few things you can do to minimize the possibility that you and your car are the target of hackers:
1. Stop using auto apps and delete them from your Android phone. This isn't an ideal solution for people who've come to depend on apps to keep track of fuel, maintenance needs, battery charge, and so on. However, if an app isn't around, the chance that a hacker can steal login credentials from it is seriously minimized.
2. Download all apps directly from Google Play. Android has a fairly loose app ecosystem, which is great for developers who want to publish new apps quickly on their own sites. However, it also presents an opportunity for hackers to create apps that can wreak havoc on handsets. If you download your apps directly from Google Play, there's less of a chance that they contain malicious code.
3. Switch to an iPhone. Apple runs a tight ship--a very tight, very proprietary ship. Critics say that Apple's need to control everything their products do stifles creativity among developers. However, in this case, Apple's strict controls are a saving grace.