Kaspersky has found that many connected car apps contain a number of security issues that can potentially allow criminals to cause significant damage to connected car owners.
Kaspersky Lab researchers have examined the security of applications for the remote control of cars from several famous car manufacturers. As a result, the company’s experts have discovered that all of the applications contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.
During the last few years, cars have started actively connecting to the Internet. Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online. With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices. On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyberattacks?
In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers which, according to Google Play statistics, have been downloaded tens of thousands, and in some cases up to five million, times. The research discovered that each of the examined apps contained several security issues.
The list of the security issues discovered includes:
· No defense against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
· No code integrity check. This is important because its absence enables criminals to incorporate their own code in the app and replace the original programme with a fake one.
· No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
· Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
· Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.
In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application. However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
· Don’t root your Android device as this will open almost unlimited capabilities to malicious apps
· Disable the ability to install applications from sources other than official app stores
· Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack
· Install a proven security solution in order to protect your device from cyberattacks.
Mini embraces innovation
Mini has launched its 2018 models with customisable interior features and major technology upgrades, writes BRYAN TURNER.
Mini has never been known as a high-tech car, due to its small form factor being the differentiator. But now the well-known brand has received a long-awaited strategy overhaul, bringing with it a new technology focus. Even the Mini logo underwent a subtle redesign, opting to use negative space to show the gaps in the wings of the logo instead of a raised metal look. This forms part of the new “MINImalism” strategy.
Mini’s strategy for now and the foreseeable future is to increase automation in its cars.
Connected Drive, pioneered by BMW, allows for an intelligent connection between the car and smartphone. This enables one to check the fuel level, heat the interior and start the onboard navigation, all without having to be near the car, from a smartphone. When one is in the car, calendar events with location data can trigger the onboard navigation to calculate ETAs and time in traffic, offset on real-time data collected through the smartphone’s Internet connection.
We tested it with both the Mini Connected Drive and BMW Connected Drive apps, and both interfaced well with the car. Surprisingly, the BMW Connected Drive app seemed to interface slightly better with the Mini than the Mini Connected Drive app.
While the app is recommended, it’s not required, because the car integrates excellently with Bluetooth-enabled devices. iPhone users are in luck, because the entertainment system includes CarPlay, Apple’s simplified connected car interface software. This allows for music, maps and other CarPlay-enabled apps to be shown directly on the car’s touchscreen, as they do on the iPhone, save some text-sizing adjustments.
Pairing the iPhone is as easy as holding down a button on the steering wheel and tapping the car when it appears in the built-in CarPlay menu on the iPhone. No app download is required.
MINImalism runs through the car’s technology. The Mini’s 6.5-inch touch screen control panel shows an image of the car with layman’s terms of what the internal systems are doing, keeping to minimalist design patterns. The new Mini Coopers come standard with a Harman/Kardon 12-speaker setup, which features in the Mini Connected Drive.
The steering wheel is redesigned, now featuring more buttons to help keep one’s hands on the wheel. The left side of the wheel features cruise control buttons, while volume and call controls are located on the right side. This bears a strong resemblance to the BMW configuration, featuring similarly placed steering controls.
With all the Mini’s customisations, the company invites consumers to take it further with optional extras. Mini Yours Customised (yours-customised.mini) is a web platform where one can choose custom side scuttles, custom cockpit facia, customised LED door sills and even a customised door projection light. These parts are either 3D-printed or laser-cut, depending on the material, to the specification outlined on the web app.
As optional extras, one can opt for a wireless charger in the armrest compartment and secondary front USB port for both the driver and front passenger, to charge their phones simultaneously. A SIM card connecting to the 4G/LTE network can be fitted directly into the car, allowing for use of Mini Teleservices and Intelligent Emergency Calling, with automatic vehicle location reporting. The Mini Find Mate is an extra service that uses wireless tags to track items from the car’s onboard system or from the Mini Connected Drive app. This tag can be attached to frequently misplaced items or travel items, like backpacks, suitcases and briefcases.
Future Minis are expected to be electric by 2019 in Europe and are expected to arrive in South Africa in mid-2020. This seems realistic, considering that the BMW i3 forms part of the same group.
Overall, the Mini range has received a subtle yet effective cosmetic and technology overhaul, delivering loads of functionality in a minimalist package.
Why SA needs connected taxis
Traffic across South Africa continues to be a headache and digital acceleration may just be the answer in mitigating daily congestion, says CLAYTON NAIDOO, General Manager, Sub-Saharan Africa, Cisco.
Creating smart cities and digital workplaces means connecting infrastructure and digitizing transport systems, particularly in the taxi industry. Can you imagine what South Africa’s roads would look like in 10 years’ time, if taxis were connected?
According to Statistics SA’s 2013 Household Survey, taxi operators transport over 15 million commuters daily. Around 200,000 minibus taxis, across 2 600 taxi ranks, provide the main mode of transport for 50% of SA’s population earning less than R3 000 per month.
The impact of the taxi industry on the daily lives of South Africans is huge, research by Transaction Capital, a financial services provider in the taxi industry, revealed. An estimated 70% of people who attend educational institutions make use of taxis, 69% of all South African households use taxis in their transport mix, and a staggering 68% of all public transport trips to work are in taxis. Plus, minibus taxis reach remote places other forms of public transport don’t – the average South African lives within a 5-minute walk of a minibus taxi.
Sadly, the industry is still faced with challenges when it comes to road congestion, accidents and safety, and with drivers often forced by financial needs to work long hours. But a future where taxis can operate efficiently and profitably, while improving safety and providing a more convenient customer and employee experience, is possible. But it requires a digital business transformation.
Our cities need to start connecting infrastructure and piloting these digital experiences now. Globally, there will be 380 million connected vehicles on the roads by 2020, but that is only half the battle. The first step toward making the frictionless commute a reality is for local governments to begin investing in technology architectures and physical infrastructure to accelerate connected transportation systems and create workplace innovation.
On the strategic side, transportation officials can begin by identifying best practice. It is best to first pinpoint a problem that is unique to a city or region. For example, a city with notorious traffic congestion might want to start integrating smart sensors on roadways to alert drivers and connected vehicles in real-time of potential hazards, and possibly prevent accidents before they happen.
How would that look in practice? Let’s take the example of Sipho Ngwenya, a fictional character, from Zola in Soweto, one of the 600 000 people employed in the industry.
He gets up at 4am every day to get to the taxi rank where he parks his minibus overnight. Sipho hopes to be one of the first drivers there to ensure he fills his taxi with commuters, who travel to the northern suburbs of Johannesburg for work and school.
The earlier he starts transporting people, the better chance he has of generating the daily “rental fee” he pays his boss – the owner of the minibus. If Sipho is even 10 minutes late, the queue of people at the rank may have halved. If his taxi is the last one in the queue, it may not fill up, and he may need to drive around the block to find more commuters. The delay means longer hours for him, his conductor-cum-assistant (guardjie) will have to spend more time calculating and collecting fares, and it will increase his costs – he’ll spend more money on fuel.
Fast forward six months, to when the Joburg metro area would have implemented the Cisco Connected Mass Transit technology solution to connect the taxi industry. Sipho’s alarm goes off at 4am. He grabs his phone and logs onto the Cisco platform before he jumps out of bed: the weather is clear but there’s been an accident overnight on his route to the rank – he’ll have to take a detour. He checks once again just as he leaves home, and sees that he has time to grab breakfast on his way.
He is the first driver to arrive at the rank that morning – stress-free and ready to start. The rest of the minibuses are stuck behind the accident. He loads commuters and manages to get all of them to their destinations 10 minutes early, by checking the best routes. Payments are no longer collected in person – there is now an easy mobile payment option that customers love, especially the young ones. And Sipho no longer needs to search for commuters – they stop his minibus on the road because it is marked as a ‘connected minibus’. This is a smart workplace.
These digital solutions are real and available to the SA taxi world. There are some caveats, though: Cisco’s international experience shows that these solutions are best implemented alongside awareness campaigns for commuters and government incentives to drive adoption, as well as ensuring the regulatory environment is conducive. Luckily, technology itself isn’t too much of a problem: the solutions work with existing IT systems local governments have installed.
Imagine South Africa in a decade. Now imagine a South Africa where traffic congestion is a thing of the past.