Kaspersky has found that many connected car apps contain security issues that could allow criminals to cause significant damage to connected car owners.
Kaspersky Lab researchers have examined the security of applications for the remote control of cars from several famous car manufacturers. As a result, the company’s experts have discovered that all of the applications contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.
During the last few years, cars have started actively connecting to the Internet. Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online. With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices. On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyberattacks?
In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers which, according to Google Play statistics, have been downloaded tens of thousands of times and, in some cases, up to five million times. The research discovered that each of the examined apps contained several security issues.
The list of the security issues discovered includes:
· No defense against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
· No code integrity check. Without one, criminals can incorporate their own code in the app and replace the original programme with a fake one.
· No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
· Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
· Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.
In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application. However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
· Don’t root your Android device, as this will open almost unlimited capabilities to malicious apps.
· Disable the ability to install applications from sources other than official app stores.
· Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack.
· Install a proven security solution in order to protect your device from cyberattacks.
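The plain-text credential storage finding listed above can be checked during an app review. The following is an added example, not code from Kaspersky Lab or any car manufacturer: it assumes the app keeps its settings in an Android SharedPreferences XML file (the page does not say where the credentials were stored), and the sample file, key names and patterns are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android SharedPreferences file (not from a real app).
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_login">owner@example.com</string>
    <string name="user_password">Summer2017!</string>
    <string name="user_password_enc">3q2+7wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhs=</string>
    <string name="last_vin">CONSTRUCTEDVIN0001</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Key names that suggest a stored login or password (assumed naming; extend per app).
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|pwd|login|user(name)?|pin", re.I)
# Heuristic: long base64 or hex strings are treated as opaque (possibly encrypted).
OPAQUE_VALUE = re.compile(r"^(?:[A-Za-z0-9+/]{24,}={0,2}|[0-9a-fA-F]{32,})$")


def find_plaintext_credentials(xml_bytes):
    """Return (key, value_length) for credential-like entries stored readably.

    The value itself is never returned, so findings can go into a report
    without copying the secret around.
    """
    findings = []
    root = ET.fromstring(xml_bytes)
    for node in root.iter("string"):
        key = node.get("name", "")
        value = (node.text or "").strip()
        if not value or not CREDENTIAL_KEY.search(key):
            continue
        if OPAQUE_VALUE.match(value):
            continue  # looks opaque; confirm by hand that it is really encrypted
        findings.append((key, len(value)))
    return findings


if __name__ == "__main__":
    for key, length in find_plaintext_credentials(SAMPLE_PREFS):
        print(f"plain-text credential candidate: {key} ({length} chars)")
```

A skipped entry is not proof of encryption, only a sign that the value is not directly readable; how the key material is protected still has to be reviewed separately.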
Project Bloodhound saved
The British project to break the world land-speed record at a site in the Northern Cape has been saved by a new backer, after it went into bankruptcy proceedings in October.
Two weeks ago, and two months after entering voluntary administration, the Bloodhound Programme Limited announced it was shutting down. This week it announced that its assets, including the Bloodhound Supersonic Car (SSC), had been acquired by an enthusiastic – and wealthy – supporter.
“We are absolutely delighted that on Monday 17th December, the business and assets were bought, allowing the Project to continue,” the team said in a statement.
“The acquisition was made by Yorkshire-based entrepreneur Ian Warhurst. Ian is a mechanical engineer by training, with a strong background in managing a highly successful business in the automotive engineering sector, so he will bring a lot of expertise to the Project.”
Warhurst and his family, says the team, have been enthusiastic Bloodhound supporters for many years, and this inspired his new involvement with the Project.
“I am delighted to have been able to safeguard the business and assets preventing the project breakup,” he said. “I know how important it is to inspire young people about science, technology, engineering and maths, and I want to ensure Bloodhound can continue doing that into the future.
“It’s clear how much this unique British project means to people and I have been overwhelmed by the messages of thanks I have received in the last few days.”
The record attempt was due to be made late next year at Hakskeen Pan in the Kalahari Desert, where retired pilot Andy Green planned to beat the 1228km/h land-speed record he set in the United States in 1997. The target is for Bloodhound to become the first car to reach 1000mph (1610km/h). A track 19km long and 500 metres wide has been prepared, with members of the local community hired to clear 16 000 tons of rock and stone to smooth the surface.
The team said in its announcement this week: “Although it has been a frustrating few months for Bloodhound, we are thrilled that Ian has saved Bloodhound SSC from closure for the country and the many supporters around the world who have been inspired by the Project. We now have a lot of planning to do for 2019 and beyond.”
Motor Racing meets Machine Learning
The futuristic car technology of tomorrow is being built today in both racing cars and toys, writes ARTHUR GOLDSTUCK
The car of tomorrow, most of us imagine, is being built by the great automobile manufacturers of the world. More and more, however, we are seeing information technology companies joining the race to power the autonomous vehicle future.
Last year, chip-maker Intel paid $15.3-billion to acquire Israeli company Mobileye, a leader in computer vision for autonomous driving technology. Google’s autonomous taxi division, Waymo, has been valued at $45-billion.
Now there’s a new name to add to the roster of technology giants driving the future.
Amazon Web Services, the world’s biggest cloud computing service and a subsidiary of Amazon.com, last month unveiled a scale model autonomous racing car for developers to build new artificial intelligence applications. Almost in the same breath, at its annual re:Invent conference in Las Vegas, it showcased the work being done with machine learning in Formula 1 racing.
AWS DeepRacer is a 1/18th scale fully autonomous race car, designed to incorporate the features and behaviour of a full-sized vehicle. It boasts all-wheel drive, monster truck tires, an HD video camera, and on-board computing power. In short, everything a kid would want of a self-driving toy car.
But then, it also adds everything a developer would need to make the car autonomous in ways that, for now, can only be imagined. It uses a new form of machine learning (ML), the technology that allows computer systems to improve their functions progressively as they receive feedback from their activities. ML is at the heart of artificial intelligence (AI), and will be core to autonomous, self-driving vehicles.
AWS has taken ML a step further, with an approach called reinforcement learning. This allows for quicker development of ML models and applications, and DeepRacer is designed to allow developers to experiment with and hone their skill in this area. It is built on top of another AWS platform, called Amazon SageMaker, which enables developers and data scientists to build, train, and deploy machine learning quickly and easily.
Along with DeepRacer, AWS also announced the DeepRacer League, the world’s first global autonomous racing league, open to anyone who orders the scale model from AWS.
As if to prove that DeepRacer is not just a quirky entry into the world of motor racing, AWS also showcased the work it is doing with the Formula One Group. Ross Brawn, Formula 1’s managing director of Motor Sports, joined AWS CEO Andy Jassy during the keynote address at the re:Invent conference, to demonstrate how motor racing meets machine learning.
“More than a million data points a second are transmitted between car and team during a Formula 1 race,” he said. “From this data, we can make predictions about what we expect to happen in a wheel-to-wheel situation, overtaking advantage, and pit stop advantage. ML can help us apply a proper analysis of a situation, and also bring it to fans.
“Formula 1 is a complete team contest. If you look at a video of tyre-changing in a pit stop – it takes 1.6 seconds to change four wheels and tyres – blink and you will miss it. Imagine the training that goes into it? It’s also a contest of innovative minds.”
Formula 1 racing has more than 500 million global fans and generated $1.8 billion in revenue in 2017. As a result, there are massive demands on performance, analysis and information.
During a race, up to 120 sensors on each car generate up to 3GB of data and 1 500 data points – every second. It is impossible to analyse this data on the fly without an ML platform like Amazon SageMaker. It has a further advantage: the data scientists are able to incorporate 65 years of historical race data to compare performance, make predictions, and provide insights into the teams’ and drivers’ split-second decisions and strategies.
This means Formula 1 can pinpoint how a driver is performing and whether or not drivers have pushed themselves over the limit.
“By leveraging Amazon SageMaker and AWS’s machine-learning services, we are able to deliver these powerful insights and predictions to fans in real time,” said Pete Samara, director of innovation and digital technology at Formula 1.