Kaspersky has found that many connected car apps contain a number of security issues that can potentially allow criminals to cause significant damage to connected car owners.
Kaspersky Lab researchers have examined the security of applications for the remote control of cars from several famous car manufacturers. As a result, the company’s experts have discovered that all of the applications contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.
During the last few years, cars have started actively connecting to the Internet. Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online. With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices. On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyberattacks?
In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers which, according to Google Play statistics, have been downloaded tens of thousands of times and, in some cases, up to five million times. The research discovered that each of the examined apps contained several security issues.
The list of the security issues discovered includes:
· No defense against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
· No code integrity check. This is important because its absence enables criminals to incorporate their own code in the app and replace the original programme with a fake one.
· No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless.
· Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
· Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.
In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application. However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
· Don’t root your Android device as this will open almost unlimited capabilities to malicious apps
· Disable the ability to install applications from sources other than official app stores
· Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack
· Install a proven security solution in order to protect your device from cyberattacks.
Cars connect to traffic lights
New Jaguar Land Rover technology using Vehicle-to-Infrastructure (V2X) connects cars to traffic lights so drivers can avoid getting stuck at red and help free up traffic flow in cities.
The world’s first traffic lights were installed exactly 150 years ago outside the Houses of Parliament in London. Since then drivers around the globe have spent billions of hours waiting for green. With Jaguar Land Rover’s latest tech, however, their days could be numbered.
The Green Light Optimal Speed Advisory (GLOSA) system allows cars to “talk” to traffic lights and informs the driver of the speed they should drive at as they approach junctions or signals.
Widespread adoption of the V2X technology will prevent drivers from racing to beat the lights and improve air quality by reducing harsh acceleration or braking near lights. The goal is for the V2X revolution to create free-flowing cities with fewer delays and less commuter stress.
The connected technology is currently being trialed on a Jaguar F-PACE, as part of a £20 million (R371 million) collaborative research project.
Like all Jaguar or Land Rover vehicles today, the F-PACE already boasts a wide range of sophisticated Advanced Driver Assistance (ADAS) features. The connected technology trials are enhancing existing ADAS features by increasing the line of sight of a vehicle when it is connected via the internet to other vehicles and infrastructure. GLOSA is being tested alongside a host of other measures to slash the time commuters spend in traffic.
For example, Intersection Collision Warning (ICW) alerts drivers when it is unsafe to proceed at a junction. ICW informs drivers if other cars are approaching from another road and can suggest the order in which cars should proceed at a junction.
Jaguar Land Rover has also addressed time lost to searching for a parking space by providing drivers with real-time information on available spaces, and has developed an Emergency Vehicle Warning to alert motorists when a fire engine, police car or ambulance is approaching. The advanced technology builds on the connected systems already available on the Jaguar F-PACE such as Adaptive Cruise Control.
Oriol Quintana-Morales, Jaguar Land Rover Connected Technology Research Engineer, said: “This cutting-edge technology will radically reduce the time we waste at traffic lights. It has the potential to revolutionise driving by creating safe, free-flowing cities that take the stress out of commuting. Our research is motivated by the chance to make future journeys as comfortable and stress-free as possible for all our customers.”
The trials are part of the £20 million government-funded project, UK Autodrive, which has helped accelerate the development of Jaguar Land Rover’s future self-driving and connected technology, as well as strengthening the Midlands’ position as a hub of mobility innovation. Britain’s biggest car maker, headquartered in Coventry, is working on connected technology as part of its pledge to deliver zero accidents, zero congestion and zero emissions.
Connected technology will link the vehicle to everything around it, allowing seamless, free-flowing traffic that will pave the way for delivering self-driving vehicles.
Roborace reveals new vehicle
At the WebSummit conference in Lisbon, Portugal, Roborace has given its fans a first look at the new competition vehicle for Season Alpha.
DevBot 2.0 utilizes sensors similar to those in Robocar and is also fully electric, but has the addition of a cockpit for a human driver.
Season Alpha will see teams comprising both a human driver and an AI driver. Lap times from the duo will be compared with those of other human + machine teams to determine a winner.
DevBot 2.0 will be launched in the new year but Roborace CEO Lucas Di Grassi has shared some first glimpses of what 2019 holds for the series in an interview on stage at WebSummit.
Season Alpha will see teams compete starting in Spring 2019 using the DevBot 2.0 vehicles to develop their automated driving systems, with professional drivers teaching the AI how to improve, as well as learning from the AI how to better their own performance.