Kaspersky has found that many connected car apps contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.
Kaspersky Lab researchers have examined the security of applications for the remote control of cars from several famous car manufacturers. As a result, the company’s experts have discovered that all of the applications contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.
During the last few years, cars have started actively connecting to the Internet. Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online. With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices. On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyberattacks?
In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers which, according to Google Play statistics, have been downloaded tens of thousands of times and, in some cases, up to five million times. The research discovered that each of the examined apps contained several security issues.
The list of the security issues discovered includes:
· No defense against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system
· No code integrity check. Without one, criminals can incorporate their own code in the app and replace the original programme with a fake one
· No rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless
· Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials
· Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.
Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.
In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application. However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
· Don’t root your Android device as this will open almost unlimited capabilities to malicious apps
· Disable the ability to install applications from sources other than official app stores
· Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack
· Install a proven security solution in order to protect your device from cyberattacks.
Why sports cars make us feel good
Forget romance, fine dining or an epic boxset binge – new preliminary research reveals that driving a sports car on a daily basis is among the best ways to boost your sense of wellbeing and emotional fulfilment.
The study measured “buzz moments” – peak thrills that play a vital role in our overall wellness – as volunteers cheered on their favourite football team, watched a gripping Game of Thrones episode, enjoyed a passionate kiss with a loved one or took an intense salsa dancing class. Only the occasional highs of riding a roller coaster ranked higher than the daily buzz of a commute in a sports car.
Working with neuroscientists and designers, Ford brought the research to life with the unique Ford Performance Buzz Car: a customised Ford Focus RS incorporating wearable and artificial intelligence technology to animate the driver’s emotions in real time across the car’s exterior.
Watch the video here https://youtu.be/AFpt6jziFsU
“A roller coaster may be good for a quick thrill, but it’s not great for getting you to work every day,” said Dr Harry Witchel, Discipline Leader in Physiology. “This study shows how driving a performance car does much more than get you from A to B – it could be a valuable part of your daily wellbeing routine.”
Study participants who sat behind the wheel of a Ford Focus RS, Focus ST or Mustang experienced an average of 2.1 high-intensity buzz moments during a typical commute; this compared with an average of 3 buzz moments while riding on a roller coaster, 1.7 while on a shopping trip, 1.5 each while watching a Game of Thrones episode or a football match, and none at all while salsa dancing, fine dining or sharing a passionate kiss.
For the research, Ford took one Focus RS and worked with Designworks to create the Buzz Car:
From concept, design and installation to software development and programming, the Buzz Car took 1,400 man-hours to create. Each “buzz moment” experienced by the driver – analysed using a real-time “emotional AI” system developed by leading empathic technology firm Sensum – produces a dazzling animation across almost 200,000 LED lights integrated into the car. The Buzz Car also features:
- High-performance Zotac VR GO gaming PC
- 110 x 500-lumen daylight-bright light strips
- 82 display panels with 188,416 individually addressable LEDs
Driver state research
Researchers at the Ford Research and Innovation Center in Aachen, Germany are already looking into how vehicles can better understand and respond to drivers’ emotions. As part of the EU-funded ADAS&ME project, Ford experts are investigating how in-car systems may one day be aware of our emotions – as well as levels of stress, distraction and fatigue – providing prompts and warnings, and could even take control of the car in emergency situations.
“We think driving should be an enjoyable, emotional experience,” said Dr Marcel Mathissen, research scientist at Ford of Europe. “The driver-state research Ford and its partners are undertaking is helping to lead us towards safer roads and – importantly – healthier driving.”
| Activity | Buzz Moments * |
|---|---|
| Game of Thrones | 1.5 |
* Average number of high-intensity buzz moments per participant
Car that sees round corners
Jaguar Land Rover is leading a £4.7 million (approximately R79 million) project to develop self-driving cars that can ‘see’ at blind junctions and through obstacles.
Britain’s biggest carmaker is leading a project called AutopleX to combine connected, automated and live mapping tech so more information is provided earlier to the self-driving car. This enables automated cars to communicate with all road users and obstacles where there is no direct view, effectively helping them see, so they can safely merge lanes and negotiate complex roundabouts autonomously.
Chris Holmes, Connected and Autonomous Vehicle Research Manager at Jaguar Land Rover said: “This project is crucial in order to bring self-driving cars to our customers in the near future. Together with our AutopleX partners, we will merge our connected and autonomous research to empower our self-driving vehicles to operate safely in the most challenging, real-world traffic situations. This project will ensure we deliver the most sophisticated and capable automated driving technology.”
Jaguar Land Rover is developing fully- and semi-automated vehicle technologies, offering customers a choice of an engaged or automated drive, while maintaining an enjoyable and safe driving experience. The company’s vision is to make the self-driving car viable in the widest range of real-life, on- and off-road driving environments and weather.
AutopleX will develop the technology through simulation and public road testing both on motorways and in urban environments in the West Midlands. Highways England, INRIX, Ricardo, Siemens, Transport for West Midlands and WMG at the University of Warwick join the AutopleX consortium, which was announced as part of Innovate UK’s third round of Connected and Autonomous Vehicle Funding in March 2018.