back to article Beeps, roots and leaves: Car-controlling Android apps create theft risk

Insecure car-controlling Android apps create a heightened car theft risk, security researchers at Kaspersky Lab warn. Boffins at the security software maker made the warning after putting Android apps from seven (unnamed) car makers through their paces, uncovering a raft of basic security flaws in the process. During recent …

  1. Yugguy

    Yet again the issue is CHOICE

    Like so much of the shiny of today, it is foisted upon us without an option to choose wether we want it or not.

    It's new so it must automatically be better, right?

    1. SVV Silver badge

      Re: Yet again the issue is CHOICE

      Well, you do have the option to choose not to buy it. I'd take that option myself as this is a terribly unthought through idea. Unfortunately we will have to wait intil the news starts reporting the bad consequences we can all forsee here when they start hapening.

      "It's new so it must automatically be better, right?"

      Marketing will always tell you yes. All we can do is point out as technologists the well proven fact that just because you can, it doesn't mean you should.

      1. Mage Silver badge
        Unhappy

        Re: Yet again the issue is CHOICE

        "Well, you do have the option to choose not to buy it."

        Actually no, not if you want a decent new car or TV.

        Though at least with a TV you can avoid connecting it to the Internet, or set up cunning firewall rules if you do. You are lucky if you know what is embedded & connecting to a new car at all!

        1. Chemical Bob Bronze badge
          FAIL

          Re: Yet again the issue is CHOICE

          "Actually no, not if you want a decent new car or TV."

          No, the possibility of buying a decent new car or TV went out the window when manufacturers start building in this ill-conceived frippery.

      2. John Brown (no body) Silver badge

        Re: Yet again the issue is CHOICE

        "Well, you do have the option to choose not to buy it. "

        Have you tried buying a "dumb" TV recently? Choice is very limited and likely to be no choice at all eventually.

        Likewise a smartphone you can control instead of the manufacture/service provider. It's possible, if you hunt high and low, or have the skill to modify it, but other than that you are stuck with factory installed apps and Google/Apple/MS knowing your every move.

        Of course, there's always the ultimate choice of doing without altogether.

      3. Gene Cash Silver badge

        Re: Yet again the issue is CHOICE

        you do have the option to choose not to buy it

        This means you've got to not only decide to buy a particular car, but then you've got to install the app and evaluate it, all under the usual stressful shitty conditions of buying a car. I don't see anyone who's not an IT expert succeeding in that.

        Then you have to hope the manufacturer doesn't update the app so it becomes a useless floating turd. I've seen that happen too.

  2. bazza Silver badge

    2001 Obligated Sketch

    "Open the pod bay doors, Hal"

    "Why certainly Dave, straight away, even though you sound only a little bit like Dave"

  3. Anonymous Coward
    Unhappy

    Nothing new I'm afraid.

    https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/

    https://www.theguardian.com/technology/2016/aug/12/cars-risk-keyless-entry-system-hacked-volkswagen

    http://www.standard.co.uk/news/london/insurers-will-not-cover-new-range-rovers-in-london-unless-you-have-secure-parking-9820186.html

    All for not wanting to put a key in a hole. Pathetic.

    1. F0rdPrefect

      Re: Nothing new I'm afraid.

      It used to be the key locks.

      My Mk1 Escort key would open all of the other Fords of the same era that I tested it on.

      And many Vauxhalls and BL cars.

  4. WonkoTheSane
    Coat

    Vanilla Android Auto FTW

    This is why I stopped using my car maker's Android app, and switched to vanilla Android Auto, which has NO control over the car.

    (Actually, it was because VW's app gave poor satnav info and kept dropping connection, even via USB, but there's a bandwagon to jump on here!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Vanilla Android Auto FTW

      I'd rather it had bugger all, In 5 years time, it will be a dog slow bug fest ridding heap o'crap

  5. Steve Evans

    Car (and IoT) manufacturers really need to be dragged into security training.

    Just because you could make a certain thing possible remotely, you need to stop and ask "should I?".

    Why would anyone want to unlock the doors via the internet connected ap? It's pretty unlikely that feature will be used by genuine owners anywhere near as many times as it'll be used by someone keen to steal the contents of the boot.

    If you *really* must have keyless door opening, only support it over a short range communication such as bluetooth, or RFID.

    Next, starting the car remotely... Okay, to prewarm on a cold morning it's nice, but you don't need to disable the interior alarm, or unlock the doors, release the steering lock, or allow the hard/parking brake to be release and a gear engaged... If those happen kill the engine and set off the arm. (Release of rattle snake from glove-box optional).

    And don't forget to give the owner of the car a method of deleting previously authorised users/devices without requiring a visit to a main dealer.

    1. Halfmad

      Incentivised

      We need the public to start demanding better from companies and we need governments who are more than willing to fine, massively for any failure by companies to keep infosec standards high in products they produce.

      We're not just talking about information here, this is vehicles that are a ton or more moving at high speed, I see a potential weapon - not just a info security risk.

    2. IsJustabloke Silver badge
      Meh

      because....

      "Why would anyone want to unlock the doors via the internet connected app?"

      for thesame reason, they blip the doors when they are still a good 30 or 40 yards away, or get out of their cars, close the doors but crucially don't blip them untl they are walking away and can "fire" the blipper back over their shoulders....

      1. tiggity Silver badge

        Re: because....

        My car has a blipper - it sits gathering dust somewhere in the house.

        I manually unlock mine with the key.

        I know some people say blipper is useful for finding your car.

        If the time comes that I forget where I parked my car I know I have reached the inevitable age related crumbling mental state where driving is no longer a good travel option

        1. Charles 9 Silver badge

          Re: because....

          "If the time comes that I forget where I parked my car I know I have reached the inevitable age related crumbling mental state where driving is no longer a good travel option"

          Until you realize it's your ONLY option...

        2. F0rdPrefect
          Unhappy

          Re: because....

          "My car has a blipper - it sits gathering dust somewhere in the house.

          I manually unlock mine with the key."

          With many cars the blipper is the only thing that sets/disables the alarm, key in the door doesn't.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why would anyone want to unlock the doors [remotely]

      "Why would anyone want to unlock the doors via the internet connected ap?"

      Because I'm in an unfamiliar car park and can't remember where the car is, and if I remote-unlock the lights flash so I can see where the car is?

      Give me something that satisifies the "dude, where's my car" need, and I'll use it. Doesn't need to unlock the doors.

      1. Crazy Operations Guy

        Re: Why would anyone want to unlock the doors [remotely]

        Whenever I park my car in a large lot or garage, I take photos of the space, then either direction in the row, then at the end of the row, and so on. I do this whenever I need to park my car in the long-term garage at the airport. I've never failed to find my car afterwards.

        Before that, I'd use a notepad and a pen to write down the instruction to get from my car to the lift. Put the note into my wallet, then just followed the instructions backwards to find my car.

        These techniques work for the largest parking garage in the world (SeaTac Airport) as well as many other parking lots I've used in the last few years, so there is no reason it wouldn't work anywhere else. I was taught to do that by my father during a family trip to Disney world.

        Never once have I used an app to find my car (even after leaving it in a parking garage for 3 months).

        1. Anonymous Coward
          Anonymous Coward

          Re: Why would anyone want to unlock the doors [remotely]

          Don't need to do that. I have a child who has the uncanny ability to walk straight to the car regardless...

        2. Charles 9 Silver badge

          Re: Why would anyone want to unlock the doors [remotely]

          Then they change the signs and designations on you while you're away. Or you lose the note...or your wallet. Crap happens, and you may STILL need to find your car when you've lost all your clues on where it is.

        3. Anonymous Coward
          Anonymous Coward

          Re: Why would anyone want to unlock the doors [remotely]

          "there is no reason [taking photos, making notes] wouldn't work anywhere else"

          If it works for you, fine, but at many major UK car parks it'd probably get your collar felt (or worse), on some specious grounds of terrorism, theft, or similar. Particularly high risk at some of the 'high security' List X sites (Ministry of Defence and their suppliers etc) I used to visit for work, from time to time.

  6. tiggity Silver badge

    no car apps here

    I have a key to lock / unlock my car, what do I need an app for, beyond adding a big security hole?

    I wish they would stop going on about rooted phone as a bad thing.

    It's the only way on android to get a degree of control as need root to do any half decent security measures such as editing hosts file (nothing so useful as sudo on android to temporarily elevate privs to do such edits)

    1. Anonymous Coward
      Anonymous Coward

      Re: no car apps here

      "I have a key to lock / unlock my car, what do I need an app for, beyond adding a big security hole?"

      Tried using it on a frozen winter morning in the dark? That's assuming the lock isn't iced over...

      1. Adam 1 Silver badge

        Re: no car apps here

        > Tried using it on a frozen winter morning in the dark

        No. Temperatures around here seldom drop that low and my car is garaged. And the transponder on my keyring does a reasonable job of unlocking the doors even if there is ice over the lock. There's just no need to do it over the internet. It adds a whole bunch of security attack vectors. The only reason it's there is so they can add an extra bullet point on their feature comparison when you are picking your trim level.

        1. Anonymous Coward
          Anonymous Coward

          Re: no car apps here

          Where I live is a northern latitude and garages are a luxury. Icing over is distressingly common, and I've seen more fobs fail than work.

          1. Adam 1 Silver badge

            Re: no car apps here

            > I've seen more fobs fail than work.

            That I strongly doubt. Yes, fobs can run out of battery but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating then with gloves can be a challenge.

            But

            We have seen jeeps get remotely driven into ditches. We have seen Nissans have their climate control activated from another hemisphere (literally). And by now some of these cars are being sold to second and third owners who are blissfully unaware that the original owner's iPhone can still unlock it. And that's before the more novel attacks from fake charging points that sideload apps as demonstrated just this week that could quite easily grab those credentials and the GPS location where that phone is often kept.

            Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today.

            1. Charles 9 Silver badge

              Re: no car apps here

              "That I strongly doubt. Yes, fobs can run out of battery but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating then with gloves can be a challenge."

              I'm holding one for a Buick right now. Changed the battery twice and it STILL won't work, and I'm not paying $100 to get it replaced.

              "Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today."

              Way up north, driving in those kinds of conditions is considered de rigeur; you can't really call yourself a resident if you can't.

      2. tiggity Silver badge

        Re: no car apps here

        I have a little aerosol squirty thing that lets you spray de-icer into the lock, works fine and in my area of UK rarely get colder than -8C & in general only needs lock lube a dozen or so times each winter.

        1. Anonymous Coward
          Anonymous Coward

          Re: no car apps here

          Problem is, spray de-icer (which is usually alcohol) is not recommended for frequent use. Plus it may not be as useful in even colder climates. Like say North Dakota or Minnesota (deep interior, northern latitude, heavy snow and extreme cold are the norm in winter).

  7. creepy gecko
    FAIL

    I o T :-(

    The more I read about the Internet Of Things the worse it gets.

    Fuckwits, the lot of them.

    1. 2+2=5 Silver badge
      Joke

      Re: I o T :-(

      > The more I read about the Internet Of Things the worse it gets.

      Then would you mind stopping reading about it please?

      1. creepy gecko

        Re: I o T :-(

        Touché.

        Have an upvote.

    2. Anonymous Coward
      Anonymous Coward

      Re: I o T :-(

      Actually, I think the FWits are the ones that believe Kaspersky desperate spin to justify their existence.

      All that stragefright noise, and not a single infection in over 2billion devices. They are looking pretty dumb right now. Ditto for any other security "expert".

  8. Crazy Operations Guy

    People wonder why I don't get a new car

    I have a mid-60's VW Beetle since I was a teenager learning to drive. Stuff like this only makes me want to keep it more and more. I paid $300 for it when I got it and probably dumped $3000 in parts into over the 15+ years I've had it (most of that was getting a new interior installed). If someone steals it, whatever, I got my money's worth long ago.

    Yeah, it doesn't get as good gas mileage as a modern vehicle, but its not bad either. And then, there is figuring in the energy and resources that would've been used building a new vehicle, and then the cost of disposing of the vehicle once it reaches end of life. So with that, it is probably greener in the grand scheme of things.

    The thing is painted bright orange (It was originally painted like the "General Lee" from the 'Dukes of Hazard', painted it orange to get rid of the flag on the roof and to fix the heavily sun-burnt paint). Makes it so vary easy to spot in a parking lot as well as easy to spot by the police if it ever gets stolen.

    1. Stuart 22

      Re: People wonder why I don't get a new car

      I agree with you. Except that from Oct 2019 I won't be able to use it in London without having to pay another £2000pa.

      I agree with the reason for that (the T charge) but finding a new or nearly new car that isn't an infotainment, body & mind replacement gizmo with four wheels attached is getting near impossible.

      Guess I'll be taking the bus.

  9. Oengus Silver badge

    Those who fail to learn from history

    The automotive industry is still relatively new to both application management and security issues, comparatively speaking, and is certainly working hard to address issues as they arise.

    When will the automotive (and other IoT things) learn from previous experiences.

    In the past criminals used to target for armed robberies. As banks got smarter and improved their security the criminals moved on to easier targets (Service stations and Liquor stores) so these upped the ante.

    Cyber criminals initially targeted the banks because they were "soft". The banks learned and hardened their Apps. Now that there are new, easier, targets and the criminals will over time change their target. It is only a matter of time before the hackers attack "insecure" Apps on other platforms.

    I wonder how long before the first ransomware app to hold a car hostage appears...

  10. DougS Silver badge

    Insecurity squared!

    On the one hand, you have Android, which is a security hole masquerading as an operating system for the 90% or so of Android users who see one or two (if that) updates and then get abandoned by the OEM. On the other hand you have automakers, who know as much about writing secure software as they do about 17th century Russian history. Combine the two and they might as well just add a "hack me now" button that posts all the relevant info about your car to the dark web to save hackers five minutes.

  11. John Smith 19 Gold badge
    FAIL

    Yet another market that's discovering it's now in the computer business

    Pity. MISRA's standards for writing reliable C for embedded automotive applications IE engine and gearbox management, were reckoned to be quite good.

    Of course the mfg's argument for this is that you no longer have to carry that heaaaaaaaaavy key with you, and you don't have switch off your car alarm after you get in, saving you literally minutes a year.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yet another market that's discovering it's now in the computer business

      "Of course the mfg's argument for this is that you no longer have to carry that heaaaaaaaaavy key with you, and you don't have switch off your car alarm after you get in, saving you literally minutes a year."

      But what if the vehicle is used in situations where seconds count, such as emergency vehicles?

  12. annodomini2 Bronze badge
    Coffee/keyboard

    Turd polishers to the rescue

    ... or not as usual, just so they can justify some ridiculous bonus for selling a feature no one sane actually wants.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019