Beeps, roots and leaves: Car-controlling Android apps create theft risk

Insecure car-controlling Android apps create a heightened car theft risk, security researchers at Kaspersky Lab warn. Boffins at the security software maker made the warning after putting Android apps from seven (unnamed) car makers through their paces, uncovering a raft of basic security flaws in the process. During recent …

  1. Yugguy

    Yet again the issue is CHOICE

    Like so much of the shiny of today, it is foisted upon us without an option to choose whether we want it or not.

    It's new so it must automatically be better, right?

    1. SVV

      Re: Yet again the issue is CHOICE

      Well, you do have the option to choose not to buy it. I'd take that option myself as this is a terribly unthought through idea. Unfortunately we will have to wait until the news starts reporting the bad consequences we can all foresee here when they start happening.

      "It's new so it must automatically be better, right?"

      Marketing will always tell you yes. All we can do is point out as technologists the well proven fact that just because you can, it doesn't mean you should.

      1. Mage Silver badge
        Unhappy

        Re: Yet again the issue is CHOICE

        "Well, you do have the option to choose not to buy it."

        Actually no, not if you want a decent new car or TV.

        Though at least with a TV you can avoid connecting it to the Internet, or set up cunning firewall rules if you do. You are lucky if you know what is embedded & connecting to a new car at all!

        1. Chemical Bob
          FAIL

          Re: Yet again the issue is CHOICE

          "Actually no, not if you want a decent new car or TV."

          No, the possibility of buying a decent new car or TV went out the window when manufacturers start building in this ill-conceived frippery.

      2. John Brown (no body) Silver badge

        Re: Yet again the issue is CHOICE

        "Well, you do have the option to choose not to buy it. "

        Have you tried buying a "dumb" TV recently? Choice is very limited and likely to be no choice at all eventually.

        Likewise a smartphone you can control instead of the manufacturer/service provider. It's possible, if you hunt high and low, or have the skill to modify it, but other than that you are stuck with factory installed apps and Google/Apple/MS knowing your every move.

        Of course, there's always the ultimate choice of doing without altogether.

      3. Gene Cash Silver badge

        Re: Yet again the issue is CHOICE

        you do have the option to choose not to buy it

        This means you've got to not only decide to buy a particular car, but then you've got to install the app and evaluate it, all under the usual stressful shitty conditions of buying a car. I don't see anyone who's not an IT expert succeeding in that.

        Then you have to hope the manufacturer doesn't update the app so it becomes a useless floating turd. I've seen that happen too.

  2. bazza Silver badge

    2001 Obligated Sketch

    "Open the pod bay doors, Hal"

    "Why certainly Dave, straight away, even though you sound only a little bit like Dave"

  3. Anonymous Coward
    Unhappy

    Nothing new I'm afraid.

    https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/

    https://www.theguardian.com/technology/2016/aug/12/cars-risk-keyless-entry-system-hacked-volkswagen

    http://www.standard.co.uk/news/london/insurers-will-not-cover-new-range-rovers-in-london-unless-you-have-secure-parking-9820186.html

    All for not wanting to put a key in a hole. Pathetic.

    1. F0rdPrefect

      Re: Nothing new I'm afraid.

      It used to be the key locks.

      My Mk1 Escort key would open all of the other Fords of the same era that I tested it on.

      And many Vauxhalls and BL cars.

  4. WonkoTheSane
    Coat

    Vanilla Android Auto FTW

    This is why I stopped using my car maker's Android app, and switched to vanilla Android Auto, which has NO control over the car.

    (Actually, it was because VW's app gave poor satnav info and kept dropping connection, even via USB, but there's a bandwagon to jump on here!)

    1. Anonymous Coward

      Re: Vanilla Android Auto FTW

      I'd rather it had bugger all. In 5 years' time, it will be a dog slow bug fest ridden heap o'crap

  5. Steve Evans

    Car (and IoT) manufacturers really need to be dragged into security training.

    Just because you could make a certain thing possible remotely, you need to stop and ask "should I?".

    Why would anyone want to unlock the doors via the internet connected app? It's pretty unlikely that feature will be used by genuine owners anywhere near as many times as it'll be used by someone keen to steal the contents of the boot.

    If you *really* must have keyless door opening, only support it over a short range communication such as bluetooth, or RFID.

    Next, starting the car remotely... Okay, to prewarm on a cold morning it's nice, but you don't need to disable the interior alarm, or unlock the doors, release the steering lock, or allow the hand/parking brake to be released and a gear engaged... If those happen kill the engine and set off the alarm. (Release of rattle snake from glove-box optional).

    And don't forget to give the owner of the car a method of deleting previously authorised users/devices without requiring a visit to a main dealer.

    1. Halfmad

      Incentivised

      We need the public to start demanding better from companies and we need governments who are more than willing to fine, massively for any failure by companies to keep infosec standards high in products they produce.

      We're not just talking about information here, this is vehicles that are a ton or more moving at high speed, I see a potential weapon - not just a info security risk.

    2. IsJustabloke
      Meh

      because....

      "Why would anyone want to unlock the doors via the internet connected app?"

      For the same reason, they blip the doors when they are still a good 30 or 40 yards away, or get out of their cars, close the doors but crucially don't blip them until they are walking away and can "fire" the blipper back over their shoulders....

      1. tiggity Silver badge

        Re: because....

        My car has a blipper - it sits gathering dust somewhere in the house.

        I manually unlock mine with the key.

        I know some people say blipper is useful for finding your car.

        If the time comes that I forget where I parked my car I know I have reached the inevitable age related crumbling mental state where driving is no longer a good travel option

        1. Charles 9

          Re: because....

          "If the time comes that I forget where I parked my car I know I have reached the inevitable age related crumbling mental state where driving is no longer a good travel option"

          Until you realize it's your ONLY option...

        2. F0rdPrefect
          Unhappy

          Re: because....

          "My car has a blipper - it sits gathering dust somewhere in the house.

          I manually unlock mine with the key."

          With many cars the blipper is the only thing that sets/disables the alarm, key in the door doesn't.

    3. Anonymous Coward

      Re: Why would anyone want to unlock the doors [remotely]

      "Why would anyone want to unlock the doors via the internet connected app?"

      Because I'm in an unfamiliar car park and can't remember where the car is, and if I remote-unlock the lights flash so I can see where the car is?

      Give me something that satisfies the "dude, where's my car" need, and I'll use it. Doesn't need to unlock the doors.

      1. Crazy Operations Guy

        Re: Why would anyone want to unlock the doors [remotely]

        Whenever I park my car in a large lot or garage, I take photos of the space, then either direction in the row, then at the end of the row, and so on. I do this whenever I need to park my car in the long-term garage at the airport. I've never failed to find my car afterwards.

        Before that, I'd use a notepad and a pen to write down the instruction to get from my car to the lift. Put the note into my wallet, then just followed the instructions backwards to find my car.

        These techniques work for the largest parking garage in the world (SeaTac Airport) as well as many other parking lots I've used in the last few years, so there is no reason it wouldn't work anywhere else. I was taught to do that by my father during a family trip to Disney World.

        Never once have I used an app to find my car (even after leaving it in a parking garage for 3 months).

        1. Anonymous Coward

          Re: Why would anyone want to unlock the doors [remotely]

          Don't need to do that. I have a child who has the uncanny ability to walk straight to the car regardless...

        2. Charles 9

          Re: Why would anyone want to unlock the doors [remotely]

          Then they change the signs and designations on you while you're away. Or you lose the note...or your wallet. Crap happens, and you may STILL need to find your car when you've lost all your clues on where it is.

        3. Anonymous Coward

          Re: Why would anyone want to unlock the doors [remotely]

          "there is no reason [taking photos, making notes] wouldn't work anywhere else"

          If it works for you, fine, but at many major UK car parks it'd probably get your collar felt (or worse), on some specious grounds of terrorism, theft, or similar. Particularly high risk at some of the 'high security' List X sites (Ministry of Defence and their suppliers etc) I used to visit for work, from time to time.

  6. tiggity Silver badge

    no car apps here

    I have a key to lock / unlock my car, what do I need an app for, beyond adding a big security hole?

    I wish they would stop going on about rooted phone as a bad thing.

    It's the only way on android to get a degree of control as need root to do any half decent security measures such as editing hosts file (nothing so useful as sudo on android to temporarily elevate privs to do such edits)

    1. Anonymous Coward

      Re: no car apps here

      "I have a key to lock / unlock my car, what do I need an app for, beyond adding a big security hole?"

      Tried using it on a frozen winter morning in the dark? That's assuming the lock isn't iced over...

      1. Adam 1

        Re: no car apps here

        > Tried using it on a frozen winter morning in the dark

        No. Temperatures around here seldom drop that low and my car is garaged. And the transponder on my keyring does a reasonable job of unlocking the doors even if there is ice over the lock. There's just no need to do it over the internet. It adds a whole bunch of security attack vectors. The only reason it's there is so they can add an extra bullet point on their feature comparison when you are picking your trim level.

        1. Anonymous Coward

          Re: no car apps here

          Where I live is a northern latitude and garages are a luxury. Icing over is distressingly common, and I've seen more fobs fail than work.

          1. Adam 1

            Re: no car apps here

            > I've seen more fobs fail than work.

            That I strongly doubt. Yes, fobs can run out of battery but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating them with gloves can be a challenge.

            But

            We have seen jeeps get remotely driven into ditches. We have seen Nissans have their climate control activated from another hemisphere (literally). And by now some of these cars are being sold to second and third owners who are blissfully unaware that the original owner's iPhone can still unlock it. And that's before the more novel attacks from fake charging points that sideload apps as demonstrated just this week that could quite easily grab those credentials and the GPS location where that phone is often kept.

            Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today.

            1. Charles 9

              Re: no car apps here

              "That I strongly doubt. Yes, fobs can run out of battery but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating them with gloves can be a challenge."

              I'm holding one for a Buick right now. Changed the battery twice and it STILL won't work, and I'm not paying $100 to get it replaced.

              "Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today."

              Way up north, driving in those kinds of conditions is considered de rigueur; you can't really call yourself a resident if you can't.

      2. tiggity Silver badge

        Re: no car apps here

        I have a little aerosol squirty thing that lets you spray de-icer into the lock, works fine and in my area of UK rarely get colder than -8C & in general only needs lock lube a dozen or so times each winter.

        1. Anonymous Coward

          Re: no car apps here

          Problem is, spray de-icer (which is usually alcohol) is not recommended for frequent use. Plus it may not be as useful in even colder climates. Like say North Dakota or Minnesota (deep interior, northern latitude, heavy snow and extreme cold are the norm in winter).

  7. creepy gecko
    FAIL

    I o T :-(

    The more I read about the Internet Of Things the worse it gets.

    Fuckwits, the lot of them.

    1. Anonymous Coward
      Joke

      Re: I o T :-(

      > The more I read about the Internet Of Things the worse it gets.

      Then would you mind stopping reading about it please?

      1. creepy gecko

        Re: I o T :-(

        Touché.

        Have an upvote.

    2. Anonymous Coward

      Re: I o T :-(

      Actually, I think the FWits are the ones that believe Kaspersky's desperate spin to justify their existence.

      All that Stagefright noise, and not a single infection in over 2 billion devices. They are looking pretty dumb right now. Ditto for any other security "expert".

  8. Crazy Operations Guy

    People wonder why I don't get a new car

    I have a mid-60's VW Beetle since I was a teenager learning to drive. Stuff like this only makes me want to keep it more and more. I paid $300 for it when I got it and probably dumped $3000 in parts into it over the 15+ years I've had it (most of that was getting a new interior installed). If someone steals it, whatever, I got my money's worth long ago.

    Yeah, it doesn't get as good gas mileage as a modern vehicle, but it's not bad either. And then, there is figuring in the energy and resources that would've been used building a new vehicle, and then the cost of disposing of the vehicle once it reaches end of life. So with that, it is probably greener in the grand scheme of things.

    The thing is painted bright orange (It was originally painted like the "General Lee" from the 'Dukes of Hazzard', painted it orange to get rid of the flag on the roof and to fix the heavily sun-burnt paint). Makes it so very easy to spot in a parking lot as well as easy to spot by the police if it ever gets stolen.

    1. Stuart 22

      Re: People wonder why I don't get a new car

      I agree with you. Except that from Oct 2019 I won't be able to use it in London without having to pay another £2000pa.

      I agree with the reason for that (the T charge) but finding a new or nearly new car that isn't an infotainment, body & mind replacement gizmo with four wheels attached is getting near impossible.

      Guess I'll be taking the bus.

  9. Oengus

    Those who fail to learn from history

    The automotive industry is still relatively new to both application management and security issues, comparatively speaking, and is certainly working hard to address issues as they arise.

    When will the automotive (and other IoT things) learn from previous experiences?

    In the past criminals used to target banks for armed robberies. As banks got smarter and improved their security the criminals moved on to easier targets (Service stations and Liquor stores) so these upped the ante.

    Cyber criminals initially targeted the banks because they were "soft". The banks learned and hardened their Apps. Now there are new, easier targets and the criminals will over time change their target. It is only a matter of time before the hackers attack "insecure" Apps on other platforms.

    I wonder how long before the first ransomware app to hold a car hostage appears...

  10. Anonymous Coward

    Insecurity squared!

    On the one hand, you have Android, which is a security hole masquerading as an operating system for the 90% or so of Android users who see one or two (if that) updates and then get abandoned by the OEM. On the other hand you have automakers, who know as much about writing secure software as they do about 17th century Russian history. Combine the two and they might as well just add a "hack me now" button that posts all the relevant info about your car to the dark web to save hackers five minutes.

  11. John Smith 19 Gold badge
    FAIL

    Yet another market that's discovering it's now in the computer business

    Pity. MISRA's standards for writing reliable C for embedded automotive applications, i.e. engine and gearbox management, were reckoned to be quite good.

    Of course the mfg's argument for this is that you no longer have to carry that heaaaaaaaaavy key with you, and you don't have to switch off your car alarm after you get in, saving you literally minutes a year.

    1. Anonymous Coward

      Re: Yet another market that's discovering it's now in the computer business

      "Of course the mfg's argument for this is that you no longer have to carry that heaaaaaaaaavy key with you, and you don't have to switch off your car alarm after you get in, saving you literally minutes a year."

      But what if the vehicle is used in situations where seconds count, such as emergency vehicles?

  12. annodomini2
    Coffee/keyboard

    Turd polishers to the rescue

    ... or not as usual, just so they can justify some ridiculous bonus for selling a feature no one sane actually wants.
