Hey, Your Car Just Crashed Because Someone Hacked Your App!

The age of the car app is upon us. You can use the manufacturer’s app for your shiny new BMW, for example, to find your car in crowded parking lots, light the lights, honk the horn, and defrost it when temperatures are subzero, all remotely.

That’s the good news. The bad news is that apps mean security holes that can be exploited by bad actors, and they won’t just be flashing your headlights or sounding your car horn.

BMW isn’t the only carmaker offering handy app capability to its customers. Tesla, Ford, GM, and Toyota are also producing connected cars, with mobile apps or connected car APIs to let customers control different functions from a distance. Consequently, cybercriminals and miscreants now have two attack avenues open before them.

· The first is the fake app, downloaded for example from a lookalike site via a phishing campaign. The fake app looks like the real one, but contains malware or backdoor code to put attackers in the driving seat or let them steal private user data.

· The second is exploiting vulnerabilities in the application programming interfaces (APIs) to sneak in rogue commands and cause havoc with a car’s brakes, steering, or any other subsystem controllable remotely.

But aren’t all those so-safety-conscious carmakers aware of the problem? Kevin Mullenex, CEO of Mi3 Security, points out that in the Internet of Things to which these cars are connected, manufacturers have often been slow to differentiate between safety (it won’t blow up) and security (no unauthorized access).

As Mullenex says, “Car manufacturers come from a world of operational technology, or OT. But OT and IT have often developed along different paths, and what we take for granted in IT security may be missing in OT security.” Carmakers may not know as much about the security aspects of mobile apps for remote vehicle control. Internal development teams and third-party developers may be keen on coding functionality and communications, but skimp on security and security testing.

Even the much-publicized remote hacking (from up to a mile away) of the Jeep onboard systems a while back does not seem to have made much difference. Earlier this year industry experts pointed to possible security concerns with the Tesla online systems for customers, and to the privacy concerns around the constant recording and broadcasting of driver activity data. Tesla issued a statement about its “dedicated team of top-notch information security professionals”, but the only way to be sure about security is to test it.

The app-controlled car is on the increase, both in the number of manufacturers and the number of vehicles on the road: 29.1 percent of overall car shipments in 2017 and 90 percent by 2035, says analyst Fuji Keizai. Whether their motivations are financial, activist, or terrorist, there is no doubt that hackers will launch attacks to attempt to compromise those apps. Only proper security testing, before release and continuing afterwards, can give assurance that cars stay on the road and under the control of their drivers.