Stopping Bad Apps from Busting Up Cars and Trucks

Apps are no longer just for PCs and smartphones. They are now being installed in cars and other vehicles.

The market demand for connectivity, whenever, wherever, is pushing the automotive industry towards becoming a software provider. Inside ever smarter vehicles, occupants can download and install apps (including bad apps) from the range on offer by the manufacturer.

This trend goes along with other applications of IT to automatically control systems in cars. With onboard computers recording mileage and gas consumption now commonplace, new components can control acceleration, braking, and other critical driving functions. The goals are laudable: user safety, convenience, entertainment, and lower total cost of ownership (use less fuel, optimize car servicing to save money while avoiding breakdowns, and so on).

The problem, however, is that car manufacturers are not app makers, at least, not in terms of core competencies. They turn to external providers of apps, either for development or for re-use of modules. They – and even the external subcontractors providing the apps – may be unaware of malicious code inside app software, especially when third party products are used that are only available as binary code.

The risk could be huge. Today’s cars are increasingly connected to networks to download apps. This makes them potentially vulnerable to other communications, such as commands sent by a hacker via a back door opened by malicious downloaded software, or requests for non-authorized downloads made by the malware itself. If a hacker or a bad app then accesses the brakes or the accelerator, for instance, the consequences could be fatal.

Because many automobile makers standardize on the CAN (Controller Area Network) bus as the backbone for computerized functions, hackers also have a head start in their knowledge about how and where to attack. The CAN bus was originally designed to cut down on the complexity and weight of physical wiring systems in vehicles. It allows vehicle subsystems like the engine, transmission, dashboard, brakes, windows and door locks, and security to all connect more easily. Unfortunately, what makes life easy for car makers can make it easy for hackers too.

Demonstrations of the danger have already been made. At the 2015 Defcon trade show, two engineers showed how they could make a wireless connection to a Jeep from a laptop, and take over control of the brakes and the transmission. Chinese security researchers proved they could take remote control of a Tesla Model S from 12 miles away, to interfere with the brakes, door locks, and car dashboard.

Automobile manufacturers need a reliable, cost-effective way to check their apps before making them available for download. Binary analysis allows them to vet all the code, even the components for which they do not have the source code. AppInterrogator goes even further by making the binary analysis fast and keeping the conclusion simple by declaring an app to be “In or Out”. This is a boon for busy car makers who now have one less thing to worry about when bringing new models to market. Now, if there was only a cure for bad drivers, as well as bad apps… the self-driving car, perhaps?