Bad Android security makes it easy to break into and steal millions of "smart" cars

Securelist's report on the security vulnerabilities in Android-based "connected cars" describes how custom Android apps could be used to find out where the car is, follow it around, unlock its doors, start its engine, and drive it away.

They reported their findings yesterday at the RSA conference. It's a timely reminder that cars are just computers we put our bodies into.

"The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks," said Chebyshev.

"We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research," the expert added. "Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products."

"Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right," Chebyshev noted. "The attack surface is really vast here."

Mobile apps and stealing a connected car [Mikhail Kuzin and Victor Chebyshev/Securelist]

Millions of Smart Cars Vulnerable Due to Insecure Android Apps [Catalin Cimpanu/Bleeping Computer]

Notable Replies

  1. Note to self: smart car, smart TV, smart light bulb, smart (insert product name) - it's all marketing speak, i.e., lies. To buy smart, always avoid products that call themselves smart.

  2. dfaris says:

  3. Good thing my Ford Fiesta runs Windows!

  4. I remember years ago a Microsoft product manager was quoted as saying that, hey, it was entirely possible to build a secure version of Windows, what was harder was getting people to buy it.

    I can almost guarantee you that they get complaints about how current versions of Android ask for permission to do things like use the microphone and camera.

  5. XP is only insecure if you connect it to the internet. And really, its greatest insecurity, as always, comes from being used to surf the internet by a human.

    An ATM running XP probably only connects to the bank's internal network and is no more insecure than any other headless, userless, non-internet connected Windows box.
