Securelist's report on the security vulnerabilities in Android-based "connected cars" describes how custom Android apps could be used to find out where the car is, follow it around, unlock its doors, start its engine, and drive it away.
They reported their findings yesterday at the RSA conference. It's a timely reminder that cars are just computers we put our bodies into.
"The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks," said Chebyshev.
"We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research," the expert added. "Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products."
"Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right," Chebyshev noted. "The attack surface is really vast here."
Mobile apps and stealing a connected car [Mikhail Kuzin and Victor Chebyshev/Securelist]
Millions of Smart Cars Vulnerable Due to Insecure Android Apps
[Catalin Cimpanu/Bleeping Computer]
