Kaspersky experts analyzed 69 popular third-party mobile apps designed to control connected vehicles and identified threats drivers may encounter when using them.
According to the company statement, connected car apps offer a wide variety of functions to make drivers’ lives easier.
For example, they allow users to lock and unlock doors, adjust climate control, and start and stop the engine; in short, to control their vehicles remotely. While most automakers have their own apps for their cars, those designed by third-party mobile app developers are very popular with users, as they can also offer unique features not yet introduced by the car manufacturer.
The third-party applications analyzed by Kaspersky cover the major vehicle brands controlled by such applications. Kaspersky researchers point out that these applications are not entirely safe to use.
Kaspersky experts reviewed 69 third-party apps designed for connected vehicles and identified the key privacy risks drivers may face when using them. The study revealed that more than half of the apps (58 percent) did not warn about the risks of using the original automaker’s service through the user's account.
Some developers suggested using authorization tokens instead of usernames and passwords to appear more secure. The important point here is that if the token in question is stolen, there is a risk that malicious people can access the identity information and vehicles of the victims. Users need to be aware that they use such apps at their own risk and that using an authorization token does not provide complete security. Despite this, only 19 percent of developers mention it.
“Users should be aware of potential threats”
It turned out that more than half (58 percent) of the applications used the vehicle owners’ credentials without permission. In addition, 1 in 5 of the applications did not have contact information, making it impossible to report problems. These and similar findings are published in the new Kaspersky Connected Apps report.
The absence of official contact information and social networking pages reveals that most of these apps were developed by enthusiasts. 49 of the 69 applications are free or demo applications, and they have been downloaded 239 thousand times on the Google Play Store so far.
Kaspersky Head of Transportation Security, Sergey Zorin, whose views were included in the statement, stated that the benefits of a connected world are many, and that this is still a developing sector and carries certain risks.
Stating that users should be aware of possible threats while downloading a third-party application to remotely control the car, Zorin said:
“We entrust a lot of proprietary information and personal data to connected technologies. Unfortunately, not all developers take a responsible approach when it comes to data collection and storage, which causes users to disclose their personal information. This data can then be sold on the dark web and can get into untrusted hands.
In addition, cybercriminals not only steal your data and personal identity information, they can also access your vehicle and cause physical threats. That’s why Kaspersky urges application developers to make users’ protection a priority and take action to avoid putting their customers and themselves in danger.”
“Applications must be downloaded from official stores”
Kaspersky experts recommend the following for application developers:
“Applications should be checked during the core development process, vulnerabilities should be scanned before deployment. Carriers should be routinely security audited and solutions adopted that protect production infrastructures from malware, securing the software development process. Due to the recent increased frequency of supply chain attacks through public hotspots, the development process needs enhanced protection against outside interference.
Kaspersky Hybrid Cloud Security is a solution that meets the security needs of developers. It protects Docker and Windows containers and provides a ‘security as code’ approach with container host memory protection, tasks for containers, image browsing and scriptable interfaces. Thus, security tasks can be integrated into CI/CD pipelines without affecting the development process. Kaspersky Mobile SDK provides customers with data protection, malware detection, secure connectivity and more.”
Kaspersky experts advise users as follows:
“Apps should only be downloaded from official stores such as the Apple App Store, Google Play or Amazon Appstore. While apps in these markets are not 100 percent safe, at least they are checked by store representatives and have a filtering system in place.
So not every application can enter these stores. Consideration should be given before authorizing a transaction, especially when it comes to high-risk permissions such as accessing accessibility services. For example, the only permission a flashlight app needs is access to the flashlight functionality. A reliable security solution should be used to help detect malicious apps and adware. The operating system and all software should be updated regularly. Many security issues can be resolved by installing updated versions of the software.”