Kaspersky research finds third-party automotive apps present significant privacy risks
Woburn, MA – May 25, 2022 – Kaspersky experts have analyzed 69 popular third-party mobile applications designed to control connected cars and defined the main threats drivers may face while using them. The researchers found out that more than half (58%) of these applications use the vehicle owners’ credentials without asking for their consent. They also found that 14% of the applications have no contact information, making it impossible to report a problem. These and other findings are published in the new Kaspersky Connected Apps report.
Connected automotive applications provide a wide range of functions to make drivers’ lives easier. They allow users to remotely control their vehicles, locking or unlocking the doors, adjusting climate control, starting the engine, and more. Even though most car manufacturers have their own legitimate applications for the cars they make, third-party apps designed by mobile developers are also very popular among users as they may offer unique features that have not yet been introduced by the vehicle manufacturer.
The third-party applications analyzed by Kaspersky cover almost all major vehicle brands, with Tesla, Nissan, Renault, Ford and Volkswagen in the top 5 cars most often controlled by such apps. However, these applications are often not entirely safe to use, claim Kaspersky researchers.
The company’s experts examined 69 third-party applications designed for connected cars and identified key privacy risks drivers might face while using them. They found that more than half (58%) of the applications don’t warn about the risks of using the owner’s account from the original automaker’s service.
Some developers advise using an authorization token instead of a username and password to look more credible. The tricky part here is that, if a token is compromised, malefactors can get access to the cars the same way they would by using victims’ credentials. This means that the risk of losing control over the vehicles is still high. Users should be aware that everything is at their own risk and using authorization tokens does not ensure total safety. Despite this, only 19% of developers mention this and warn the user without hiding it in several layers of fine print.
Forty-six of the 69 applications are either free of charge or offer a demo mode. This has contributed to such applications being downloaded from the Google Play Store more than 239,000 times, raising questions about how many people are giving strangers free access to their cars.
“The benefits of a connected world are countless,”said Sergey Zorin, head of Kaspersky transportation security at Kaspersky.“However, it is important to note that this is still a developing industry, which carries certain risks. When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology. Unfortunately, not all developers take a responsible approach when it comes to data storage and collection, which results in users exposing their personal information. This data may further be sold on the dark web and end up in untrustful hands. Moreover, cybercriminals might not only steal your data and personal credentials but also gain access to your vehicle – and that might lead to physical threats. For these reasons, we urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves.”
To learn more about the risks of using third-party applications for connected cars, visit Securelist.com.
For application developers, Kaspersky experts recommend the following advice:
· Adopt solutions that secure the software development process through application control at runtime, scanning for vulnerabilities before deployment, routinely conducting security vetting of containers and anti-malware testing of production artifacts. With supply chain attacks through public repositories becoming more frequent as of late, the development process is in need of enhanced protection against outside interference.
· Kaspersky Hybrid Cloud Security meets developers’ needs. It secures Docker and Windows containers and provides a ‘security as code’ approach, with containerization host memory protection, tasks for containers, image scanning and scriptable interfaces. So, you can integrate security tasks into CI/CD pipelines without impacting the development process.
· Implement protection mechanisms into the application. Kaspersky Mobile SDK provides data protection for customers as well as malware detection, secure connectivity and more.
Kaspersky experts recommend that users:
· Only download apps from official stores like the Apple App Store, Google Play or Amazon Appstore. Apps from these markets are not 100% failsafe but they at least get checked by shop representatives and there is some filtration system in place, meaning that not every app can get into these stores.
· Check the permissions of the apps you use and think carefully before permitting a process, especially when it comes to high-risk permissions such as access to Accessibility Services. The only permission that a flashlight app, for example, needs is access to the flashlight functionality.
· Adopt a reliable security solution to help detect malicious apps and adware before they can start behaving badly on your device.
· Don’t forget to update your operating system and all software regularly. Many safety issues can be resolved by installing updated versions of software.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn