Kaspersky Lab discovers several security issues with car sharing apps

July 26, 2018

Lax app security allows criminals to steal vehicles, access personal data and cause further damage

Woburn, MA – July 25, 2018 – Kaspersky Lab researchers have examined the security of 13 car sharing applications from household manufacturers worldwide, including those from the U.S., Europe and Russia. The company’s experts discovered that all of the applications contain a number of security issues that can potentially allow criminals to take control of shared vehicles, either by stealth or under the guise of another user. Once access is gained through the app, a criminal can do almost anything – from stealing the vehicle or its details, to causing damage or using it for malicious purposes.

Apps are designed to make users’ lives easier and transactions more convenient. This concept has been taken one step further with the rise of ‘sharing’ apps, which make everything from food delivery to taxi and car sharing a more cost-effective way of using services. However, while car sharing apps are convenient and spare users the overpayment that comes with vehicle ownership or maintenance, they can also add a security risk for manufacturers and users alike.

To discover the extent of the problem, Kaspersky Lab researchers tested 13 car sharing applications, developed by major manufacturers from different markets, which have been downloaded more than 1 million times, according to Google Play statistics. The research discovered that each of the examined apps contained several security issues. Moreover, the researchers found that malicious users are already capitalizing on stolen accounts for car sharing applications. 

The list of security vulnerabilities uncovered includes: 

  • No defense against man-in-the-middle attacks. This means that while a user believes he is connected to a legitimate website, the traffic is actually being re-directed through the attacker’s site, allowing him to gather any personal data entered by the victim (login, password, PIN, etc.);
  • No defense against application reverse engineering. As a result, a criminal can understand how the app works and find a vulnerability that would allow him to obtain access to server-side infrastructure;
  • No rooting detection techniques. Root rights provide a malicious user with almost endless capabilities and leave the app defenseless;
  • Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials;
  • Fewer than half of the applications demand strong passwords from users, meaning criminals can attack the victim through a simple brute force scenario.

Upon successful exploitation, an attacker can discreetly gain control of the car and use it for malicious purposes – from riding for free and spying on users to stealing the vehicle and its details, or stealing users’ personal data to then sell it on the black market for financial gain. This could lead to criminals carrying out illegal and dangerous moves on the roads under the guise of other people’s identities.

“Our research concluded that, in their current state, applications for car sharing services are not ready to withstand malware attacks,” said Victor Chebyshev, security expert at Kaspersky Lab. “While we have not yet detected any cases of sophisticated attacks against car sharing services, cybercriminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities.”

Kaspersky Lab researchers advise users of car sharing apps to follow these measures in order to protect their cars and private data from possible cyberattacks:

  • Don’t root your Android device, as this will open almost unlimited capabilities to malicious apps;
  • Keep the OS version of your device up to date, to reduce vulnerabilities in the software and lower the risk of attack;
  • Install a proven security solution, in order to protect your device from cyberattacks.

To learn more about car sharing threats, please read the blog post available on Securelist.com.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

Media Contact

Jessica Bettencourt
781.503.7851
Jessica.Bettencourt@kaspersky.com

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
