Automotive apps: who gets your car keys?

Most third-party apps for connected cars require access to your account with the manufacturer. But are they secure?

Third-party apps for Tesla, Nissan, Renault and other connected cars require access to an account with the manufacturer — that’s a security risk

Any modern car is basically a computer on wheels. And many are also connected to the internet. As a result, in addition to the vehicles themselves, automakers are now developing apps to control them remotely. These can be used to check the car’s location, turn on the heating or air conditioning in advance, lock and unlock the doors, and so on.

However, different users have very different needs, and it’s not possible to squeeze every feature into one app. So, besides the software from automakers, there are also third-party apps for every taste and wallet. Sure, it’s convenient. But is it safe? Our researchers decided to investigate.

Who’s driving your car?

For the car to know it’s really you using the app, you need to enter a username and password. If you use the car maker’s own app, your credentials don’t get passed to a third party, which is a good thing. And there are security standards for car manufacturers that their products must meet.

If you choose a third-party app with some unique features lacking in the official app, it somehow needs access to the vehicle or its telemetry data. Some apps use solutions specially developed by the automaker for this purpose, which do not require your credentials and are given limited access to the vehicle, allowing you to use their functionality but preventing them from doing dangerous things like unlocking the doors. These apps are more or less secure, but still few in number.

Most connected-car apps require the username and password for your account with the manufacturer; that is, they get full access to your account. At the same time, the security requirements that apply to automakers do not extend to these apps, and this is where the problem arises.

Trust is everything

The study’s main focus was on the third-party mobile apps that use the vehicle owner’s account with the manufacturer. Unfortunately, more than half of app developers do not warn of the risks of handing over the account. Those who do warn users assure them that they either won’t store the credentials at all or will store them in encrypted form. Some emphasize that the username and password are needed only to obtain an authorization token. However, a token allows anyone holding it to use the account on your behalf, just like your login credentials, and it too can be leaked if stored improperly. What’s more, there’s no way to check how your credentials are actually handled: you either trust the developers or you don’t use the app.

In addition, the developers of 14% of the apps that our researchers investigated proved impossible to contact in case of problems: the contact details on their websites were either missing or pointed to deleted social media pages.

It’s a similar situation with web services: the user hands over their credentials without knowing for sure how they’ll be stored and processed. Open-source solutions are more transparent in this respect: tech-savvy users can at least study the code. However, for regular folks without a technical background, it’ll be extremely difficult to figure it out.

Another problem is that there also exist intermediary services that link up the automaker’s systems to third-party apps. These are used by developers of car apps and web services, but may be something that users have no inkling about whatsoever. And it’s important to understand that if your chosen third-party automotive app works through an intermediary service, the developers of both will get hold of your credentials.

Third-party apps accessing your car: what’s the risk?

If your credentials aren’t stored very securely, intruders can get to them. They probably won’t manage to steal your car, but they can remote-control the various systems: doors and windows, climate control, horn, headlights, etc. If an intruder starts honking or flashing lights randomly while you’re driving, it can be unpleasant, if not downright dangerous.

This might seem like a James Bond-type scenario: who on earth would want to do away with you in such an elaborate manner? But if such data were to leak into the public domain, it could fall into the hands of online pranksters anywhere in the world, of whom there are plenty, who just want to have fun and don’t even realize what the consequences might be.

Besides, if an app is hacked, the attackers will have access to all the collected data, including geolocation. And this can be used to track the movements of car owners — again, from anywhere in the world.

Here’s a recent example. Not long ago, 19-year-old security expert David Colombo accidentally discovered a vulnerability in the TeslaMate app for collecting, storing and visualizing telemetry data from Tesla vehicles. He managed to find out where the car owners lived, where they drove and at what speed, where the vehicles were parked, where they were charged, and what updates were installed on those cars.

Although the app itself was designed just to collect data, not control the car, Colombo managed to do exactly that. And all because the storage containing the user’s credentials was accessible with the default password, while some information could be retrieved with no authorization at all. Colombo reported the issue to the app developers and they fixed it relatively quickly. Despite the happy ending, the story shows that third-party car apps may not be as reliable as the devs claim.

So, should I stop using third-party apps?

All this is not to say that third-party apps should never be used under any circumstances. By no means are all developers indifferent to user data security. As we observed, TeslaMate’s creators responded rather quickly to the vulnerability report and fixed the issue. And, as mentioned, there are apps that do not require full access to your account with the automaker.

That said, if you want to use features lacking in your vehicle’s native app, be careful when choosing: if possible, pick an app from a reliable developer, one that at the very least doesn’t hide its contact details and is transparent about how it handles your data. Look for reports by security experts and feedback from tech-savvy users who understand how it all works and what the risks are.

If you’re already using a third-party app but want to stop, note that simply uninstalling it from your smartphone may not be enough:

  • Check if you also need to unsubscribe or delete your account with the service;
  • Just in case, change the password for your account with the automaker;
  • If possible, revoke the app’s access to your account through the manufacturer’s website or technical support.