Mobile car apps have in recent years become increasingly integral to the smart mobility industry. The benefits for OEMs and car-sharing services are clear: the digitalization of the car brings convenience, control, and visibility to the users of a product once thought of as purely physical. However, the mobile apps also add another attack surface, exposing vulnerabilities in the mobile app itself, in the phone’s operating system, and in the way the app is used. This article discusses the main risks posed by mobile apps to OEMs and smart mobility services, explains the primary difficulty in protecting the mobile car app’s architecture, and shows how to tackle those challenges using a new security approach for connected cars.
Taking the connected car one step further, mobile car apps have introduced drivers to advanced control features that turn the vehicle into a personalized product: one designed not only for safety and driving quality, but also for convenience and an easy, enjoyable experience. While car manufacturers use mobile car apps to offer their customers navigation, self-parking capabilities, or remote unlocking (such as the mobile systems of Tesla, Volkswagen, and BMW), car-sharing services use them for everything from renting a car to finding parking (such as Zipcar or Lyft).
But in a reality where vendors are eager to introduce the next innovative feature, security priorities are sometimes overlooked, and car apps are often released and updated without the necessary security requirements.
Since mobile apps control multiple key functions in the connected car, they constitute an extra layer of centralized application servers that creates an additional attack surface, making it easier for hackers to control both targeted vehicles and entire fleets remotely. An attack on OEM mobile systems can easily result in car theft, while attacks on car-sharing services have already been shown to enable identity theft, fraud, or misuse. A painful example illustrating the risks to smart mobility is the well-known hack of the Australian GoGet car-sharing service, where a hacker stole users’ credentials in order to use the service for free.
The business, technical, and safety consequences of such cyber attacks on OEM mobile systems and car sharing apps are potentially disastrous – from damaged brand reputation to massive recalls, exposure to significant company liability, loss of intellectual property and customer data leading to regulatory fines and legal costs, not to mention the severe and tangible threat to human lives.
There are three primary weaknesses that enable a potential breach of OEMs and car-sharing services through the mobile phone app:
1. Mobile app software vulnerability. These kinds of vulnerabilities are quite common and often happen due to the lack of proper security requirements in the app’s software. Such software vulnerabilities include:
– Minimal or no password requirements
– Software bugs
– No account lockout policy limiting incorrect login attempts
– No code obfuscation to make it difficult for hackers to reverse-engineer the code
– No code integrity checks to prevent malicious manipulation
– No encryption of login credentials
One recent example of a software vulnerability being exploited to hack an OEM’s mobile system is the case in which Qihoo 360 researchers cracked the simple six-digit code of Tesla’s mobile application and took control of the car’s door locks, headlights, wipers, sunroof, and horn – all while the car was still in motion.
2. A weakness in the phone’s operating system. This type of weakness allows attacks to be executed through a flaw in the Android or iOS operating system, and it usually persists because the operating system on the phone has not been updated. In 2017 alone there were 842 security vulnerabilities (CVEs) found in Android and 387 in iOS. Though vendors continuously release security patches, those patches do not reach users’ phones immediately (Android security updates, in particular, suffer from a low update rate for a variety of reasons). Security flaws of this kind are what led to the GM OnStar man-in-the-middle Android hack in 2015.
3. Problematic usability practices. Poor user practices, such as choosing weak passwords or reusing passwords across multiple devices and services, make it easy for a hacker to steal user credentials.
These security flaws in so many mobile car apps make it possible to intercept the communication between the mobile phone and the application servers and thereby control the vehicle. Although various recent security breaches (such as Nissan’s Leaf app vulnerability, Hyundai’s Blue Link leak, or Uber’s identity-theft Android malware) have raised awareness of the risks of remote mobile apps for OEMs and car-sharing services, the issue remains largely unresolved, posing a major threat to the privacy and safety of the customers of car fleets and manufacturers.
But no matter how feverishly vendors try to patch a continuous stream of vulnerabilities, it will never be enough. Here is why –
To understand why patching alone cannot stop cyber attacks on mobile car apps, consider what the real problem is: mobile car apps are so difficult to secure because of the complexity of the connected car ecosystem once mobile environments are part of it. Its complex data architecture makes it difficult to secure communications between the multiple sources involved: the mobile phone, the mobile application, the application’s servers, the connected vehicle itself, and the telematics servers that communicate with the car. To protect these sources, it is not enough to secure each of them separately – the data flowing between them must be correlated and analyzed to produce a coherent view of the data flow.
In addition to protecting each data source separately, there must be a network-based solution that secures the entire data center and the network.
In order to expose security breaches, a proper security solution must be located on the network, inspecting every stage of the data flow all the way from the mobile app to the app server, and from there to the automotive protocols (telematics), then back to the vehicle, out to the data center, and so on. Tracking, correlating, and analyzing this data traffic from the many sources is the only way to piece together a holistic, centralized view of the data and uncover malicious activity.
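The following Python sketch illustrates the cross-source correlation described above; it is an added example written for this article, not Upstream’s product or code. It joins constructed app-server authentication, remote-command, and telematics log lines and applies two detections that no single source can provide on its own: a burst of failed logins that an app without a lockout policy never blocks, and a cabin-control command issued while the vehicle reports that it is moving. All log entries, user names, and VIN labels are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real telemetry): the three sources that the
# text says must be correlated rather than inspected in isolation.
AUTH_LOG = [  # app-server authentication: (time, user, outcome)
    ("2018-03-01T10:00:00", "alice", "fail"),
    ("2018-03-01T10:01:00", "bob", "fail"),
    ("2018-03-01T10:01:05", "bob", "fail"),
    ("2018-03-01T10:01:09", "bob", "fail"),
]
COMMAND_LOG = [  # app-server remote commands: (time, user, vehicle, command)
    ("2018-03-01T10:05:00", "alice", "VIN-A", "unlock"),
    ("2018-03-01T10:07:00", "bob", "VIN-B", "unlock"),
]
TELEMATICS_LOG = [  # vehicle-side telematics: (time, vehicle, speed_kmh)
    ("2018-03-01T10:04:50", "VIN-A", 0),
    ("2018-03-01T10:06:55", "VIN-B", 62),
]
CABIN_COMMANDS = {"unlock", "sunroof", "horn", "wipers"}

def failed_login_bursts(auth_log, threshold=3, window=timedelta(minutes=1)):
    """Accounts with >= threshold failures inside one window: a guessing
    burst that an app without a lockout policy never stops on its own."""
    failures = defaultdict(list)
    for ts, user, outcome in auth_log:
        if outcome == "fail":
            failures[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
    return flagged

def commands_while_moving(command_log, telematics_log, max_gap=timedelta(seconds=30)):
    """Join each cabin command with the vehicle's latest telematics sample
    (at most max_gap earlier) and flag it if the car reported motion."""
    samples = defaultdict(list)
    for ts, vin, speed in telematics_log:
        samples[vin].append((datetime.fromisoformat(ts), speed))
    flagged = []
    for ts, user, vin, cmd in command_log:
        t = datetime.fromisoformat(ts)
        prior = [s for s in samples[vin] if t - max_gap <= s[0] <= t]
        if cmd in CABIN_COMMANDS and prior and max(prior)[1] > 0:
            flagged.append((user, vin, cmd))
    return flagged
```

The first rule fires on the app-server log alone; the second only becomes possible once the command log and the vehicle's telematics are seen together, which is the point of correlating the sources.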
By using big data, machine learning, and artificial intelligence, Upstream Security introduces a new approach to securing OEMs and car-sharing services against all types of cyber attacks, from identity theft and denial-of-service attacks to car theft and more. Located at the junction of the fleet’s data flow, Upstream collects a vast amount of valuable data from all sources in the ecosystem and processes it to create a baseline of normal behavior. This data visibility and analysis allows deep interpretation of the traffic, detection of any anomaly, and alerting on it, so that suspicious activity anywhere in the data flow can be stopped in real time.
Learn more about how Upstream protects connected vehicles and car fleets at www.upstream.auto.