12/13 Connected Car Android Apps Open to Hacking – VIN & PIN Bounties by Dark Hackers

Kaspersky and AVL labs found many vulnerabilities in car apps earlier this year. Recently the company looked at the space again, re-examining the nine apps open to hacking and adding four more. The company found only one app to be safe.

“For a second time, all nine apps we studied were vulnerable to all of the most common attacks,” reported the company blog.

The threat has gone beyond theory and into practice. Darknet forums periodically feature ads for selling and buying real user account information for connected car apps. The prices for such data are surprisingly high — a lot more than criminals typically pay for stolen credit card information.

“Mikhail Kuzin presented the second part of the report at IAA 2017, the International motor show in Frankfurt.

The expert added another four apps to the list and examined them all, testing 13 programs in total. Only one of the new apps was protected — and against only one of the three types of attack (if it detects that the phone has been rooted, it refuses to operate).

Worse: The new inspection showed that all nine of the original apps were still vulnerable. In the months they’ve known about the problem, developers haven’t fixed anything. Moreover, some of these apps were not updated at all.”

Unfortunately, auto manufacturers, despite all their knowledge and talents at building cars, still do not have the experience required to implement cybersecurity properly.

“With cars, though, the issue feels more urgent and serious; hacks could cause losses in the tens of thousands of dollars, or even put someone’s life at risk,” added the company.

In response to the rising cybersecurity challenges facing the connected and autonomous car industry, Kaspersky Lab and AVL Software and Functions GmbH unveiled the Secure Communication Unit (SCU) at New Mobility World / IAA 2017 in Frankfurt, Germany. This security solution prototype demonstrates the possibilities of interference-proof communication between car components, the car itself, and its external connected infrastructure, making connected cars secure-by-design.

With each new generation of automobiles introduced, new intelligent technologies – such as those for remote diagnostics, telematics, automated and autonomous driving, remote driver assistance and infotainment – are incorporated to make each car more innovative than the last. Car controls are becoming more and more complex cyber-physical systems with multiple sensors, controls, applications, subnets and communication modules that interact with other vehicles and their environment. This means that their functions can now be controlled remotely via digital systems, which makes connected cars increasingly vulnerable targets of cyberattacks.

The rising number of third-party applications, system complexity and the increasingly dynamic software update cycles that make use of over-the-air updates have made it difficult to test the complete connected car system for bugs, backdoors and architectural issues. The Secure Communication Unit makes it possible for connected cars to be secure-by-design, regardless of the third-party software and systems on board.

The SCU is a communication gateway control unit, connected to several subnets and/or gateway-controllers to these subnets within the car network, acting as a single secure gateway for incoming and outgoing communication flows. Based on security policy enforcement and strong separation to prevent unwanted contact between various car components, the software helps ensure proper interference-proof communications within the car network.

The software platform of the SCU consists of security components that are trustworthy-by-design. The proprietary microkernel operating system, KasperskyOS, is based on well-established principles of security-driven development and specifically designed for embedded systems with strict cybersecurity requirements. KasperskyOS removes the chance of undocumented functionality, and thus mitigates the risk of cyberattacks; even if unauthorized code is embedded, it will not be executed because undocumented functionality is prohibited by default. Other components include a security policy engine, Kaspersky Security System, which defines the scope and character of interaction between various components; a trusted channel framework with a set of crypto algorithms; and low-level protection services based on hardware capabilities.

“With the modern automobile ecosystem becoming more and more complex and interconnected, it is not surprising that cybersecurity concerns arise among consumers and the automotive industry itself,” said Andrey Doukhvalov, head of future technologies and chief security architect at Kaspersky Lab. “While the opportunities and benefits are apparent, there is still a need to make automotive systems secure. That’s why we’re making a big step forward with our prototype for secure car communications to ensure that connectivity opportunities don’t turn into failures.”

The SCU prototype presented is implemented, as an example, on the ARMv7 architecture with a recommended 128 MB of RAM and an IOMMU. Other hardware platforms can be developed on a case-by-case basis in accordance with the requirements of a particular manufacturer.

The platform provides the solution framework for specific customized applications, allowing car manufacturers to develop and implement unique SCUs into their cars, based on hardware and additional software components aligning with their manufacturing plans. The SCU is available for OEMs, ODMs, system integrators and software developers around the world.