Connected Car. This word combination has already become a symbol of technological advancement just behind the car’s wheel. Connecting your car with a smartphone or computer and individual navigation options are no longer a luxury, but rather a sign of modern convenience. With a range of services – from vehicle status and driving data, through departure time programming and parking position, to air conditioning, doors and lights – car drivers receive the easiest access to their vehicles and control over their set-up 24/7. But should this fact let you sleep peacefully? Keep in mind that security threats never take a nap!
No Safety, Know Pain
Every advanced technological invention attracts a bunch of avid hackers ready to bite into your security when you least expect it. However, safety doesn’t happen by accident. Paying attention almost exclusively to the functional part of their products (as well as meeting the deadline), automobile vendors tend to keep security out of sight – a trend in the automotive industry that should be changed as quickly as possible.
As a result of a mobile security testing project based on one of the biggest automobile concerns, SoftServe’s security experts concluded that a Connected Car system faces the same security issues as any web or mobile app, meaning that it requires properly designed architecture, especially as hacking an infotainment system may be more dangerous than it seems on the surface.
An attacker may gain control over connected-car features by hacking a mobile app and attack while a driver is on the road. The key risk factors and potential threats this may pose for an automotive vendor who provides e-remote mobile apps are:
- Remotely open a vehicle’s door while it is in motion, putting a driver, a passenger or luggage in danger of falling out, or causing an accident.
- Use a mobile remote car control app to change the air conditioning settings and lock the car, leading to overheating or cooling which may cause panic or even serious health issues.
- Simply open the doors and disengage the hand brake or transmission to steal a car or personal belongings inside.
- Remotely track the geolocation of the vehicle, which may lead to privacy intrusion, blackmail, spying, or burglary.
- Intentionally discharge the battery, leaving the car and driver stranded.
- Steal a user’s PII (Personally Identifiable Information), like a VIN or cell phone number, and use it for psychological attacks or Social Engineering.
- Provide misleading information on:
  - Online Traffic Information
  - Online POI Search
  - Google Street View™
  - Google Earth™
  - Destination Import
  - Fuel Info
  - Parking Info
  - Personal POI
  - POI Voice Search
  - Vehicle Health Report
Safety First? Safety Always!
They say, prepare and prevent, don’t repair and repent. This is why the product design process should always involve security – it’s not just feature design that matters, but also a proper security audit. The following recommendations may help your company protect an automotive service you offer from being vulnerable to hackers and their malicious intentions.
Involve a Security Architect and Follow a Secure Development Process
This team member makes sure your security level is high and the product is not easily hacked, starting before the coding stage rather than after product release. A Security Architect on the product development team also estimates possible threats, arranges the client-server architecture, and may help establish a Software Security Assurance Program.
Pay Close Attention to Authentication and Authorization Design
Authorization and authentication (most critical for the API) are the two key defensive mechanisms of any modern connected car application. In addition, developers must ensure strong protection against reverse engineering for any mobile app for remote car control.
Keep an Eye on Logic Implementation
Security code scanners can help detect defects in code, but not in the implementation of a specific business function. In our case, source code scanning did not show any violations or defects in the implementation; the mobile app code seemed to function well. But logically it was badly designed, and that’s why professional Manual Penetration Testing in the Release Phase of the SDLC is required to ensure the application logic is correct and safe.
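The two recommendations above (authorization design for the API, and logic flaws that scanners miss) can be illustrated with a hypothetical remote-command handler. This is an added example, not code from the assessed application, whose actual flaw the article does not describe; the function names, command names, status strings and sample vehicles are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vehicle:
    owner_id: str
    speed_kmh: float

# Constructed sample data: VINs and user ids are placeholders.
VEHICLES = {
    "VIN-PLACEHOLDER-A": Vehicle("alice", 0.0),
    "VIN-PLACEHOLDER-B": Vehicle("bob", 87.0),
}
# Assumed policy: these commands are only allowed while the car is stationary.
STATIONARY_ONLY = {"unlock_doors", "release_handbrake"}
KNOWN_COMMANDS = STATIONARY_ONLY | {"set_climate", "get_position"}

# session_user stands for the identity taken from a server-verified session,
# never from a field the mobile client can set freely.

def handle_command_flawed(session_user, vin, command):
    """Validates input and requires login, so a code scanner finds nothing,
    yet any logged-in user can command any VIN in any vehicle state."""
    if session_user is None:
        return "401 unauthenticated"
    if vin not in VEHICLES or command not in KNOWN_COMMANDS:
        return "400 bad request"
    return "200 executed"

def handle_command_checked(session_user, vin, command):
    """Same endpoint with object-level authorization and a state check."""
    if session_user is None:
        return "401 unauthenticated"
    if command not in KNOWN_COMMANDS:
        return "400 bad request"
    vehicle = VEHICLES.get(vin)
    # Unknown and foreign VINs get the same answer, so the API does not
    # confirm which VINs exist.
    if vehicle is None or vehicle.owner_id != session_user:
        return "403 forbidden"
    # Business rule a scanner cannot infer: no unlocking while driving.
    if command in STATIONARY_ONLY and vehicle.speed_kmh > 0:
        return "409 vehicle in motion"
    return "200 executed"

if __name__ == "__main__":
    for handler in (handle_command_flawed, handle_command_checked):
        print(handler.__name__,
              handler("alice", "VIN-PLACEHOLDER-B", "unlock_doors"))
```

Both handlers pass the same syntactic checks; only a test that sends one user's session with another user's VIN, or a door command for a moving car, tells them apart.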
Don’t Underestimate Man-in-the-Middle Attacks
An attacker, or the attacker’s tools, positioned between a user and an infotainment system can easily escape the developers’ attention. Make sure a hacker has no shortcut to your data.
Connected cars are rapidly advancing to provide more secure Connected Car services. They must be as protected as any other network to prevent vulnerability to external and internal attacks on their information and communication systems. Car vendors should design their systems in a way that allows them to detect exploitation attempts and prevent security from being compromised – before it is too late.