Lax security leaves car sharing apps vulnerable to attack
This article has been supplied as a media statement and is not written by Creamer Media. It may be available only for a limited time on this website.
Kaspersky Lab researchers have examined the security of 13 car sharing applications from household manufacturers across the globe – including those from Russia, the US and Europe. The company’s experts discovered that all of the applications contain a number of security issues that can potentially allow criminals to take control of shared vehicles, either by stealth or under the guise of another user.
Once access is gained through the app, a criminal can do almost anything – from stealing the vehicle or its details, through to causing damage or using it for malicious purposes.
Apps are designed to make our lives easier and transactions more convenient. This concept has been taken one step further with the advent of ‘sharing’ apps, which make everything from food delivery through to taxi and car sharing a more cost-effective way of using services. But whilst car sharing apps are invaluable for those on a low income and spare users from overpaying for vehicle ownership or maintenance, they can also add a security risk for manufacturers and users alike.
To find out the extent of the problem, Kaspersky Lab researchers tested 13 car sharing applications, developed by major manufacturers from different markets, which - according to Google Play statistics - have been downloaded over 1 million times. The research discovered that each of the examined apps contained several security issues. Moreover, the researchers found that malicious users are already capitalising on stolen accounts for car sharing applications.
The list of security vulnerabilities uncovered includes:
No defense against man-in-the-middle attacks. This means that while a user believes he is connected to a legitimate website, the traffic is actually being redirected through the attacker’s site, allowing him to gather any personal data entered by the victim (login, password, PIN, etc.).
No defense against application reverse engineering. As a result, a criminal can understand how the app works and find a vulnerability that would allow him to obtain access to server-side infrastructure.
No rooting detection techniques. Root rights provide a malicious user with almost endless capabilities and leave the app defenseless.
Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
Less than half of applications demand strong passwords from users, meaning criminals can attack the victim through a simple brute force scenario.
Upon successful exploitation, an attacker can discreetly gain control of the car and use it for malicious purposes – from riding for free and spying on users, through to stealing the vehicle and its details, and even more serious scenarios like stealing users’ personal data and selling it on the black market for financial gain. This could lead to criminals carrying out illegal and dangerous moves on the roads under the guise of other people’s identities.
“Our research concluded that, in their current state, applications for car sharing services are not ready to withstand malware attacks. And while we have not yet detected any cases of sophisticated attacks against car sharing services, cybercriminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities,” said Victor Chebyshev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users of car sharing apps to follow these measures in order to protect their cars and private data from possible cyberattacks:
Don’t root your Android device, as this will open almost unlimited capabilities to malicious apps.
Keep the OS version of your device up to date, to reduce vulnerabilities in the software and lower the risk of attack.
Install a proven security solution, in order to protect your device from cyberattacks.
To learn more about the car sharing threat, please read the blog post available at Securelist.com.