The risk of remote cyber control of vehicles is growing as more cars become constantly connected to the Internet via a cellular link, says Inside Secure strategy VP Asaf Ashkenazi.

Inside Secure is a France-based mobile and connected devices security solutions provider.

By 2019, connected-car shipments from vehicle manufacturers are expected to hit 64-million cars.

The main risk remains attacking the car directly, however, there is a new emerging threat that is not receiving sufficient attention – smartphone apps that allow users to control their vehicles remotely, Ashkenazi tells Engineering News Online.

“Less than a decade ago it was unthinkable that a vehicle manufacturer would need to give the same level of attention to smartphone app security as they would the actual physical security features of a car.

“The smartphone app, which clearly serves as a gateway into the systems of a car, becomes an appealing target, either for those seeking an easy way to steal a car by disabling the car's alarm system, or, in the worst circumstances, to cause momentary chaos and even widespread injury or loss.”

Ashkenazi says not everything in a vehicle is controlled by the app, but these apps can do a lot more than most people would likely guess.

“Not only can they unlock and lock doors, or start and stop engines, but these smartphone apps can GPS track the car and even drive it in a remote control fashion.

“Imagine the ramifications of hijacking GPS tracking, ignition and even driving operations. Drivers are at risk from numerous, if not countless perspectives. Just turning on or off an engine in a closed or poorly vented garage can obviously have deadly consequences. Imagine how many more scary situations can be purposely or inadvertently caused by cybercriminals.”

Compromising a smartphone app on a broad scale is not new, notes Ashkenazi.

“Earlier this year we witnessed hackers stealing the names, billing addresses, email addresses and credit cards info of some 380 000 British Airways passengers.

“We also recently received a reminder regarding the potential damage associated with compromising a vehicle remote control system when 100 drivers in Austin, Texas, found their cars disabled or the horns honking out of control after an intruder ran amok in a Web-based vehicle immobilisation system.”

Smartphone apps that allow remote access to a vehicle typically connect via a cloud service, explains Ashkenazi.

The cloud service receives a command from the smartphone app and relays it to the car.

The car trusts all commands received from its cloud service.

It is the responsibility of the cloud service and the smartphone app to verify that a request is legitimate and originated from the user.

If a cybercriminal tricks the smartphone app to trust it, or steal the user’s credentials to trick the cloud service, he or she can simply decide what to tell the vehicle to do.

“This illustrates the importance of securing not only the vehicle and the service, but also the actual smartphone app,” says Ashkenazi.

“Keep in mind that if someone finds the vulnerability in a smartphone app, that person has found a vulnerability for everyone using that app. The crime can simply be repeated for all of those car owners using that particular app. The scope of the problem can be huge overnight,” he adds.

Ashkenazi believes the responsibility for vehicle and driver safety lies with all stakeholders ensuring their components are as secure as possible, from the phone manufacturer, through to the phone operating system and the application developer.

“Since no security solution is perfect, each stakeholder should not solely rely on the other stakeholders to do their job. The car manufacturer, who typically provides the app, should not assume the smartphone is a sterile and protected environment.

“Therefore, it should take all measures to protect the app from reverse engineering by hackers, and from malicious software attacks and credential theft.

“Proper secure coding practices, application dynamic self-protection, as well as strong user authentication should provide adequate security to mitigate the threat. After all, the car manufacturers have a lot at stake here – including potential financial liability and their reputation.”