UPDATED 00:23 EST / FEBRUARY 23 2017

EMERGING TECH

Research finds that connected car apps are a security nightmare

The now-famous proof-of-concept hack in 2015, in which hackers were able to hijack a Jeep Cherokee while it was being driven, shone a spotlight on potential security problems with connected cars.

Since then, the Federal Bureau of Investigation has issued warnings, and best practice guidelines were published by the National Highway Traffic Safety Administration. But new research has found that connected cars are as unsafe as ever.

Up first is new research from Charles Henderson, global head of X-Force Red, an IBM Corp. division. He told an audience at the RSA Conference in San Francisco last week that the mobile apps used to access connected cars (to unlock a car with a phone, honk the horn and find out its precise location) can still be used to control the car years after it has been sold, even when a user removes personal information from the car’s services before selling it.

“The car is really smart, but it’s not smart enough to know who its owner is, so it’s not smart enough to know it’s been resold,” Henderson told CNN. “There’s nothing on the dashboard that tells you ‘the following people have access to the car.’”

According to Henderson, the problem ultimately comes down to the smart services storing the information in the cloud. While a full factory reset wipes all the local data off the device so it can be sold to someone else, the data itself remains backed up in the cloud, meaning that the factory reset only resets the car. The car is “resold, it’s transferred … [and] almost no one’s paying attention to the back end of the ownership lifecycle,” he added.

In related news, researchers at Kaspersky Lab tested seven remote car control applications developed by major car manufacturers and found that each of the apps contained several security vulnerabilities that could potentially allow criminals to cause significant damage for connected car owners.

Security issues discovered included:

  • No defense against application reverse engineering, allowing malicious users to understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
  • No code integrity check, enabling criminals to incorporate their own code in the app and replace the original program with a fake one.
  • No rooting detection techniques, allowing criminals to install trojans that could leave the app defenseless.
  • Lack of protection against app overlaying techniques that allow malicious apps to show phishing windows and steal users’ credentials.
  • Storage of logins and passwords in plain text, which is so obviously bad it doesn’t require explanation.

“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks,” Kaspersky security researcher Victor Chebyshev said in a statement. “Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right.”

But he said it’s unclear how much time they have. “Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps,” he said. “The attack surface is really vast here.”

Photo: Azreey/Wikimedia Commons
