Hackers can steal millions of cars after discovering huge flaw in manufacturer’s connected car apps
Security researchers have discovered that it is easy for attackers to gain access to millions of cars, simply by hacking into car-controlling mobile apps and using them to unlock the vehicles.
Kaspersky Lab researchers Mikhail Kuzin and Victor Chebyshev decided to analyse nine different connected car Android apps – designed to let drivers easily locate cars and unlock them via smartphone – by top car manufacturers.
Each app has been downloaded between 10,000 and one million times from the Google Play app store. The researchers discovered that all nine mobile apps store unencrypted usernames and passwords, together with the car’s unique Vehicle Identification Number (VIN) and in some cases even the car’s licence plate number, in plaintext .xml files on the device, which is a dangerous mistake.
The apps don’t check whether the user has root access to the device (meaning that the user is granted full privileges to the phone), and some of the apps can easily be decompiled to read the app’s code, or they actively save debugging data to the phone’s SD card.
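For developers auditing their own app, the plaintext .xml storage described above can be checked with a script like the following. It is an added example, not code from the article or from the Kaspersky research; it assumes the files use the standard Android SharedPreferences `<map>`/`<string name="...">` layout, and the key-name patterns and sample file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Key-name hints for the data classes the article lists (assumed heuristics).
SENSITIVE_KEYS = {
    "credential": re.compile(r"pass|pwd|user|login", re.I),
    "vin": re.compile(r"(^|[^a-z])vin([^a-z]|$)", re.I),
    "licence_plate": re.compile(r"plate|licen[cs]e", re.I),
}
# A VIN is 17 characters of digits and capitals, never I, O or Q.
VIN_VALUE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")

def audit_prefs(xml_text):
    """Return sorted (key, finding) pairs for readable sensitive <string> entries."""
    findings = set()
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        key = node.get("name", "")
        value = (node.text or "").strip()
        if not value:
            continue  # nothing stored under this key
        for label, pattern in SENSITIVE_KEYS.items():
            if pattern.search(key):
                findings.add((key, label))
        # Catch a VIN stored under an innocuous key name.
        if VIN_VALUE.match(value):
            findings.add((key, "vin"))
    return sorted(findings)

# Constructed sample preferences file; every value here is made up.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_login">driver@example.com</string>
    <string name="user_password">correct-horse</string>
    <string name="selected_car">WDB1234567A890123</string>
    <string name="plate_no">AB12 CDE</string>
    <string name="ui_theme">dark</string>
    <boolean name="remember_me" value="true" />
</map>"""

if __name__ == "__main__":
    for key, label in audit_prefs(SAMPLE_PREFS):
        print(f"{key}: plaintext {label}")
```

Any finding means the value is readable by anything that can read the app's private data directory, which on a rooted device includes other processes.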
Source | ibtimes