Auto technology: infotainment confusion and criminal attacks on connected cars worrying car buyers


The rapidly evolving technology contained within in-car infotainment and navigation systems are increasingly bewildering for all but the most tech-savvy car buyers.

The average vehicle on US roads is 11 years old – that means many people last bought their car before iPhones were invented.

As a consequence car-buying isn’t just about kicking the tyres anymore. It’s also about testing the technology.

AP advises that car buyers need to make sure they can pair their phone with a car, play music from their phone, make a hands-free call and use the navigation system before they leave the dealer premises.

“They should make sure volume knobs, climate controls and other technology is intuitive and displayed the way they like. Some drivers want volume controls on the steering wheel, for example, while others prefer a knob on the dashboard.

Pump the brakes

“Safety technology is also changing rapidly, and buyers should familiarize themselves with what the car can and can’t do. Some vehicles will brake automatically to avoid a collision, while others flash a warning and help the driver pump the brakes but won’t bring the car to a full stop.”

Ron Montoya, senior consumer advice editor for the car shopping site explained: “Spend some time in the parking lot sitting in the car and just messing with it.”

The issue is a serious one for the auto industry.

Consumers’ complaints about phone connectivity, navigation and infotainment systems have lowered vehicle dependability scores in annual rankings from JD Power and Consumer Reports.

Poor showings in such rankings can put a dent in sales. Car shopping site has found that as many as one-third of buyers will choose a different brand if they think a vehicle’s technology features are too hard to use.

To combat that, some brands are setting up technology help desks at dealerships and boosting employee training.

Dealers get specialist training

In 2013, General Motors formed a staff of 50 tech specialists to help deal with an increase in questions from customers about new technology. Those specialists train US dealers to pair customers’ phones, set up in-car Wi-Fi and set preferences like radio stations.

When he takes customers for test drives, Paul Makowski pairs his own phone with the car and has customers make a call, stream music and do other tasks. He uses his own phone so customers don’t worry that their data will be shared with the dealership.

“Some people fear the technology and decline it all, but we still go over it with them. They don’t leave here not knowing what their car has to offer,” says Makowski, the sales manager for Ed Rinke Chevrolet Buick GMC in Center Line, Michigan.

Growing security issues for connected car drivers

Meanwhile Kaspersky Lab researchers have examined the security of applications for the remote control of cars from several famous car manufacturers.

As a result, the company’s experts have discovered that all of the applications contain a number of security issues that can potentially allow criminals to cause significant damage for connected car owners.

During the last few years, cars have started actively connecting to the Internet.

Connectivity includes not only their infotainment systems but also critical vehicle systems, such as door locks and ignition, which are now accessible online.

With the help of mobile applications, it is now possible to obtain the location coordinates of the vehicle as well as its route, and to open doors, start the engine and control additional in-car devices.

On the one hand, these are extremely useful functions. On the other hand, how do manufacturers secure these apps from the risk of cyberattacks?

In order to find this out, Kaspersky Lab researchers have tested seven remote car control applications developed by major car manufacturers, and which, according to Google Play statistics, have been downloaded tens of thousands, and in some cases, up to five million times.

Highlighting security issues

The research discovered that each of the examined apps contained several security issues.

The list of the security issues discovered includes:

● no defense against application reverse engineering. As a result, malicious users can understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system;

● no code integrity check, which is important because it enables criminals to incorporate their own code in the app and replace the original program with a fake one;

● no rooting detection techniques. Root rights provide Trojans with almost endless capabilities and leave the app defenseless;

● lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials; and

● storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.

Upon successful exploitation, an attacker can gain control over the car, unlock the doors, turn off the security alarm and, theoretically, steal the vehicle.

In each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application.

However, as Kaspersky Lab experts have concluded from research into multiple other malicious applications which target online banking credentials and other important information, this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.

Victor Chebyshev, security expert at Kaspersky Lab explained: “The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks.

“Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications.

“Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products.

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps.”

“The attack surface is really vast here,” Chebyshev added, “Kaspersky Lab advises users of connected car apps to follow these measures in order to protect their cars and private data from possible cyberattacks. As a result:

● don’t root your Android device as this will open almost unlimited capabilities to malicious apps;

● disable the ability to install applications from sources other than official app stores;

● keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack; and

● Install a proven security solution in order to protect your device from cyberattacks.