Smartphone apps which enable drivers to control vehicle functions remotely are vulnerable to a number of security threats, according to new research. 

The seven carmaker apps all contained security flaws which could be used to hack vehicles.

Russian cybersecurity research unit Kaspersky Lab researchers examined seven apps which, according to Google Play, have been downloaded tens of thousands, and in some cases, up to five million times.

The research found that all contain a number of security issues that can potentially enable an attacker to gain control over the car, unlock the doors, turn off the alarm and, theoretically, steal it altogether.

The list of the security issues discovered includes:

• No defence against application reverse-engineering. As a result, malicious users could understand how the app works and find a vulnerability that would allow them to obtain access to server-side infrastructure or to the car’s multimedia system.
• No code integrity check, which is important because it enables criminals to incorporate their own code in the app and replace the original program with a fake one.
• No rooting detection techniques. Rooting a device enables users to change fundamental parts of its operating system. It also provides Trojans with almost endless capabilities and leave the app defenceless. Some banking apps will refuse to run if they detect they are on a smartphone which has been rooted.
• Lack of protection against app overlaying techniques. This enables malicious apps to show phishing windows, which masquerade as trustworthy sites but steal users’ credentials.
• Storage of logins and passwords in plain text. Using this weakness, a criminal can steal users’ data relatively easily.

Kaspersky Lab said in each case the attack vector would require some additional preparations, like luring owners of applications to install specially-crafted malicious apps that would then root the device and get access to the car application.

However, it added  this is unlikely to be a problem for criminals experienced in social engineering techniques, should they decide to hunt for owners of connected cars.

Victor Chebyshev, security expert at Kaspersky Lab, said: “The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks.

“Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here.”

Kaspersky Lab researchers also issued advice for users of connected car apps to protect their cars and private data from possible cyberattacks:

• Don’t root your Android device as this will open almost unlimited capabilities to malicious apps.
• Disable the ability to install applications from sources other than official app stores.
• Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack.
• Install a proven security solution in order to protect your device from cyberattacks.