Another week, another big problem for the Internet of Things.
This time, it’s smart cars and the apps that surround them.
There are an increasing number of apps available for a growing number of makes and models of vehicles that can do everything from unlocking your car to starting it remotely. Unfortunately, as researchers at Kaspersky Labs have discovered, it’s almost embarrassingly easy to hack a variety of auto-related apps and use them to make stealing your smart, and supposedly more secure, vehicle a trivial matter.
While it’s true that all the apps the company tested were password-protected, almost none of them made any effort to protect the code, so even a low-skill hacker could examine it for potential security flaws to exploit.
Worse, none of them had any type of code integrity checking, meaning that the hackers were free to modify the code. Hackers could add any additional commands they wanted into it, and neither the app nor the vehicle owner would be the wiser. Also conspicuously absent was any form of root permission checking.
These are all glaringly obvious weaknesses in the design that most other industries address as their apps are being designed.
For the sake of comparison, if you examine auto-related apps against, say, banking apps, the difference is stark.
Banking apps are orders of magnitude more secure, and the companies that offer them take pains to keep customer data safe.
It should be stressed that this problem is not unique to smart cars, however. Virtually every smart object on the Internet of Things today suffers from an almost complete lack of security. In many cases, smart objects aren’t even password protected.
Given the cost of a modern vehicle, this is inexcusable, and we can only hope that sooner, rather than later, the tech industry will wake up to the very real risks and problems this attitude poses.