
Q&A: Why it’s time to focus on app security technologies for cars (Includes interview)

Manufacturers need to focus on app security technologies for cars, given the risk of car apps being hacked and exploited. Solutions include protection for mobile apps, digital keys, vehicle electronics, in-car entertainment (ICE) and in-vehicle infotainment.

To discover more, Digital Journal spoke with cybersecurity expert Asaf Ashkenazi, chief strategy officer at Inside Secure.

Digital Journal: What are the potential vulnerabilities surrounding the convergence of apps and connected cars?

Asaf Ashkenazi: There are two groups of potential vulnerabilities. The first group includes applications that download and execute on car infotainment systems; the second group includes applications running on car owners’ smartphones, allowing them to remotely track and control their vehicle.

In the first group, a hacker exploits a vulnerability in an app running on the car’s infotainment system to gain further access to the car’s software. The application is used as an entry point into the car’s closed systems. This attack requires a deep understanding of the specific vehicle model's software and hardware, and advanced hacking skills.

In the second group of vulnerabilities, the smartphone application is attacked. The hacker doesn’t attack the car itself, but uses a smartphone application to gain access to functionalities offered by that smartphone app. A hacker doesn’t need to find a vulnerability in the car’s system, and they don’t need any knowledge of automotive systems; all hackers need is “standard” smartphone app hacking tools and knowledge, widely available on the dark net. Once a hacker gains control over the smartphone app, he or she can issue any function available through the app. This is done without the smartphone user’s consent or knowledge.

Typical smartphone apps provided by car manufacturers provide remote functions such as tracking the car location, locking and unlocking the doors, starting the engine, and even remote drive capabilities in some cases. Once the app is compromised, all of these functionalities are available to the hacker.

DJ: How can these vulnerabilities be overcome?

Ashkenazi: Whether it is a smartphone app connected to a car, or an app that runs on the car’s infotainment system, all apps need to be protected from hackers.

App programmers should use secure coding practices, but unfortunately this is not always enforced and doesn’t solve the problem alone. We know that any lengthy computer code contains mistakes or bugs unintentionally introduced by the app programmer. Some applications have more bugs, and some have fewer, but any app code is likely to have bugs. To make sure that hackers do not discover these bugs and take advantage of them, app code needs to be properly protected. The code needs to be obfuscated, to make it extremely difficult for hackers to find these bugs. Undetected or hidden bugs cannot be exploited by hackers. Furthermore, the code should have a self-defense mechanism, which detects any attempt to tamper with the normal execution flow of the application.

The combination of secure coding practices, obfuscation, and app self-defense will keep hackers away from the app.

DJ: Are car manufacturers listening to this advice?

Ashkenazi: Some are listening and starting to use application protection techniques. Unfortunately, the awareness of the app attack vector is still relatively low, compared with other attack vectors.

DJ: What are some of the general risks surrounding autonomous vehicles?

Ashkenazi: There are many risks surrounding autonomous vehicles that must be addressed. The attack surface of an autonomous vehicle is much larger than that of a standard car. Autonomous vehicles communicate with other vehicles (V2V), with the road infrastructure, and with cloud services (V2I). These multiple interactions are all potential entry points for hackers seeking to gain control over the autonomous driving function. In addition, the number of lines of code in autonomous cars is exponentially larger, which means more bugs are waiting to be discovered by hackers.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
