Mobile apps for connected cars offer a variety of features to make life easier for motorists, but they can also pose risks, according to Kaspersky.
Kaspersky experts have analyzed 69 popular third-party mobile apps designed to control connected cars and identified the main threats drivers can face when using them. They found that more than half (58%) of these apps use vehicle owners’ credentials without asking for their consent. Additionally, one in five apps has no contact information, making it impossible to report a problem. These and other results are published in the new Kaspersky Connected Apps report.
Connected car applications offer a wide range of functions to make life easier for drivers. For example, they allow users to remotely control their vehicles by locking or unlocking the doors, adjusting the air conditioning, starting and stopping the engine, etc. Even though most car manufacturers have their own legitimate apps for the cars they manufacture, third-party apps designed by mobile developers are also very popular among users, as they can offer unique features that have not yet been introduced by the car manufacturer.
The third-party apps analyzed by Kaspersky cover almost all major vehicle brands, with Tesla, Nissan, Renault, Ford and Volkswagen in the top 5 cars most often controlled by such apps. However, these apps are not entirely safe to use, say Kaspersky researchers.
The company’s experts reviewed 69 third-party apps designed for connected cars and identified the top privacy risks drivers might face when using any of them. They found that more than half (58%) of the apps did not warn of the risks associated with using the owner’s account of the original car manufacturer’s service.
Some developers, to look more believable, advise using an authorization token instead of a username and password. The catch is that, if a token is compromised, malefactors can gain access to cars the same way they would using the victim’s credentials. This means that the risk of losing control of vehicles is still high. Users should be aware that they use these apps at their own risk and that authorization tokens do not guarantee complete security. Despite this, only 19% of developers mention it and warn the user without hiding the warning in several layers of fine print.
Also note that 46 of the 69 applications are either free or offer a demo mode. This has contributed to these apps being downloaded from the Google Play Store over 239,000 times, which makes you wonder how many people give strangers free access to their car.
“The benefits of a connected world are countless. However, it is important to note that this is still a developing industry, which carries certain risks,” says Sergey Zorin, Head of Kaspersky Transport Security at Kaspersky.
“When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology. Unfortunately, not all developers adopt a responsible approach to data storage and collection, which leads to users exposing their personal information.
“This data can further be sold on the dark web and end up in untrustworthy hands. Additionally, cybercriminals could not only steal your data and personal credentials, but also gain access to your vehicle – and that could result in physical threats,” he said.
“For these reasons, we urge app developers to make user protection a priority and take precautionary measures to avoid compromising themselves and their customers.”