Third-party automotive apps bear significant privacy risks
Mobile applications for connected cars provide various features to make life easier for motorists, but they can also be a source of risk, according to Kaspersky.
Kaspersky experts have analysed 69 popular third-party mobile applications designed to control connected cars and defined the main threats drivers may face while using them. They found out that more than half (58%) of these applications use the vehicle owners' credentials without asking for their consent. On top of this, one in five of the applications have no contact information, which makes it impossible to report a problem. These and other findings are published in the new Kaspersky Connected Apps report.
Connected automotive applications provide a wide range of functions to make drivers' lives easier. For example, they allow users to remotely control their vehicles by locking or unlocking the doors, adjusting climate control, starting and stopping the engine, etc. Even though most car manufacturers have their own legitimate applications for the cars they make, third-party apps designed by mobile developers are also very popular among users as they may offer unique features that have not yet been introduced by the vehicle manufacturer.
The third-party applications analysed by Kaspersky cover almost all major vehicle brands, with Tesla, Nissan, Renault, Ford and Volkswagen in the top-5 cars most often controlled by such apps. However, these applications are not entirely safe to use, claim Kaspersky researchers.
The company's experts examined 69 third-party applications designed for connected cars and identified key privacy risks drivers might face while using one of these. They found that more than half (58%) of the applications doesn't warn about the risks of using owner's account from the original automaker's service.
Some developers advise using the authorisation token instead of a username and password to look more credible. The tricky part here is that, if a token is compromised, malefactors can get access to the cars the same way they would by using victims' credentials. This means that the risk of losing control over the vehicles is still high. Users should be aware that everything is at their own risk and using authorisation tokens does not ensure total safety. Despite this, only 19% of developers mention this and warn the user without hiding it in several layers of fine print.
Moreover, every seventh (14%) application does not have information on how to contact the developer or give feedback, making it impossible to report a problem or request more information on the app's privacy policy. The absence of official contact information and social network pages makes it clear that most of these apps are developed by enthusiasts, which is not necessarily a bad thing, however, such developers don't have to care about your vehicle's safety and data security like regulated vehicle manufacturers do.
It is also worth noting that 46 of the 69 applications are either free of charge or offer a demo mode. This has contributed to such applications being downloaded from the Google Play Store more than 239,000 times, which makes you wonder how many people are giving strangers free access to their cars.
"The benefits of a connected world are countless. However, it is important to note that this is still a developing industry, which carries certain risks," says Sergey Zorin, head of Kaspersky transportation security at Kaspersky.
"When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology. Unfortunately, not all developers take a responsible approach when it comes to data storage and collection, which results in users exposing their personal information.
"This data may further be sold on the dark web and end up in untrustful hands. Moreover, cybercriminals might not only steal your data and personal credentials but also gain access to your vehicle – and that might lead to physical threats," he says.
"For these reasons, we urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves."