A number of security issues that could potentially allow criminals to take control of shared vehicles have been uncovered by Kaspersky Lab.
The research discovered that each of the examined apps, which together account for more than one million downloads worldwide, contained several security issues. And, more worryingly, the researchers found that malicious users are already capitalising on stolen accounts for car sharing applications.
Kaspersky’s researchers claim that upon successful exploitation, an attacker can discreetly gain control of the car and use it for malicious purposes – from riding for free or spying on users, to stealing the vehicle and its details, and the potential of personal data theft.
The list of security vulnerabilities uncovered included:
No defense against man-in-the-middle attacks. This means that while a user believes he is connected to a legitimate website, the traffic is actually being re-directed through the attacker’s site, allowing him to gather any personal data entered by the victim (login, password, PIN, etc.).
No defense against application reverse engineering. As a result, a criminal can understand how the app works and find a vulnerability that would allow him to obtain access to server-side infrastructure.
No rooting detection techniques. Root rights provide a malicious user with almost endless capabilities and leave the app defenseless.
Lack of protection against app overlaying techniques. This helps malicious apps to show phishing windows and steal users’ credentials.
Less than half of applications demand strong passwords from users. This means criminals can attack the victim through a simple brute force scenario.
“Individuals must understand that these apps pose security risks and be judicious when sharing sensitive information on them,” said David Emm, principal security researcher at Kaspersky Lab.
To alleviate concerns, Kaspersky Lab researchers are advising users not to root their Android device, to keep the OS version of their devices up to date to reduce vulnerabilities in the software, and to install a proven security solution to protect the device from cyberattacks.