Remote apps for vehicles - How secure are they?
"Remote apps" for vehicles are in vogue. Thanks to them, so-called informative vehicle data such as mileage, fuel level, service intervals and tire pressure can be read on smartphones and tablets in real time. However, such applications can also be used to control the vehicle, for example to lock and unlock it and to close and open the windows.
While such functions are convenient, they can also attract criminals, so IT security is crucial. TCS and its partner clubs therefore subjected three remote apps (BMW, VW, Renault) to a so-called penetration test. Basically, the three apps examined are secure and can be used without major risks. However, the all-clear cannot be given completely and per se: all three apps show various vulnerabilities that are to be rated as medium risk and can, in extreme cases, lead to third-party access to the user account and control of all remote functions. The following vulnerabilities were found during the investigation:
Unencrypted database
Renault My Z.E. stores sensitive data in an unencrypted database on the smartphone. Under certain conditions, this allows attackers to read data such as the vehicle identification number (VIN) and an activation code, which the attacker can use to register the vehicle to himself.
Missing certificate pinning
In addition, the connection between Renault My Z.E. or VW Car-Net and the respective cloud can be intercepted and modified under certain circumstances. This is especially easy for an attacker if certain security functions are deactivated on the user's device.
Credentials in the URL
The BMW Connected app communicates with multiple endpoints in the cloud. To ensure that the user only has to log into the app once, the credentials are first converted. Unfortunately, an insecure method was chosen for the transmission of these converted credentials, so that an account can possibly be taken over by an attacker, and sensitive information also ends up in the provider's log files, where it can be viewed by administrative users.
Weak password policy
Furthermore, a weak password policy is implemented in the BMW Connected app. The minimum password length is only eight characters, and the number of special characters is also limited. This reduces the possible strength of the password and makes it easier for an attacker to guess passwords by trial and error (so-called brute forcing). Simple passwords such as "abcd1234" are also allowed. However, BMW locks the user account after a few unsuccessful login attempts until it is released again via an e-mail link.
Lack of session termination
All three apps have in common that the session is not terminated properly after a logout. Thus, a user cannot simply lock out an attacker who has already gained access.
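To show what a proper session termination looks like, here is an added illustration (not code from TCS or from any of the tested apps): a server-side session store in which logout revokes the token immediately, and in which all sessions of a user can be revoked at once so that an attacker holding a previously obtained token is locked out as well. The class, user names and time values are constructed for the example.

```python
"""Server-side session revocation, so that a logout really ends the session.

Added illustration; the store, users and tokens are constructed for the
example. A real backend would keep sessions in a database or cache rather
than a dict, but the revocation logic is the same.
"""
import secrets
import time
from typing import Dict, Optional, Tuple


class SessionStore:
    """Keeps every live session server-side so the backend can revoke it.

    A logout that only deletes the token on the phone (client side) leaves
    the token valid on the server, which is the defect described above.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        # token -> (user, absolute expiry timestamp)
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Issue an unguessable session token bound to the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.ttl)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token; None if revoked, expired or unknown."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # drop expired sessions eagerly
            return None
        return user

    def logout(self, token: str) -> None:
        """Revoke this one session; the token must stop working at once."""
        self._sessions.pop(token, None)

    def logout_all(self, user: str) -> int:
        """Revoke every session of the user (e.g. after a password change),
        so that an attacker holding a stolen token is locked out too."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```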
Conclusion
Overall, the three apps were safe to use, but some vulnerabilities were found. This clearly shows that manufacturers must continue to work on IT security. As the range of functions of digital services grows, the demands on security structures grow with it, so IT security is likely to become even more of a focus in the future than it has been in the past.
Recommendations
- It should be possible to completely disable data transmission in the vehicle.
- The data collected by the manufacturer should be freely available for viewing by the vehicle owner.
- Some functions, such as the operation of the horn, should be deactivated while driving for safety reasons.
- Stricter password policies are needed.
- The IT security criteria must meet current security standards, ideally with neutral proof (e.g. Common Criteria).
Tips for the consumer
- The range of functions of the remote services differs greatly not only between manufacturers but also between individual models and equipment variants. Buyers should therefore always check which functions are actually supported in each individual case.
- Passwords should be as strong as possible - consisting of lowercase and uppercase letters, numbers, special characters and a minimum length of 12 characters.
Text: www.tcs.ch