Vehicles are increasingly connected and researchers have shown just how easily some of these connected features can be hacked. Just as people think the story’s been done, our research reveals that there is a key vector that has been overlooked and we ignore it at our peril: malware through an infected mobile device. This talk will reveal the results of our tests on several popular car-manufacturer apps.
(Source: RSA Conference USA 2017)
4. #RSAC
Mikhail's daily life
Misha has a car too
But it has one feature:
Remote Start from his phone
Misha just pushes a button and after 10-15 minutes comes out to a warmed-up car
5. Scope
There are millions of people like Misha, who have paired their cars with their phones:
They have become nice targets for cybercriminals
6. Consequences
So Mikhail, like many other people, has remote access to his car
But …
Mikhail's phone was infected with malware
And his car was stolen
By a cybercriminal
Remote access is a dream for car hijackers
8. About
With a mobile phone you can:
Start the engine of your car
Unlock the doors
Track your car's location
Even drive without the keys
For me it's a breakthrough
For cybercriminals it's like winning the lottery – they just need access to the phone
9. Mobile-to-car scheme
[Diagram: mobile app, secure channel, telematics infrastructure, secure channel, car]
This part of the interaction is likely to be more secure than the mobile app itself; it is much more difficult to mount a MiTM attack on it.
Let's start with this thing (the mobile app)
10. Car mobile app local data
A connected car app, like any other app, has its internal data:
Login and password
Authentication token
Car model
Driver data
Debug log
Other interesting info
Developers put all this stuff inside the protected app space (/data/data/) with faith that nobody can read it.
11. Stored data examples
[top tier auto manufacturer app] with credentials.xml
[another top tier auto manufacturer app] with prefs.{?????????}.xml
12. Stored data secured
In the normal scenario:
There is no way to read protected data
There is no way to download an app without the user's knowledge
There is no way to install an app without the user's knowledge
There is no way to launch an app without the user's knowledge
But with root privileges all these things can be done silently
That is what actually happened to Misha
13. Infection vector
• But how do they get into the phone?
• We usually leave them a small loophole
• We put our phone number under the windshield. Why? For emergency calls
• So, they just need to send us an SMS or WhatsApp spam with a malicious link
• That's it
15. Mobile malware stats
Top 10 Android malware list by Q3 2016

 #   Threat name                          % of attacked users
 1   DangerousObject.Multi.Generic        78,46
 2   Trojan-Banker.AndroidOS.Svpeng.q     11,45
 3   Trojan.AndroidOS.Ztorg.t              8,03
 4   Backdoor.AndroidOS.Ztorg.c            7,24
 5   Backdoor.AndroidOS.Ztorg.a            6,55
 6   Trojan-Dropper.AndroidOS.Agent.dm     4,91
 7   Trojan.AndroidOS.Hiddad.v             4,55
 8   Trojan.AndroidOS.Agent.gm             4,25
 9   Trojan-Dropper.AndroidOS.Agent.cv     3,67
10   Trojan.AndroidOS.Ztorg.aa             3,61

40% of widespread malware can escalate to root privileges
This malware can read sensitive car data from the protected storage with just a cp command
Source: https://securelist.com/analysis/quarterly-malware-reports/76513/it-threat-evolution-q3-2016-statistics/
16. Vulnerable Android versions

Version         Codename            API   Distribution
2.2             Froyo               8     0.1%
2.3.3 - 2.3.7   Gingerbread         10    1.3%
4.0.3 - 4.0.4   Ice Cream Sandwich  15    1.3%
4.1.x           Jelly Bean          16    4.9%
4.2.x           Jelly Bean          17    6.8%
4.3             Jelly Bean          18    2.0%
4.4             KitKat              19    25.2%
5.0             Lollipop            21    11.3%
5.1             Lollipop            22    22.8%
6.0             Marshmallow         23    24.0%
7.0             Nougat              24    0.3%

Different exploit count per version
About 75% of worldwide devices are at risk
According to Google data: https://developer.android.com/about/dashboards/index.html
17. All devices are at risk
“Dirty Cow” exploit (CVE-2016-5195)
Discovered by Phil Oester
Race condition in the Linux kernel
Existed since 2007 and was fixed on Oct 18, 2016
Works on almost all Android devices
18. All devices are at risk
“Drammer” - DRAM Rowhammer Attack
Hardware-based attack
Doesn’t depend on Android version
Cannot be fixed by software update
PoC and detailed research are publicly available
19. All devices are at risk
“QuadRooter”
Discovered by Check Point
Uses 4 different vulnerabilities in the drivers
Affects popular devices with Qualcomm chipsets
Over 900 million devices are at risk
20. All devices are at risk
Want more?
December 2016 Android Security Bulletin
And this is just the tip of the iceberg…
26. Overlapping technique
Common technique for Android banking Trojans
The Faketoken trojan uses this technique to attack 2000 financial apps
9 connected car apps were tested: none of them checks whether it is really in the foreground
This can be done easily with just the Android API: just check the top activity
28. Repackaging technique
Almost every Android app can be decompiled
Some code changes can be performed
The app can be compiled back
The app can be signed with another certificate
Profit – the app is ready to be delivered to the victim
29. Repackaging technique
In the case of the connected car app, the login activity can be patched
We modified the app code so that the login and password are simply shown as a toast
The patched app ran successfully
[top tier auto manufacturer] app
30. Repackaging technique
Common technique for Android adware and “rooting” Trojans
Trojan-Downloader.AndroidOS.Leech: modified YouTube downloader
Trojan-Spy.AndroidOS.Instealy.a: modified Instagram client
32. Developers fail
We listed three attack techniques:
Internal data leakage
Overlapping of the app
Repackaging of the app
We tested 9 connected car apps and none of them was protected
Fortunately, we haven't seen these attacks applied to connected car applications in the wild (ITW)
34. Connected car app = Banking app
An app that controls such an expensive thing as a car must not be less protected than a banking app:
Root detection
Foreground app control
Self-integrity checks
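Worked example added by the editor (not code from the talk or from any tested app) that implements the three countermeasures listed on this slide and answers the two earlier slides on overlapping (check the top activity / foreground state) and repackaging (the app is re-signed with another certificate): root detection heuristics, a foreground check built on the Android API, and a self-integrity check that pins the APK's signing certificate. The class name AppGuard and the certificate hash placeholder are assumptions.

```java
// Added example: runtime checks for a connected-car app (root detection,
// foreground control, signature self-check). Class name and the pinned
// certificate hash placeholder are assumptions, not from the talk.
import android.app.Activity;
import android.app.ActivityManager;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;

import java.io.File;
import java.security.MessageDigest;
import java.util.List;

public final class AppGuard {
    // SHA-256 (hex) of the release signing certificate. PLACEHOLDER: pin your own value.
    private static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-hex>";

    // 1. Root detection heuristics: developer-signed builds and common su binaries.
    public static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            return true;
        }
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) {
            if (new File(p).exists()) {
                return true;
            }
        }
        return false;
    }

    // 2. Foreground control: true only while our own process is the foreground process.
    //    If another app's activity has been drawn over the login screen, this is false.
    public static boolean isOwnProcessForeground(Context ctx) {
        ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs == null) {
            return false;
        }
        String self = ctx.getPackageName();
        for (ActivityManager.RunningAppProcessInfo p : procs) {
            if (self.equals(p.processName)) {
                return p.importance == ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND;
            }
        }
        return false;
    }

    // 3. Self-integrity: compare the APK's signing certificate with the pinned hash.
    //    A repackaged build signed with another certificate fails here.
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) {
                return false;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString().equalsIgnoreCase(EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false;
        }
    }

    // Gate used by the login screen: refuse to show or submit credentials unless all three hold.
    public static boolean safeToHandleCredentials(Activity login) {
        return !looksRooted() && signatureMatches(login) && isOwnProcessForeground(login);
    }
}
```

Call safeToHandleCredentials from the login Activity's onResume and again in the submit handler; in addition, when the login screen loses focus (onWindowFocusChanged(false) or onPause) with text already entered, clear the fields, because that is the moment a trojan activity drawn over the form takes the foreground. Setting setFilterTouchesWhenObscured(true) on the credential views blocks touches delivered through an overlay window. Two caveats: GET_SIGNATURES is deprecated from API 28 in favour of GET_SIGNING_CERTIFICATES, and all three checks run inside the same APK the attacker can repackage, so they raise the bar rather than settle the question; the backend should still verify device attestation and treat unusual remote-start or unlock requests as suspicious.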