#RSAC
Victor Chebyshev, Mikhail Kuzin
Hey Android, Where is My Car?
Session# HTA-R10
Security experts
@Kaspersky Lab
My day life
2
You may know that sometimes it's too cold in Russia.
It's me warming up my car almost every winter day.
My day life
3
I want this.
But reality is...
Mikhail's day life
4
Misha has a car too, but it has one feature: Remote Start from his phone.
Misha just pushes a button and after 10-15 minutes comes out to a warmed car.
Scope
5
There are millions of people like Misha who have paired their cars with their phones.
They have become attractive targets for cybercriminals.
Consequences
6
So Mikhail, like many other people, has remote access to his car.
But …
Mikhail's phone was infected with malware, and his car was stolen by a cybercriminal.
Remote access is a dream for car hijackers.
Ok, how did that happen?
About
8
With a mobile phone you can:
Start the engine of your car
Unlock the doors
Track your car's location
Even drive without the keys
For me it's a breakthrough.
For cybercriminals it's like winning the lottery: they just need access to the phone.
Mobile-to-car scheme
9
Diagram: mobile app -> secure channel -> telematics infrastructure -> secure channel -> car
The secure channels and the telematics infrastructure are likely to be more secure than the mobile app itself; mounting a MiTM attack there is much more difficult.
Let's start with this thing (the mobile app).
Car mobile app local data
10
A connected car app, like any other app, has its internal data:
Login and password
Authentication token
Car model
Driver data
Debug log
Other interesting info
Developers put all of this inside the protected app space, /data/data/, trusting that nobody can read it.
Stored data examples
11
[top tier auto manufacturer app] with credentials.xml
[another top tier auto manufacturer app] with prefs.{?????????}.xml
Stored data secured
12
In the normal scenario:
There is no way to read protected data
There is no way to download an app without the user's knowledge
There is no way to install an app without the user's knowledge
There is no way to launch an app without the user's knowledge
But with root privileges all of these things can be done silently.
That is what actually happened to Misha.
Infection vector
13
• But how do they get into the phone?
• We usually leave them a small loophole
• We put our phone number under the windshield. Why? For emergency calls
• So, they just need to send us an SMS or WhatsApp spam with a malicious link
• That's it
Rooting
Is it that dangerous?
Mobile malware stats
15
Top 10 Android malware list, Q3 2016 (% of attacked users)
 1  DangerousObject.Multi.Generic       78.46
 2  Trojan-Banker.AndroidOS.Svpeng.q    11.45
 3  Trojan.AndroidOS.Ztorg.t             8.03
 4  Backdoor.AndroidOS.Ztorg.c           7.24
 5  Backdoor.AndroidOS.Ztorg.a           6.55
 6  Trojan-Dropper.AndroidOS.Agent.dm    4.91
 7  Trojan.AndroidOS.Hiddad.v            4.55
 8  Trojan.AndroidOS.Agent.gm            4.25
 9  Trojan-Dropper.AndroidOS.Agent.cv    3.67
10  Trojan.AndroidOS.Ztorg.aa            3.61
40% of widespread malware can escalate to root privileges.
This malware can read sensitive car data from the protected storage with just a cp command.
Source: https://securelist.com/analysis/quarterly-malware-reports/76513/it-threat-evolution-q3-2016-statistics/
Vulnerable Android versions
16
Version        Codename            API  Distribution
2.2            Froyo                 8   0.1%
2.3.3 - 2.3.7  Gingerbread          10   1.3%
4.0.3 - 4.0.4  Ice Cream Sandwich   15   1.3%
4.1.x          Jelly Bean           16   4.9%
4.2.x          Jelly Bean           17   6.8%
4.3            Jelly Bean           18   2.0%
4.4            KitKat               19  25.2%
5.0            Lollipop             21  11.3%
5.1            Lollipop             22  22.8%
6.0            Marshmallow          23  24.0%
7.0            Nougat               24   0.3%
Each version has a different exploit count, but about 75% of worldwide devices are at risk.
According to Google data: https://developer.android.com/about/dashboards/index.html
All devices are at risk
17
“Dirty Cow” exploit (CVE-2016-5195)
Discovered by Phil Oester
Race condition in the Linux kernel
Existed since 2007 and was fixed on Oct 18, 2016
Works on almost all Android devices
All devices are at risk
18
“Drammer”: DRAM Rowhammer attack
Hardware-based attack
Doesn't depend on the Android version
Cannot be fixed by a software update
PoC and detailed research are publicly available
All devices are at risk
19
“QuadRooter”
Discovered by Check Point
Uses 4 different vulnerabilities in the drivers
Affects popular devices with Qualcomm chipsets
Over 900 million devices are at risk
All devices are at risk
20
Want more? See the December 2016 Android Security Bulletin.
And this is just the tip of the iceberg…
Demo
Different attack possibilities
Overlapping technique
Overlapping technique
25
The phone was infected.
The car app launch attempt is intercepted.
The entered login and password are simply gone.
Overlapping technique
26
A common technique for Android banking Trojans.
The Faketoken Trojan uses this technique to attack 2,000 financial apps.
9 connected car apps were tested: none of them checks whether it is really in the foreground.
This check can be done easily with just the Android API: check the top activity.
Repackaging technique
Repackaging technique
28
Almost every Android app can be decompiled.
Some code changes can be performed.
The app can be compiled back.
The app can be signed with another certificate.
Profit: the app is ready for delivery to the victim.
Repackaging technique
29
In the case of the connected car app, the login activity can be patched.
We modified the app code so that the login and password are simply shown as a toast.
The patched app ran successfully.
[top tier auto manufacturer] app
Repackaging technique
30
A common technique for Android adware and “rooting” Trojans:
Trojan-Downloader.AndroidOS.Leech: modified YouTube downloader
Trojan-Spy.AndroidOS.Instealy.a: modified Instagram client
Attacks conclusion
Developers fail
32
We listed three attack techniques:
Internal data leakage
Overlapping of the app
Repackaging of the app
We tested 9 connected car apps and none of them was protected.
Fortunately, we haven't seen these attacks applied to connected car applications in the wild (ITW).
Mitigations
Connected car app = Banking app
34
An app that controls something as expensive as a car must not be less protected than a banking app:
Root detection
Foreground app control
Self-integrity checks
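The three mitigations above, and the foreground check the overlapping-technique slide says is easy with plain Android API, as one added example in Android Java; this is illustrative code written for this page, not code from the talk or from any car manufacturer's app. CarAppHardening, its method names and the EXPECTED_CERT_SHA256 placeholder are assumptions; the Android APIs used (ActivityManager, PackageManager.GET_SIGNATURES, Build.TAGS) are real.

```java
import android.app.ActivityManager;
import android.app.ActivityManager.RunningAppProcessInfo;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;
// Illustrative hardening helpers, not code from the talk or from any vendor app.
// EXPECTED_CERT_SHA256 is a placeholder for the release signing cert's SHA-256 (hex, no colons).
public final class CarAppHardening {
    static final String EXPECTED_CERT_SHA256 = "<release-signing-cert-sha256-placeholder>";
    // 1. Root detection. Heuristic only: a rooted device can hide all of this, so
    // a hit is a reason not to cache credentials, and a miss is no guarantee.
    public static boolean looksRooted() {
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) if (new File(p).exists()) return true;
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }
    // 2. Foreground app control: is our own process the one the user sees? A Trojan
    // that launches its fake login activity on top of ours takes the foreground, so
    // a login form shown while this is false should not accept input.
    public static boolean isOwnProcessForeground(Context ctx) {
        ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        if (am == null || am.getRunningAppProcesses() == null) return false;
        for (RunningAppProcessInfo p : am.getRunningAppProcesses()) {
            if (p.processName.equals(ctx.getPackageName())
                    && p.importance == RunningAppProcessInfo.IMPORTANCE_FOREGROUND) return true;
        }
        return false;
    }
    // 3. Self-integrity check: a repackaged APK is signed with another certificate, so
    // compare the installed signer's SHA-256 with the pinned release value.
    // GET_SIGNATURES is the pre-API-28 flag; newer targets use GET_SIGNING_CERTIFICATES.
    public static boolean signerMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                StringBuilder hex = new StringBuilder();
                for (byte b : md.digest(sig.toByteArray())) hex.append(String.format("%02x", b));
                if (hex.toString().equals(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) { /* NameNotFoundException etc.: treat as a mismatch */ }
        return false;
    }
}
```

A window-type overlay drawn over a still-resumed activity does not change process importance, so the login Activity should additionally watch onWindowFocusChanged(false) and call setFilterTouchesWhenObscured(true) on its input views.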
Collaboration
35
Security researchers
App developers
Car manufacturers
Victor Chebyshev (Victor.Chebyshev@kaspersky.com), Mikhail Kuzin (Mikhail.Kuzin@kaspersky.com)
Thank you! Questions?
Security experts @Kaspersky Lab
