
Vulnerabilities / Threats

2/22/2021, 10:00 AM

What Can Your Connected Car Reveal About You?

App developers must take responsibility for the security of users' data.

The smartphone has become the central command center for many people's lives. A 2020 study found that the average user has 67 apps on their phone — but most people never stop to think about what data those apps contain or how well protected it is. Well, I probe for security holes for a living, so I decided to find out whether the mobile app for my car was encrypting the data it contains, and what information attackers might have access to if they could get into my phone.


Many apps contain sensitive or personal information that you want to protect from unauthorized access. Some are obvious — banking and financial apps, or health and medical apps — but many apps store information that may seem innocuous yet would still provide clues an attacker can use. The important thing is that the apps you trust with this information take the appropriate steps to encrypt it and protect it from compromise.

BMW ConnectedDrive
I decided to explore the security of my car's mobile app and find out whether the app encrypts the data it stores. My vehicle is a BMW, and I use the BMW ConnectedDrive app. The latest version available in Apple's App Store in May 2020, when I conducted my research, was BMW Connected for iOS version 10.6.2.1807, which I installed on an iPhone 8 Plus running iOS 13.3.1 and an iPhone XS Max running iOS 13.4.1.

The app includes a variety of features. It can lock or unlock the vehicle remotely, perform location tracking on the vehicle, enable the headlights or horn, adjust or activate climate control features, track destinations through the navigation system, provide the status of whether doors and windows are open or closed, and report the current fuel level.

Many of those things may not have much value or pose much of a security risk, but you don't want an unauthorized user to know the destinations you visit most often or be able to use location tracking to find out where the vehicle is at any given moment.

Exposing Sensitive Data
Using a few basic tools, I was able to uncover unencrypted data in the BMW app relatively easily. As vehicles were added and authenticated with the app, I noticed that their data was stored Base64-encoded — but not encrypted — in .plist files.

Using plistutil on an Ubuntu Linux 19.10 machine, I converted the .plist files and then used other command-line tools to strip out empty lines and spaces, which made the information they revealed easier to read. I could identify the addresses of favorite locations as well as recent navigation directions sent to the vehicle. I could also see the vehicle's mileage and remaining fuel, its VIN and model, and even a photo of the vehicle model and color.
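To make the check described above repeatable, here is an added example (not code from the article, from IOActive, or from BMW) that audits an app cache the same way: it parses a .plist, Base64-decodes each value and reports every field whose content is readable without a key. It uses Python's plistlib in place of plistutil, so binary and XML plists are both handled directly. The two sample caches are constructed for the example: one mirrors the Base64-but-unencrypted pattern the article found, the other stands in for a cache whose fields were encrypted before being written (random bytes play the role of ciphertext). The "mostly printable" heuristic used to tell plaintext from ciphertext is an assumption of this example, not anything the article states.

```python
import base64
import binascii
import os
import plistlib
import sys

# --- Constructed sample caches (not files from any real app) -------------
# Fields modelled on the kinds of data the article found: vehicle identity,
# favorite locations, a recent destination and an odometer reading.
PLAINTEXT_FIELDS = {
    "vin": b"WBA0EXAMPLE000000",
    "favorites": b'[{"name": "Home", "address": "1 Example Street"}]',
    "last_destination": b"123 Example Avenue",
    "mileage_km": b"41873",
}

# Cache 1 mirrors the weak pattern: Base64-encoded but otherwise plaintext.
UNPROTECTED_PLIST = plistlib.dumps(
    {k: base64.b64encode(v).decode("ascii") for k, v in PLAINTEXT_FIELDS.items()}
)

# Cache 2 stands in for a cache encrypted before being written. Random bytes
# play the role of ciphertext (a real app would use an AEAD such as AES-GCM
# under a key held by the platform keystore); the 28 extra bytes approximate
# a nonce plus authentication tag.
PROTECTED_PLIST = plistlib.dumps(
    {k: base64.b64encode(os.urandom(len(v) + 28)).decode("ascii")
     for k, v in PLAINTEXT_FIELDS.items()}
)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def try_base64(text: str):
    """Return the decoded bytes if text is well-formed Base64, else None."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _leaves(node, path=""):
    """Yield (path, value) for every scalar in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_cache(plist_bytes: bytes, threshold: float = 0.95) -> dict:
    """Report every leaf whose content is readable without any key.

    Returns {path: recovered_text}. A leaf counts as exposed when it is a
    number/bool/date (stored in the clear by definition), a plain string, or
    a string/<data> blob that decodes to mostly printable text. Ciphertext
    fails the printable test, so a properly encrypted cache yields {}.
    """
    exposed = {}
    for path, value in _leaves(plistlib.loads(plist_bytes)):
        if isinstance(value, bytes):
            raw = value                   # <data> element, already binary
        elif isinstance(value, str):
            raw = try_base64(value)
            if raw is None:               # not Base64: the string itself is readable
                raw = value.encode("utf-8")
        elif isinstance(value, (bool, int, float)):
            exposed[path] = str(value)
            continue
        else:
            exposed[path] = repr(value)   # dates, UIDs and other scalars
            continue
        if printable_ratio(raw) >= threshold:
            exposed[path] = raw.decode("utf-8", errors="replace")
    return exposed


if __name__ == "__main__":
    # Usage: python audit_cache.py <file.plist> ...   (no args: audit the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("constructed unprotected cache", UNPROTECTED_PLIST),
        ("constructed protected cache", PROTECTED_PLIST),
    ]
    for name, blob in targets:
        findings = audit_cache(blob)
        print(f"{name}: {len(findings)} readable field(s)")
        for path, text in findings.items():
            print(f"  {path} -> {text[:60]}")
```

Run against a cache copied from a device backup you own, the script lists each recoverable field with its path, which is the artefact a developer wants when deciding what must be encrypted before it is written; on the constructed encrypted cache it reports nothing, which is the state the remediation described later in the article aims for.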

These things may not seem that crucial. It's not like an attacker can use the data in this app to run your car off the road or do anything directly nefarious. However, the information revealed by the unencrypted data in the BMW ConnectedDrive app could be used to stalk or track someone — to know exactly where they have gone and the places they're most likely to be — and identify the exact vehicle when they find it.

Protecting Your Data
It's worth noting that an attacker would need physical access to your device or, perhaps, to a computer that your smartphone has been paired with and marked as trusted. Once the phone is connected to and trusted by that computer, an attacker with access to the computer can potentially extract app data from it.

It's important for app developers to take responsibility for the data they ask users to trust their apps with. That starts with not relying solely on the operating system's own security controls, and instead encrypting the data the app stores itself, independently of whatever protection the operating system might provide.

As an end user, there is only so much you can do to protect your data. You can do some homework and try to select only apps that don't leave data unencrypted, but you don't always get a choice. For added protection, you should not connect your smartphone to a shared workstation that others might have access to and should authenticate your mobile device only to trusted computers. Also, make sure you choose complex passwords and PINs to make unauthorized access as challenging as possible.

Responsible Disclosure
For the record, my company is committed to acting responsibly when it comes to vulnerability disclosure, so we shared this information with the BMW Group. We notified BMW of vulnerabilities we identified in May 2020 and worked with the company throughout the year to address the issues.

The BMW Group issued this statement:

"Thanks to the notification of Alejandro Hernandez at IOActive via our responsible disclosure channel, we were able to change the way the app's data cache is handled. Our app development team added an encryption step that makes use of the secure enclave of Apple devices, at which we generate a key that is used for storing the favorites and vehicle meta data that Alejandro was able to extract. We appreciate Alejandro for sharing his research with us and would like to thank him for reaching out to us."

Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in Fortune 500 companies around the world. As a security researcher, he has presented his work in different conferences including Black Hat USA, DEF CON, AppSec USA, ...