Dark Reading, Vulnerabilities / Threats
2/22/2021 10:00 AM
What Can Your Connected Car Reveal About You?

App developers must take responsibility for the security of users' data.

The smartphone has become the central command center for many people's lives. A 2020 study found that the average user has 67 apps on their phone — but most people never stop to think about what data those apps contain or how well protected it is. Well, I probe for security holes for a living, so I decided to find out whether the mobile app for my car was encrypting the data it contains, and what information attackers might have access to if they could get into my phone.


Many apps contain sensitive or personal information that you want to protect from unauthorized access. Some are obvious: the data stored by banking and financial apps, or by health and medical apps. But many apps store information that seems innocuous yet still provides clues an attacker can use. What matters is that the apps you trust with this information take the appropriate steps to encrypt it and protect it from compromise.

BMW ConnectedDrive
I decided to explore the security of my car's mobile app and find out if the app encrypts that data or not. My vehicle is a BMW, and I use the BMW ConnectedDrive app. The latest version of the app available in the Apple Store in May 2020, when I conducted my research, was BMW Connected for iOS version 10.6.2.1807, which I installed on an iPhone 8 Plus running iOS 13.3.1 and an iPhone XS Max with iOS 13.4.1.

The app includes a variety of features. It can lock or unlock the vehicle remotely, perform location tracking on the vehicle, enable the headlights or horn, adjust or activate climate control features, track destinations through the navigation system, provide the status of whether doors and windows are open or closed, and report the current fuel level.

Many of those things may not have much value or pose much of a security risk, but you don't want an unauthorized user to know the destinations you visit most often or be able to use location tracking to find out where the vehicle is at any given moment.

Exposing Sensitive Data
Using a few basic tools, I was able to uncover unencrypted data on the BMW app relatively easily. As vehicles were added and authenticated with the app, I noticed that data was stored base-64 encoded — but unencrypted — in .plist files.

Using the plistutil software on an Ubuntu Linux 19.10 machine, I was able to access the data with other command-line tools and strip out empty lines and spaces to make it easier to decipher the information it revealed. I could identify the addresses of favorite locations as well as recent navigation directions sent to the vehicle. I could also see the vehicle's mileage and remaining fuel, the VIN and model of the vehicle, and even a photo of the vehicle model and color.
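As an added illustration (not code from the article, from BMW or from IOActive), the check below does in Swift what the plistutil session above did by hand: it builds a constructed cache .plist in the weak shape described, values Base64-encoded but not encrypted, and reports what a plist parser recovers from it with no key at all. It is the audit a developer can run against their own app's sandbox files before shipping. The function names `makeWeakCache`, `decodeIfBase64` and `auditCache` are assumptions, the VIN and addresses are constructed samples, and it needs only Foundation, so it runs on macOS or Linux.

```swift
import Foundation

// Added example, not the article's or BMW's code. Builds a constructed cache in the
// weak layout the article describes (Base64 strings, nothing encrypted) and audits it.

/// Writes a cache in the weak style: each sensitive value is Base64-encoded, none is encrypted.
func makeWeakCache() throws -> Data {
    let record: [String: Any] = [
        "vin": Data("WBA00000000000000".utf8).base64EncodedString(),   // constructed, not a real VIN
        "favorite_address": Data("1 Example Street, Exampletown".utf8).base64EncodedString(),
        "last_destination": Data("Example Airport, Terminal 2".utf8).base64EncodedString(),
        "fuel_level_pct": 62,
    ]
    return try PropertyListSerialization.data(fromPropertyList: record, format: .xml, options: 0)
}

/// Strict Base64 decode; returns the UTF-8 text if the value decodes cleanly, nil otherwise.
func decodeIfBase64(_ value: String) -> String? {
    guard let raw = Data(base64Encoded: value),
          let text = String(data: raw, encoding: .utf8) else { return nil }
    return text
}

/// Audits a plist blob: returns every key whose string value an offline reader
/// can turn back into plaintext without a key, paired with that plaintext.
func auditCache(_ plist: Data) throws -> [String: String] {
    var format = PropertyListSerialization.PropertyListFormat.xml
    let parsed = try PropertyListSerialization.propertyList(from: plist, options: [], format: &format)
    guard let dict = parsed as? [String: Any] else { return [:] }
    var recovered: [String: String] = [:]
    for (key, value) in dict {
        if let encoded = value as? String, let plain = decodeIfBase64(encoded) {
            recovered[key] = plain
        }
    }
    return recovered
}

// Every Base64 field comes back in the clear; an empty result is what a hardened cache should give.
let recovered = try auditCache(makeWeakCache())
for (key, value) in recovered.sorted(by: { $0.key < $1.key }) {
    print("\(key): \(value)")
}
```

Pointing `auditCache` at the real files under the app's sandbox (Library/Caches and Library/Preferences are the usual places for .plist caches) turns this into a release-time check: any non-empty result means a field is protected by encoding alone.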

These things may not seem that crucial. It's not like an attacker can use the data in this app to run your car off the road or do anything directly nefarious. However, the information revealed by the unencrypted data in the BMW ConnectedDrive app could be used to stalk or track someone — to know exactly where they have gone and the places they're most likely to be — and identify the exact vehicle when they find it.

Protecting Your Data
It's worth noting that an attacker would need physical access to your device or, perhaps, to a computer your smartphone has been paired with and trusts. Once the phone is connected and trusted, an attacker with access to that computer can potentially extract the apps' data through it.

It's important for app developers to take responsibility for the data they ask users to trust their apps with. That starts with not relying solely on the security controls of the operating system, and instead encrypting the data the app stores itself, independently of whatever protection the operating system provides.

As an end user, there is only so much you can do to protect your data. You can do some homework and try to select only apps that don't leave data unencrypted, but you don't always get a choice. For added protection, you should not connect your smartphone to a shared workstation that others might have access to and should authenticate your mobile device only to trusted computers. Also, make sure you choose complex passwords and PINs to make unauthorized access as challenging as possible.

Responsible Disclosure
For the record, my company is committed to acting responsibly when it comes to vulnerability disclosure, so we shared this information with the BMW Group. We notified BMW of vulnerabilities we identified in May 2020 and worked with the company throughout the year to address the issues.

The BMW Group issued this statement:

"Thanks to the notification of Alejandro Hernandez at IOActive via our responsible disclosure channel, we were able to change the way the app's data cache is handled. Our app development team added an encryption step that makes use of the secure enclave of Apple devices, at which we generate a key that is used for storing the favorites and vehicle meta data that Alejandro was able to extract. We appreciate Alejandro for sharing his research with us and would like to thank him for reaching out to us."
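For developers weighing the advice in "Protecting Your Data" against BMW's description of the fix, here is an added example (not BMW's code and not IOActive's) of the pattern that statement describes: a P-256 key whose private half is generated inside the Secure Enclave, used to seal the favorites record before it is written to the cache plist, so the file on disk holds ciphertext rather than Base64. It uses Apple's Security framework as documented; the tag `com.example.app.cache-key`, the function names and the sample favorites are assumptions, and it needs a physical device with a Secure Enclave, not the simulator.

```swift
import Foundation
import Security

// Added example, not BMW's implementation. The cache is sealed under an enclave-backed key;
// the tag, the function names and the sample record are constructed for this illustration.

let cacheKeyTag = Data("com.example.app.cache-key".utf8)   // constructed keychain tag

enum CacheCryptoError: Error {
    case accessControl, keyCreation(String), publicKey, unsupported, encrypt(String), decrypt(String)
}

/// Loads the enclave-backed key if it already exists in the keychain, otherwise generates it.
func loadOrCreateEnclaveKey() throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: cacheKeyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess, let existing = item {
        return existing as! SecKey
    }
    // Private key usable only while this device is unlocked, and never exportable from the enclave.
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .privateKeyUsage,
            &error) else { throw CacheCryptoError.accessControl }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: cacheKeyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw CacheCryptoError.keyCreation(String(describing: error?.takeRetainedValue()))
    }
    return key
}

// ECIES with AES-GCM: the only asymmetric encryption scheme Secure Enclave keys support.
let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorX963SHA256AESGCM

/// Serializes the record (for example the favorites list) and encrypts it to the key's public half.
func sealCache(_ record: [String: Any], with key: SecKey) throws -> Data {
    let plaintext = try PropertyListSerialization.data(fromPropertyList: record, format: .binary, options: 0)
    guard let publicKey = SecKeyCopyPublicKey(key) else { throw CacheCryptoError.publicKey }
    guard SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm) else { throw CacheCryptoError.unsupported }
    var error: Unmanaged<CFError>?
    guard let sealed = SecKeyCreateEncryptedData(publicKey, algorithm, plaintext as CFData, &error) else {
        throw CacheCryptoError.encrypt(String(describing: error?.takeRetainedValue()))
    }
    return sealed as Data
}

/// Decrypts a sealed record; the private-key operation runs inside the Secure Enclave.
func openCache(_ sealed: Data, with key: SecKey) throws -> [String: Any] {
    guard SecKeyIsAlgorithmSupported(key, .decrypt, algorithm) else { throw CacheCryptoError.unsupported }
    var error: Unmanaged<CFError>?
    guard let plain = SecKeyCreateDecryptedData(key, algorithm, sealed as CFData, &error) else {
        throw CacheCryptoError.decrypt(String(describing: error?.takeRetainedValue()))
    }
    let parsed = try PropertyListSerialization.propertyList(from: plain as Data, options: [], format: nil)
    return parsed as? [String: Any] ?? [:]
}

// Usage: the plist that reaches disk carries only ciphertext.
let key = try loadOrCreateEnclaveKey()
let favorites: [String: Any] = ["home": "1 Example Street, Exampletown"]   // constructed sample
let sealed = try sealCache(favorites, with: key)
let cacheURL = FileManager.default.temporaryDirectory.appendingPathComponent("favorites.plist")
try PropertyListSerialization.data(fromPropertyList: ["favorites": sealed], format: .xml, options: 0)
    .write(to: cacheURL)
let restored = try openCache(sealed, with: key)
print(restored["home"] as? String ?? "<unreadable>")
```

Two properties matter here. First, the plist-and-Base64 inspection described earlier in the article yields nothing from `favorites.plist`, because the stored value is ECIES ciphertext, not an encoding. Second, the private key never leaves the Secure Enclave, so a copy of the app's files taken through a trusted computer does not carry the key with it; the data is only readable on the device that wrote it, while it is unlocked.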

Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in Fortune 500 companies around the world. As a security researcher, he has presented his work in different conferences including Black Hat USA, DEF CON, AppSec USA, ...