
Vulnerabilities / Threats

2/22/2021
10:00 AM

What Can Your Connected Car Reveal About You?

App developers must take responsibility for the security of users' data.

The smartphone has become the central command center for many people's lives. A 2020 study found that the average user has 67 apps on their phone — but most people never stop to think about what data those apps contain or how well protected it is. Well, I probe for security holes for a living, so I decided to find out whether the mobile app for my car was encrypting the data it contains, and what information attackers might have access to if they could get into my phone.


Many apps contain sensitive or personal information that you want to protect from unauthorized access. Some are obvious, such as banking and financial apps or health and medical apps, but many others store information that may seem innocuous yet still gives an attacker useful clues. The important thing is that the apps you trust with this information take the appropriate steps to encrypt it and protect it from compromise.

BMW ConnectedDrive
I decided to explore the security of my car's mobile app and find out if the app encrypts that data or not. My vehicle is a BMW, and I use the BMW ConnectedDrive app. The latest version of the app available in the Apple Store in May 2020, when I conducted my research, was BMW Connected for iOS version 10.6.2.1807, which I installed on an iPhone 8 Plus running iOS 13.3.1 and an iPhone XS Max with iOS 13.4.1.

The app includes a variety of features. It can lock or unlock the vehicle remotely, perform location tracking on the vehicle, enable the headlights or horn, adjust or activate climate control features, track destinations through the navigation system, provide the status of whether doors and windows are open or closed, and report the current fuel level.

Many of those things may not have much value or pose much of a security risk, but you don't want an unauthorized user to know the destinations you visit most often or be able to use location tracking to find out where the vehicle is at any given moment.

Exposing Sensitive Data
Using a few basic tools, I was able to uncover unencrypted data in the BMW app relatively easily. As vehicles were added and authenticated with the app, I noticed that their data was stored Base64-encoded — but unencrypted — in .plist files.

Using the plistutil software on an Ubuntu Linux 19.10 machine, I was able to access the data with other command-line tools and strip out empty lines and spaces to make it easier to decipher the information it revealed. I could identify the addresses of favorite locations as well as recent navigation directions sent to the vehicle. I could also see the vehicle's mileage and remaining fuel, the VIN and model of the vehicle, and even a photo of the vehicle model and color.
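The check described above, written up as an added example that is not code from the article, BMW or IOActive: it walks a .plist, strictly decodes any Base64-looking string, and tells encoding apart from encryption by looking at whether the decoded bytes are readable, low-entropy text. The sample plist, its keys and the `VIN-PLACEHOLDER` value are constructed for the example; `classify`, `try_b64`, `shannon_entropy` and `audit_plist` are hypothetical names.

```python
# Added example (not code from the article, BMW or IOActive): audit an iOS
# app's .plist cache for values that are merely Base64-wrapped plaintext,
# as opposed to genuinely encrypted blobs. Sample data below is constructed.
import base64, binascii, math, plistlib
from typing import Dict, Optional

# Constructed cache: a Base64-wrapped JSON favourite (the pattern the article
# found), an opaque high-entropy blob standing in for ciphertext, plain strings.
SAMPLE_PLIST = plistlib.dumps({
    "favorites": base64.b64encode(b'{"name":"Home","address":"1 Example St"}').decode(),
    "vehicle": {"vin": "VIN-PLACEHOLDER", "meta": base64.b64encode(bytes(range(256))).decode()},
    "appVersion": "10.6.2.1807"})

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; readable text sits well below ciphertext's ~8.0.
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def try_b64(value: str) -> Optional[bytes]:
    # Strict decode only; strings under 16 chars are too ambiguous to judge.
    if len(value) < 16 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(value) -> str:
    """Return 'not-base64', 'plaintext' or 'opaque' for one plist leaf."""
    raw = try_b64(value) if isinstance(value, str) else None
    if raw is None:
        return "not-base64"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    # Mostly printable, low-entropy bytes mean encoding, not encryption.
    return "plaintext" if printable > 0.9 and shannon_entropy(raw) < 6.0 else "opaque"

def audit_plist(blob: bytes) -> Dict[str, str]:
    """Map every dotted key path in the plist to its classification."""
    findings = {}
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        else:
            findings[path] = classify(node)
    walk(plistlib.loads(blob), "")
    return findings
```

Run against a real app cache by passing the file's bytes to `audit_plist`; every `plaintext` verdict is a value the app is storing encoded rather than encrypted.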

These things may not seem that crucial. It's not like an attacker can use the data in this app to run your car off the road or do anything directly nefarious. However, the information revealed by the unencrypted data in the BMW ConnectedDrive app could be used to stalk or track someone — to know exactly where they have gone and the places they're most likely to be — and identify the exact vehicle when they find it.

Protecting Your Data
It's worth noting that an attacker would need physical access to your device or, perhaps, to a computer that your smartphone has been authenticated to and trusted. Once the phone has been connected and authenticated, an attacker with access to that computer can potentially extract data from the phone's apps.

It's important for app developers to take responsibility for the data they ask users to trust their apps with. That starts with not relying on the security controls of the operating system itself, and instead encrypting the data the app stores natively, separately from whatever protection the operating system might provide.

As an end user, there is only so much you can do to protect your data. You can do some homework and try to select only apps that don't leave data unencrypted, but you don't always get a choice. For added protection, you should not connect your smartphone to a shared workstation that others might have access to and should authenticate your mobile device only to trusted computers. Also, make sure you choose complex passwords and PINs to make unauthorized access as challenging as possible.

Responsible Disclosure
For the record, my company is committed to acting responsibly when it comes to vulnerability disclosure, so we shared this information with the BMW Group. We notified BMW of vulnerabilities we identified in May 2020 and worked with the company throughout the year to address the issues.

The BMW Group issued this statement:

"Thanks to the notification of Alejandro Hernandez at IOActive via our responsible disclosure channel, we were able to change the way the app's data cache is handled. Our app development team added an encryption step that makes use of the secure enclave of Apple devices, at which we generate a key that is used for storing the favorites and vehicle meta data that Alejandro was able to extract. We appreciate Alejandro for sharing his research with us and would like to thank him for reaching out to us."

Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in Fortune 500 companies around the world. As a security researcher, he has presented his work in different conferences including Black Hat USA, DEF CON, AppSec USA, ...