Abstract: Automotive companion apps are mobile apps designed to connect remotely to cars and provide features such as diagnostics, logging, navigation, and safety alerts. In particular, onboard diagnostics (OBD)-based mobile applications communicate directly with the in-vehicle network through an OBD dongle. This can lead to several security issues; for instance, onboard vehicle information can be tracked or altered through a malicious or vulnerable app. We conduct a comprehensive measurement study, including static, runtime, and network traffic analysis, of OBD companion apps. Our analysis covers 125 Android applications available on the Google Play Store. We identify a set of vulnerabilities and validate them against real-world vehicles. We show that 70% of the apps have vulnerabilities that can lead to private information leakage, property theft, and direct safety risks while driving. For instance, 18 apps connect to open OBD dongles without requiring any authentication, accept arbitrary CAN commands as input from the (potentially malicious) user, and deliver those commands to the CAN bus without any validation. We discuss possible countermeasures and have made responsible disclosures to the app developers.
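The last finding above, apps that forward user-supplied commands to the dongle unvalidated, is easy to contrast with a minimal allowlist check. The following is an added example written for this page, not code from the paper or from any of the studied apps. It assumes an ELM327-style ASCII dongle interface (hex service/PID requests and `AT` configuration commands), which is common but is an assumption here; the specific allowlists are illustrative choices, not the countermeasure the paper proposes.

```python
"""Allowlisting OBD requests before they reach the dongle (added example).

Assumes an ELM327-style interface: the app writes ASCII lines such as
"010C" (service 0x01, PID 0x0C = engine RPM) or "ATSH 7E0" (set CAN header),
terminated by a carriage return, and the dongle puts the resulting frame
on the CAN bus. The allowlists below are an assumption for illustration.
"""
import re

# UDS/J1979 services that only read data. Anything else (0x2F I/O control,
# 0x27 security access, 0x3E tester present, manufacturer-specific services)
# is rejected, because it can change vehicle state.
READ_ONLY_SERVICES = {0x01, 0x03, 0x07, 0x09}

# AT commands that do not change where frames go or what the dongle accepts.
# Header changes (ATSH), raw-CAN/long-message modes (ATAL, ATCAF0) and similar
# are deliberately absent.
SAFE_AT_COMMANDS = {"ATZ", "ATE0", "ATL0", "ATSP0", "ATDP", "ATI"}

# A service byte optionally followed by a single PID byte, nothing else.
_HEX_REQUEST = re.compile(r"^[0-9A-F]{2}([0-9A-F]{2})?$")


class RejectedCommand(ValueError):
    """Raised when a request must not be forwarded to the bus."""


def forward_unvalidated(user_input: str) -> str:
    """The vulnerable pattern: whatever the user typed goes to the dongle."""
    return user_input.strip().upper() + "\r"


def validate_request(user_input: str) -> str:
    """Hardened variant: return the line to send, or raise RejectedCommand."""
    cmd = user_input.strip().upper().replace(" ", "")
    if not cmd:
        raise RejectedCommand("empty command")
    if cmd.startswith("AT"):
        if cmd in SAFE_AT_COMMANDS:
            return cmd + "\r"
        raise RejectedCommand(f"AT command not allowed: {cmd}")
    if not _HEX_REQUEST.match(cmd):
        # Covers raw frames like "7E0 02 01 0C" and multi-byte payloads.
        raise RejectedCommand(f"not a service/PID request: {cmd}")
    service = int(cmd[:2], 16)
    if service not in READ_ONLY_SERVICES:
        raise RejectedCommand(f"service 0x{service:02X} is not read-only")
    if service in (0x01, 0x09) and len(cmd) != 4:
        raise RejectedCommand("service 0x01/0x09 requires exactly one PID byte")
    if service in (0x03, 0x07) and len(cmd) != 2:
        raise RejectedCommand("service 0x03/0x07 takes no PID")
    return cmd + "\r"


def is_allowed(user_input: str) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        validate_request(user_input)
        return True
    except RejectedCommand:
        return False


def decode_rpm(response: str) -> float:
    """Decode a service 0x01 / PID 0x0C reply ("41 0C A B") into RPM."""
    data = bytes.fromhex(response.replace(" ", ""))
    if len(data) != 4 or data[0] != 0x41 or data[1] != 0x0C:
        raise ValueError("not an RPM response")
    return (data[2] * 256 + data[3]) / 4


if __name__ == "__main__":
    # Constructed sample inputs: what a benign and a malicious user might type.
    samples = ["010C", "03", "at z", "ATSH 7E0", "2F0101", "7E0 02 01 0C", "01"]
    for s in samples:
        print(f"{s!r:16} unvalidated -> {forward_unvalidated(s)!r:16} "
              f"allowlisted -> {is_allowed(s)}")
    # Constructed dongle reply for PID 0x0C.
    print("RPM:", decode_rpm("41 0C 1A F8"))
```

The point of the contrast is that the vulnerable path accepts `ATSH 7E0` followed by an arbitrary payload, which lets a user address any ECU directly, while the allowlist confines the app to the read-only diagnostic requests its features actually need.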