Although they may offer features that the official vehicle manufacturer’s app does not provide, these apps harbor unmanageable risks and accountabilities.
In examining 69 third-party mobile applications for automotive control—such as those used to control locking/unlocking of vehicle doors, climate control, and starting and stopping the engine—one cybersecurity firm has found that such applications may not protect data privacy and were not entirely safe to use.
Some 58% of the applications did not warn about the risks of using the owner’s account from the original automaker’s service. Moreover:
- 14% (every seventh application) did not have information on how to contact the developer or give feedback, making it impossible to report a problem or request more information on the app’s privacy policy.
- Only 19% of the apps’ developers reminded users clearly of the risk of using the authorization token instead of a username and password. Should a token be compromised, hackers can get access to the cars the same way they would by using victims’ credentials. Users of such third-party automotive control apps should be made aware that they use them at their own risk.
- Finally, 46 of the 69 applications tested were either free or operable in a ‘demo’ mode from official app stores, which means any bugs or security lapses can lead to total strangers having control over other people’s vehicles.
According to Sergey Zorin, Head of Transportation Security, Kaspersky, which conducted the testing: “We entrust a lot of private information and personal data to connected technology. Unfortunately, not all developers take a responsible approach when it comes to data storage and collection, which results in users exposing their personal information. This data may further be sold on the Dark Web and end up in un-trustable hands. We urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves.”
Vehicle owners should have more luck with apps designed by the original manufacturers, which are legally obligated to ensure duty of care in terms of data privacy and overall safety.