Tesla Cars Hacked through Mobile App

‘Tis the season for giving, but Tesla may be offering more than what was originally planned.

If you’re a hacker, and you want a new Tesla car for the holidays, all you have to do is access the company’s smartphone app.

New research shows that Tesla cars can be stolen by hacking the company’s smartphone app.

Tesla Cars Vulnerable
According to SCMagazineUK, Norwegian app security firm Promon has demonstrated through research that cyber-criminals could take control of Tesla vehicles, to the point where they can locate, unlock and drive the car away unhindered. Such a hack, made possible by exploiting a lack of security in the company’s smartphone app, gives criminals total control of the vehicle, going beyond the functionality exposed by Keen Security Labs in a different hack in late September.

This is all done by attacking and taking control of the Tesla app. It underlines the vital importance of app security, and the wider implications this could have for IoT-connected devices in general. (IoT refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.) Most people understand the importance of website security – and of only visiting sites that are constantly checked for vulnerabilities – but few consider the potential issues with mobile security.

Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs’ recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

One way for the hack to work is for cyber-criminals to set up a Wi-Fi hotspot close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal. When clicking this link and downloading the accompanying app, hackers can gain access to the user’s mobile device, which enables them to attack the Tesla app.

According to Hansen, the ease with which any tech-savvy criminal can steal a Tesla car in this way is indicative of a need for a much greater focus on in-app security across all IoT-connected devices and applications. “Mobile-focused criminals are more skilled than ever before and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.

“One way to achieve this is by introducing self-defending app software that protects the app from the inside out, greatly reducing the possibility of a cyber-attack. By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment card industry. Physical tokens are replaced by ‘mobile tokens’. We strongly believe that Tesla and the car industry need to provide a comparable level of security, which is certainly not the case today.”

Hansen concluded: “Tesla is a shining example of how technological advances are providing unprecedented levels of innovation and user convenience. However, our increasingly app-focused world needs to be urgently secured, to prevent criminals from seizing their opportunity on a large scale.”


Special thanks to SCMagazineUK.com for providing much of the content for this article.

Hackers Can Access Millions of Smart Phones!

Using a malicious app, hackers could exploit Android-specific security vulnerabilities in Qualcomm chipsets.

Since 1993, DEF CON has been holding its annual hacker convention in Las Vegas. It is one of the largest such conventions in the world, and security companies like Trust Guard use it to share information about the security (and lack thereof) of online and mobile devices and apps. As one of the oldest such organizations, Trust Guard is privy to much of the available information concerning security breaches – be they online or, more recently, mobile.

2016 was no different. This year computer security firm Check Point and its mobile threat research team revealed details of what it says are a set of “four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets.” They call the set of vulnerabilities QuadRooter.


QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. The drivers, which control communication between chipset components, become incorporated into the Android “builds” that manufacturers develop for their devices. Check Point says that since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Some of the latest and most popular Android devices found on the market today use these Qualcomm chipsets, including:

BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra

If you are using one of the above devices, we suggest you go to your phone distributor or carrier to get the patch to fix the security hole as soon as possible. If you have a website, we recommend using Trust Guard’s security scanning software to protect your site from online cyber security threats.

This type of extensive security problem shows how vulnerable our mobile devices are to security threats from hackers. These four vulnerabilities, of course, aren’t the only ones. And Qualcomm isn’t the only maker of chipsets with bugs in them. For all app users, on Android, Apple’s iOS, or other platforms, all it takes is downloading the wrong app and, often without even realizing it, our personally identifiable information will have been compromised.

Special thanks to Sky Valley Chronicle for much of the information about the vulnerabilities found.


Mobile App Developers Need Privacy Policies Too

For most app developers, privacy policies are usually an afterthought in the mobile app development process.


They usually end up creating it after the app’s design and development are done. This legal safeguarding may seem like a last-minute addition that doesn’t merit much thought, but it may be the most important component of your entire business. Privacy Policies are not all alike, and there are numerous ways that a missing clause or a mismatch between your legal documents and your app itself can cause catastrophic problems. Quite a few ubiquitous and successful mobile apps have run into massive legal headaches and astronomical fines due to flaws in their privacy policy and a failure to integrate and unify their legal protection with the “private parts” of their app architecture.

In 2013, social app Path was fined nearly 1 million dollars by the FTC (Federal Trade Commission) for privacy violations. The $800,000 penalty stemmed from two lethal mistakes made by the app:

  1. Storing third-party names and numbers from their users’ address books without proper disclosure;
  2. Failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children.

This means that if you extract phone contacts from your users, not only must you notify them, you must also explain within the app’s privacy policy how and why the information is used. If you collect users’ birth dates, you can likely figure out whether children are using your app and do something about it. You essentially have two legal avenues: comply with COPPA or make sure users represent that they’re over 13 years old.

But there’s more. The FTC published a long document with recommendations for app developers, and even platform-specific advice for big platforms like Android and iOS. The FTC wants app developers to use a (relatively) new approach called Privacy by Design: companies should build in privacy at every stage of developing their products. This means a number of things:

  • Before building an app or a feature, think of the privacy implications;
  • If you collect information, protect it. Follow the security recommendations of the FTC (with special attention to the third-party software you used) and be careful not to over-promise or make generic reassuring statements;
  • Keep your policy updated! Every time you roll out a new update to the app store, stop for a second and think about whether you added something that has an impact on your privacy statements. Added a new analytics script? It should go in there. Added “find friends via Facebook”? Go and edit your privacy policy.

There are known best practices—some of them coming from the California Attorney General—to give you some legal protection and prevent problems, privacy breaches, and lawsuits. But this is what the FTC actually says that developers should do.

You must have a privacy policy and it must be accessible from the app store.

The simplest way to accomplish this is to link the policy when you submit the app. But this means the privacy policy should live on your website. And although what I have to say now is another article altogether, you must keep the site that’s hosting your privacy policy free from hackers. PCI Compliant Vulnerability Scanning can help you with that. You could also provide the full text of the policy within the app, or a short statement describing the app’s privacy practices. Need a privacy policy from scratch? There are many online options, including Professional Privacy Policy.com.

You should provide “just-in-time” disclosures and obtain affirmative express consent when collecting sensitive information from outside the platform’s API. You already know that iOS pops up a notification that a certain app is requesting access to the user’s location or other private data. In this case, the disclosure and the consent are taken care of by Apple. But your app may well collect other important data, and a pop-up notification is the best way to make sure users know. The FTC names financial, health, and children’s data, but also a generic “sharing sensitive data with third parties,” as sensitive private information, so it’s best to err on the side of caution.

Know the legal implications of the code you’re using.

It’s normal for app developers to use third-party packages, but you should make sure this code is secure and fully understand exactly what information it pulls, because you’re ultimately legally responsible for it. There’s a long list of questions to ask yourself, including:

  • Does this library or SDK have known security vulnerabilities?
  • Has it been tested in real-world settings?
  • Have other developers reported problems?

While Path’s $800K fine was in connection with COPPA violations, it marks the start of broader policing of privacy practices, even against non-American developers. If you cater to the American mobile market, you can still be fined by U.S. authorities. It’s time for app developers to get a properly written, constantly curated privacy policy. The FTC is encouraging the adoption of public standards and suggests tighter integration among app developers, trade associations, ad networks, and mobile platforms, so this is definitely a topic to keep on your radar. You wouldn’t want a legal problem to cripple your app right as it’s starting to soar.

Special Thanks to Veronica Picciafuoco and her article on SitePoint.com.