Car sharing app security not ready to withstand malware attacks

Published on: 14 Aug 2018

Car sharing apps are rife with substandard security measures that allow criminals to steal vehicles and access personal data.

That’s according to research from Kaspersky Lab, which examined the security of 13 car sharing apps from the US, Europe and Russia.

Every application included in the study contained a number of security issues that could see criminals take control of shared vehicles, either by stealth or under the guise of another user.

Once access is gained through the app, a criminal can do virtually anything, from stealing the vehicle to causing damage or using it for malicious purposes.

Kaspersky Lab’s researchers found that in many cases, there was no defence against man-in-the-middle attacks. This means that while a user believes they are connected to a legitimate website, the traffic is actually being redirected through the attacker’s site, giving criminals the chance to gather any personal data entered by the victim, such as a login, password or PIN.

Similarly, there was no defence against application reverse engineering, allowing hackers to find and exploit vulnerabilities to obtain access to server-side infrastructure.

Additionally, the study revealed a lack of protection against app overlaying techniques, helping malicious apps to show phishing windows and steal users’ credentials.

Victor Chebyshev, security expert at Kaspersky Lab, said that car sharing apps are currently not ready to withstand malware attacks.

“While we have not yet detected any cases of sophisticated attacks against car sharing services, cyber criminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities,” he commented.