TY - GEN
T1 - Companion Apps or Backdoors? On the Security of Automotive Companion Apps
AU - Mallojula, Prashanthi
AU - Li, Fengjun
AU - Du, Xiaojiang
AU - Luo, Bo
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
PY - 2024
Y1 - 2024
AB - Automotive companion apps are mobile apps designed to remotely connect with cars to provide features such as diagnostics, logging, navigation, and safety alerts. Specifically, onboard diagnostics (OBD)-based mobile applications communicate directly with the in-vehicle network through the OBD device. This can lead to several security issues; for instance, onboard vehicle information can be tracked or altered through a malicious or vulnerable app. We conduct a comprehensive measurement study, including static, runtime, and network traffic analysis, of OBD companion apps. Our analysis has been applied to 125 Android mobile applications available on the Google Play Store. We identify a set of vulnerabilities and further validate them with real-world vehicles. We show that 70% of the apps have vulnerabilities that can lead to private information leakage, property theft, and direct risk while driving. For instance, 18 apps could connect to open OBD dongles without requiring any authentication, accept arbitrary CAN commands as input from the (potentially malicious) user, and deliver the commands to the CAN bus without any validation. We discuss possible countermeasures and also make responsible disclosures to app developers.
KW - Automotive companion apps
KW - Privacy
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85204617573&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85204617573&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-70896-1_2
DO - 10.1007/978-3-031-70896-1_2
M3 - Conference contribution
AN - SCOPUS:85204617573
SN - 9783031708954
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 24
EP - 44
BT - Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
A2 - Garcia-Alfaro, Joaquin
A2 - Kozik, Rafał
A2 - Choraś, Michał
A2 - Katsikas, Sokratis
T2 - 29th European Symposium on Research in Computer Security, ESORICS 2024
Y2 - 16 September 2024 through 20 September 2024
ER -