Connected car apps could give hackers access to your vehicle

As cars have become more intelligent, more users are turning to third-party connected car apps to access a wider range of functions compared to first-party offerings. But new research warns they can put your privacy and the security of your vehicle at risk.

To compile their new report on automotive mobile apps, researchers at the cybersecurity firm Kaspersky analyzed 69 popular third-party apps designed to control connected cars and found that more than half (58%) of these applications use a vehicle owner’s credentials without first asking for their consent. Even worse, 14 percent of the apps tested had no contact information, which makes reporting a problem near impossible.

These third-party connected car apps cover almost all major vehicle brands, including Tesla, Nissan, Ford and Volkswagen. But Kaspersky’s researchers claim that they are often not entirely safe to use. Among the key privacy risks drivers might face while using these apps, over half of the apps don’t warn users about the risks of using the owner’s account from the original automaker’s service.

You may be wondering why some connected vehicle owners turn to third-party apps instead of first-party ones to control their cars. The reason is that third-party apps offer unique features that the vehicle manufacturer has not yet introduced, like being able to see fuel/energy consumption charges depending on the route they take, or allowing a user to manage several different car brands from within one app.

Using authorization tokens instead of a username and password

Some developers of third-party connected car apps use an authorization token instead of a username and password in an attempt to appear more credible. However, if a token is compromised, an attacker could gain access to your connected car just as they could with your credentials.

According to Kaspersky, using authorization tokens doesn’t ensure total safety. Despite this, only 19 percent of developers mention that they use tokens instead of credentials and warn their users about the potential dangers.

Head of transportation security at Kaspersky, Sergey Zorin, provided further insight on the firm’s new report in a press release while warning users that using third-party connected car apps could put their private information at risk, saying:

“The benefits of a connected world are countless. However, it is important to note that this is still a developing industry, which carries certain risks. When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology. 

Unfortunately, not all developers take a responsible approach when it comes to data storage and collection, which results in users exposing their personal information. This data may further be sold on the dark web and end up in untrustful hands. Moreover, cybercriminals might not only steal your data and personal credentials but also gain access to your vehicle – and that might lead to physical threats. For these reasons, we urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves.”

How to safely use third-party connected car apps

If you do want to use a third-party app with your connected car, Kaspersky has several recommendations to help you stay safe while doing so.

First off, you should only download apps from official stores like the Apple App Store or Google Play Store. While there could be dangerous apps on either store, at least they are checked by Apple and Google and there is an approval system in place.

Next up, you should check the permissions of the apps you use and think carefully before granting them high-risk permissions like Accessibility Services. The less data an app can collect on you, the better, as it could be exposed online accidentally or disclosed following a data breach.

To keep your device secure, you should consider installing a mobile antivirus and keeping both your operating system and apps regularly updated.

When in doubt though, it’s always better to rely on first-party connected car apps from your vehicle’s manufacturer as opposed to trying to use third-party ones to add new features. If you want a feature added to a first-party app, you can always reach out to your vehicle maker or the app’s developer instead, though this may take some time.

Anthony Spadafora
Senior Editor Security and Networking
