Car app vulnerability: How your car has been monitoring you for years


By Trang Nguyen, 03/17/2022

The political magazine Kontrovers reveals that vehicle owners can be spied on thanks to apps


Cars can be connected and controlled with an app on the cell phone. The large amount of data collected by the app can quickly fall into the wrong hands and be misused. Experts warn of the security gap in cars.

Many car manufacturers now offer apps for their vehicles that can be used to control various functions via cell phone. For example, they can unlock the car or regulate the air conditioning from a distance. Especially with electric cars, the connection to an app is commonplace, because the app allows users to plan driving routes, display charging stations and the current vehicle range.

Users have to set up a connection between their mobile phone and car by authenticating themselves with a PIN, the chassis number and a few clicks. If the vehicle is then connected to the mobile phone, the data from the app and its functions are still available even if the car changes hands.

Reporters from Bayerischer Rundfunk investigated this gap in the security system of the vehicle apps as part of the political magazine “Kontrovers” after a user drew their attention to it.

Data from the app is still accessible when the car changes hands

Sven Prang contacted Bayerischer Rundfunk after learning about the data security gap through the app on his cell phone. He leased an Audi A3 e-tron as a company car in 2017 and also used the associated “myAudi” app during this time.

In 2019, he returned the car to an Audi center, but was amazed to find that he still had access to his former vehicle and thus also to the usage data of the new owner. According to his statements, he logged out of the app at the time.

With the help of the vehicle app, he was able to create a movement profile for the new owner: where and how long he regularly drives, what he does in his free time and where he recently went on vacation. The fact that it is so easy to be spied on should come as a shock to many motorists. This is also how the new owner of the Audi reacted when he spoke to the BR reporters, who found him thanks to the data on Sven Prang’s cell phone: “It’s unbelievable,” he says of the situation. He had not been aware that the previous owner of his vehicle has access to all his data.

IT experts are already aware of the problem

Bayerischer Rundfunk also speaks to Sven Hansen, an editor of the computer magazine c’t from the Heise Medienverlag. He confirms that he is already aware of the problem with the apps and the security gap. Hansen tells reporters that he often tests vehicles and their associated apps for the magazine. He, too, is surprised that “the functionalities that were available through the vehicle apps when we tested them can still be used by us, even if completely different people are already driving the cars”. In his experience, it makes no difference which provider the vehicle is from or what price range it is in; the problem is “across the board”.

In an experiment, the reporters, with the help of Sven Hansen, track down a Mazda that he had tested. The IT expert unlocks the vehicle from a distance of 200 kilometers using the app. A fact that the new vehicle owner will most certainly not like.

Log-out is actually mandatory

According to the data protection regulations and the terms and conditions, former owners of the vehicles are obliged to log out of the apps and thus disconnect from the car. However, according to the German automobile club ADAC, this log-out does not always work, and not all services and data streams are interrupted.

The ADAC sees the responsibility as lying with the app manufacturers, because the apps are offered without a prior IT security check. For this reason, the ADAC is demanding stricter password guidelines from the manufacturers in order to solve the problem of data leaks.

Manufacturers put the responsibility back on the vehicle owners

Many car manufacturers advertise their so-called connect functions and vehicle owners like to use these functions thanks to their convenience and user-friendliness. If these are still accessible after a change of ownership of the vehicle, the manufacturers see the previous owners as responsible.

“The manufacturer may not delete data without the consent of the customer (…). The vehicle owner has unrestricted sovereignty over his own data and of course the option to delete data again,” says a statement from the Association of the Automotive Industry at the request of the magazine “Kontrovers”.

So how to avoid this vulnerability?

The automobile manufacturers see the vehicle owners as having an obligation. As a new vehicle owner, you can only trust that the previous owner has logged out of the app and the connection to the car, including all data transmissions, has been disconnected.

IT expert Sven Hansen sees a very simple solution: He says that the app should routinely ask for the data again. Users would then have to confirm the connection between the app and the vehicle at regular intervals, so that old users would automatically drop out of the system. In his opinion, “at least 80 percent of these cases” would be eliminated.
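Hansen's proposal, sketched from the backend's point of view as an added example (it is not code from the article or from any manufacturer): a pairing is a lease that lapses unless it is re-confirmed, so a former owner drops out once the interval passes. The class and function names, the 30-day interval, the sample VIN and the assumption that re-confirmation requires a one-time code shown on the car's display are all hypothetical.

```python
import hmac
import secrets

CONFIRM_INTERVAL = 30 * 24 * 3600  # assumed re-confirmation period, in seconds


class PairingRegistry:
    """Hypothetical backend record of which app accounts may reach which car."""

    def __init__(self, interval=CONFIRM_INTERVAL):
        self.interval = interval
        self._confirmed = {}   # (vin, account) -> time of last confirmation
        self._challenge = {}   # vin -> one-time code shown on the car's display

    def new_challenge(self, vin):
        """Issue a fresh code; only someone sitting in the car can read it."""
        code = secrets.token_hex(4)
        self._challenge[vin] = code
        return code

    def confirm(self, vin, account, code, now):
        """Create or renew a pairing if the in-car code matches."""
        expected = self._challenge.pop(vin, None)  # single use
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self._confirmed[(vin, account)] = now
        return True

    def is_authorized(self, vin, account, now):
        """Gate for every remote command and every data request."""
        last = self._confirmed.get((vin, account))
        if last is not None and now - last <= self.interval:
            return True
        self._confirmed.pop((vin, account), None)  # lapsed or unknown: drop it
        return False


def simulate_handover():
    """Constructed timeline: previous owner pairs, car is sold, new owner pairs."""
    day = 24 * 3600
    reg = PairingRegistry()
    vin = "VIN-PLACEHOLDER-0001"  # constructed sample value
    reg.confirm(vin, "previous-owner", reg.new_challenge(vin), now=0)
    reg.confirm(vin, "new-owner", reg.new_challenge(vin), now=20 * day)
    # The previous owner no longer sits in the car, so a renewal attempt fails.
    renewed = reg.confirm(vin, "previous-owner", "00000000", now=25 * day)
    return {
        "old_before_expiry": reg.is_authorized(vin, "previous-owner", 25 * day),
        "old_after_expiry": reg.is_authorized(vin, "previous-owner", 31 * day),
        "new_owner": reg.is_authorized(vin, "new-owner", 31 * day),
        "old_renewed": renewed,
    }
```

In this timeline the previous owner still has access on day 25 and loses it on day 31, which shows the remaining exposure window: a lease only bounds stale access to one interval, so a shorter interval or an explicit revocation at hand-over narrows it further.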
