Researchers Test Security of Carsharing Mobile Apps
Analysts from Kaspersky Lab have examined how well carsharing service users are protected and what risks they face if their accounts are compromised. Why would anyone want to “steal” such an account? Experts explain that there is already a supply and demand for these accounts on the black market. These accounts are of interest to people without a driver’s license or those who have been denied registration by the service’s security team.
Additionally, knowing the login details of a carsharing account allows someone to track the user’s movements, and if they spot forgotten items in the car, they can simply steal them. Ultimately, a rented car could be driven to a remote location and dismantled for parts.
How the Research Was Conducted
The researchers studied 13 unnamed mobile apps to see if developers had taken care to protect users and prevent unauthorized access. The apps were tested against four possible attack vectors:
- Intercepting data exchanged between the app and the server
- Brute-forcing automatically generated passwords
- Overlaying the app interface with a fake window
- Running on rooted devices and injecting malicious code
Only one of the tested apps was able to resist reverse engineering, being protected by DexGuard. DexGuard’s developers also claim their solution prevents the app from running on rooted devices or if the app has been modified. However, while the app was well protected against reverse engineering, it still ran on Android devices with root access and completed authorization with the server. An attacker could read the app’s secure storage, but in this case the data stored there was well encrypted.
Password Security
Half of the tested apps do not allow users to create their own login and password. Instead, the phone number and a PIN code received via SMS serve as credentials. Researchers note that allowing users to choose their own login and password is a crucial security feature. Phone numbers, often used as logins, are easy to find—many people forget to hide them on social media, and carsharing customers can be identified by hashtags and photos.
By assigning the password for the user, developers prevent the use of weak passwords like “1234,” but this also gives attackers a way to obtain the password without guessing it (by intercepting it via SS7 vulnerabilities or through a SIM card replacement).
The researchers tested how easy it would be to brute-force such a “password.” If an attacker finds a phone number on social media and tries to log in, the owner receives an SMS with a confirmation code, often a four-digit number (only 10,000 possible combinations). Ideally, these codes should be at least six characters long and include both numbers and upper/lowercase letters.
Users are given one minute to enter the code, after which they are prompted to request a new one. However, the actual code lifetime is just over two minutes. The researchers wrote a small brute-force utility, replicated part of the app-server protocol, and attempted to guess the code, but were unsuccessful. They suspect either their internet connection was too slow, or the carsharing operator set a reasonable two-minute timeout, making brute-forcing impossible even on a fast connection. They did not continue the attack but confirmed that after several rounds of 10,000 requests each, the service kept responding and allowed further attempts.
The researchers intentionally ran the brute-force attack from a single thread and IP address, giving the service a chance to detect and block the attack, contact the potential victim, or deactivate the account. None of this happened.
Another carsharing service sends users more complex passwords, but there are still issues: the codes follow a fixed pattern, with a digit at each end and four lowercase Latin letters in the middle. This results in 45 million possible combinations, whereas if the positions of the digits were random there would be 2 billion possibilities. While 45 million is a lot, the app does not have a timeout between attempts, so there is no barrier to brute-forcing.
The researchers repeated the brute-force attempt with this app, deciding that if the server allowed 1,000 attempts, it would likely allow 45 million, just taking more time. The server continued to respond after 1,000 attempts. They noted that the login and password are stored locally in encrypted form, but knowing the format, it would only take a couple of minutes to generate the password/MD5 hash pair (the password is hashed with MD5 and saved to a file on the device).
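A server-side one-time-code check with the controls this section finds missing (a lifetime of about two minutes, a cap on wrong attempts, single use, and a larger alphabet), written here as an added example; it is not code from the Kaspersky study or from any carsharing app, and the class, limits and the `keyspace` helper are assumptions.

```python
import hmac
import secrets
import time

# Assumed parameters for this example; the tested services had no attempt cap.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CODE_LENGTH = 6          # at least six mixed-case alphanumeric characters
LIFETIME_SECONDS = 120   # roughly the two-minute lifetime measured by the researchers
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code


def keyspace(alphabet_size, length):
    """Number of distinct codes, e.g. keyspace(10, 4) == 10000 for a 4-digit PIN."""
    return alphabet_size ** length


class OtpStore:
    """Issues one code per phone number and verifies it with expiry and lockout."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the behaviour can be tested offline
        self._pending = {}         # phone -> [code, issued_at, failed_attempts]

    def issue(self, phone):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[phone] = [code, self._now(), 0]
        return code

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return "no_code"
        code, issued_at, failed = entry
        if self._now() - issued_at > LIFETIME_SECONDS:
            del self._pending[phone]
            return "expired"
        if failed >= MAX_ATTEMPTS:
            # Even the right code is rejected now; a real service would also
            # notify the user and require a fresh code, which the article notes none did.
            return "locked"
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[phone]   # single use: a replayed code is refused
            return "ok"
        entry[2] = failed + 1
        return "wrong"
```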
Man-in-the-Middle (MitM) Attacks
The apps communicate with their control centers via HTTPS, and understanding the protocol can take time. To speed up the process, the analysts used a MitM attack, and another major flaw helped them: none of the tested apps checked the server’s certificate. This allowed them to capture a full session dump.
Figure: screenshot of a successful MitM attack with an HTTPS traffic dump
Protection Against Overlay Attacks
If an Android device is infected with malware, the attacker can get around any access hurdle quickly and efficiently: an “authorization” SMS can be intercepted and used to log in on another device. If the obstacle is a complex password, the attacker can overlay a fake window on top of the app’s interface to capture the login and password.
None of the tested apps could prevent such actions. Worse, if the OS version is old enough, an attacker can escalate privileges and, in some cases, extract all necessary data.
Conclusion
Experts conclude that carsharing app problems are very similar to those found in connected car management apps. “It seems developers lack an understanding of current mobile platform threats, both when designing apps and building infrastructure. It would be helpful to expand user notification features for suspicious activity—currently, only one service notifies users if someone tries to log in from another device. Most of the apps we reviewed are raw in terms of security and need improvement. Moreover, many programs are not only very similar to each other but are even based on the same code.
“Russian carsharing operators could learn from their foreign counterparts: for example, one major short-term rental provider grants access to cars via a special card, which, while less convenient, significantly increases security,” the analysts concluded.