The smartphone has become the central command center for many people’s lives. A 2020 study found that the average user has 67 apps on their phone — but most people never stop to think about what data those apps contain or how well protected it is. Well, I probe for security holes for a living, so I decided to find out whether the mobile app for my car was encrypting the data it contains, and what information attackers might have access to if they could get into my phone.
Many apps contain sensitive or personal information that you want to protect from unauthorized access. Some are more obvious — things such as banking and financial apps, or health or medical apps store data — but many apps store information that may seem innocuous but would still provide clues an attacker can use. The important thing is that the apps you trust with this information take the appropriate steps to encrypt and protect it from compromise.
I decided to explore the security of my car’s mobile app and find out if the app encrypts that data or not. My vehicle is a BMW, and I use the BMW ConnectedDrive app. The latest version of the app available in the Apple Store in May 2020, when I conducted my research, was BMW Connected for iOS version 10.6.2.1807, which I installed on an iPhone 8 Plus running iOS 13.3.1 and an iPhone XS Max with iOS 13.4.1.
The app includes a variety of features. It can lock or unlock the vehicle remotely, perform location tracking on the vehicle, enable the headlights or horn, adjust or activate climate control features, track destinations through the navigation system, provide the status of whether doors and windows are open or closed, and report the current fuel level.
Many of those things may not have much value or pose much of a security risk, but you don’t want an unauthorized user to know the destinations you visit most often or be able to use location tracking to find out where the vehicle is at any given moment.
Exposing Sensitive Data
Using a few basic tools, I was able to uncover unencrypted data on the BMW app relatively easily. As vehicles were added and authenticated with the app, I noticed that data was stored base-64 encoded — but unencrypted — in .plist files.
Using the plistutil software on an Ubuntu Linux 19.10 machine, I was able to access the data with other command-line tools and strip out empty lines and spaces to make it easier to decipher the information it revealed. I could identify the addresses of favorite locations as well as recent navigation directions sent to the vehicle. I could also see the vehicle’s mileage and remaining fuel, the VIN and model of the vehicle, and even a photo of the vehicle model and color.
These things may not seem that crucial. It’s not like an attacker can use the data in this app to run your car off the road or do anything directly nefarious. However, the information revealed by the unencrypted data in the BMW ConnectedDrive app could be used to stalk or track someone — to know exactly where they have gone and the places they’re most likely to be — and identify the exact vehicle when they find it.
Protecting Your Data
It’s worth noting that an attacker would need physical access to your device or, perhaps, to a computer that your smartphone has been authenticated to and trusted. When the phone is connected and authenticated, an attacker can potentially extract data from its apps from the computer.
It’s important for app developers to take responsibility for the data they ask users to trust their apps with. That starts with not relying on the security controls of the operating system itself and taking steps to encrypt data stored by the app natively or separately from whatever protection the operating system might provide.
As an end user, there is only so much you can do to protect your data. You can do some homework and try to select only apps that don’t leave data unencrypted, but you don’t always get a choice. For added protection, you should not connect your smartphone to a shared workstation that others might have access to and should authenticate your mobile device only to trusted computers. Also, make sure you choose complex passwords and PINs to make unauthorized access as challenging as possible.
For the record, my company is committed to acting responsibly when it comes to vulnerability disclosure, so we shared this information with the BMW Group. We notified BMW of vulnerabilities we identified in May 2020 and worked with the company throughout the year to address the issues.
The BMW Group issued this statement:
“Thanks to the notification of Alejandro Hernandez at IOActive via our responsible disclosure channel, we were able to change the way the app’s data cache is handled. Our app development team added an encryption step that makes use of the secure enclave of Apple devices, at which we generate a key that is used for storing the favorites and vehicle meta data that Alejandro was able to extract. We appreciate Alejandro for sharing his research with us and would like to thank him for reaching out to us.”
Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in Fortune 500 companies around the world. As a security researcher, he has presented his work in different conferences including Black Hat USA, DEF CON, AppSec USA, … View Full Bio