[YesAuto Connected Travel] In the “big era” of connected cars, we are fortunate to witness a night sky shining with stars. Unlike the western sky of more than 130 years ago, today the brightest stars, whether in electric vehicles or intelligent vehicles, are all dyed red. And just as the Industrial Revolution brought pollution and the squeezing of labor, “Fat House Happy Water” and puffed snacks brought obesity, and the Internet brought the computer virus, every new thing arrives with its own problems and risks.
We want to know what hidden risks to car owners' privacy and information security lie behind the connected car, and which of them deserve the attention of owners and car companies alike.
In the television drama “Kangxi Dynasty”, the aged Kangxi says at the Thousand Seniors Banquet: “This third bowl of wine, I want to toast my dead enemies. Obai, Wu Sangui, Zheng Jing, Galdan, and the Zhu Third Prince, they were all heroes, ah! They made me; they forced me to make this great achievement. I hate them and I respect them.” The words are impassioned, and the information security of the intelligent connected car is much the same. Like the emperor enthroned at eight years old, it is surrounded by hackers and vulnerabilities lying in wait like tigers and hungry wolves, yet without powerful enemies there is no becoming powerful. We hope that one day, when China’s “automotive information security” industry has defeated its powerful enemies and evil spirits and grown stronger and stronger, we can boldly say: “I toast them; may they be our enemies again in the next life!” The beneficiaries at that time will be the thousands of car owners whose lives are inseparable from the connected car.
In order to analyze the information security situation of the intelligent connected car with some rigor, Autohome cooperated with the JIVIC Automotive Information Security Laboratory (jointly established by the Suzhou Automobile Research Institute of Tsinghua University and the Jiangsu Intelligent Networked Automobile Innovation Center), hoping to analyze security risks through scientific and rigorous code analysis and testing. In the first stage, we focus our attention on car remote control Apps and explore the risks behind them.
In the last issue, we tested 7 overseas brand car remote control apps. In this issue, we bring the test results for 7 Chinese brand apps and 1 third-party car remote control app. Based on our users’ feedback, we have also optimized the presentation, hoping to provide a more accessible interpretation and a clearer reference.
App information security test background
The test is based on the Android mobile phone environment for two reasons. First, Apple's iOS App Store has its own review process, which already provides a certain degree of security. Second, because of the form of the software package, testing the iOS version of an application requires the manufacturer to submit it for testing, so we use the APK package and test in the Android environment.
Overview of tested apps
In this issue, we tested 7 remote control apps from 5 car brands and 1 third-party smart car linkage app, namely BYD Cloud Service V4.6.1, Baojun New Energy V2.3.26, Weilai V3.10.4, Bluetooth Key (BYD), Geely V220.127.116.115, Baojun 730 Mobile Internet V3.0.17, Qichen Zhilian V2.0.8 and Zhijiaxing V6.1.8 yesway.mobile. Let’s take a look at these apps together.
The pictures in the introduction of each tested App come from the App Store listing, past test articles and other channels, and may not completely match the interface or functions of the version actually tested; they are only used to briefly introduce the purpose of the App. Below we divide the checks into several major categories, namely broadcast, certificate, file, manifest file, general and WebView, and count how many suspected risk vulnerabilities each app shows in each category.
Tests and scores
First of all, there are two explanations:
1. The suspected risk vulnerabilities reported by the JIVIC laboratory are based on code analysis; they are not confirmed vulnerabilities in the usual sense (that is, ones that hackers or testers have verified can be used to attack a target). The “vulnerabilities” in this article refer to suspected weaknesses in the code and program design that carry a risk of being exploited by hackers and causing harm of varying degrees.
2. There is no system that cannot be breached, only the question of whether it is attractive enough, and every program has flaws. What we hope is to draw the attention of users and the industry and, as far as possible, to push OEMs to raise the security bar and protect user information security and privacy. Faced with these numbers, we consumers need not worry too much: in most cases, we are not worth an attacker's effort.
This is a very frightening prospect, so the security and uniqueness of the certificate are very important. Generally, a well-run cloud service regularly rotates the digital certificate and its key pair (private key and public key). The rotation process requires a strict authentication scheme, which relies mainly on the user's dedicated device, user ID and key, and in turn places high demands on file security and encryption.
We divide the suspected risk vulnerabilities into four levels, from high to low: “serious”, “high”, “medium” and “low”. The first two can cause far more harm than the latter two. In the vulnerability totals in the figure below, we have marked the risk level with color blocks of the corresponding color.
Summary
In terms of results, the two BYD apps performed best. The “Bluetooth Key” benefited to some extent from its simple functionality, while the outstanding result of BYD Cloud Service reflects BYD’s years of Android development experience: the security of this “open source”, “radical” App turned out to be surprisingly good. Qichen Zhilian and Baojun New Energy also performed well. Baojun 730 Mobile Internet, Geely GNetLink and Zhijiaxing showed “serious” suspected risk vulnerabilities, which deserve attention.
Information security is a war without gunpowder. In this era there are no Galdan, Wu Sangui or Obai, but there are the threats of viruses and network hijacking, and of privacy data “flooding” out. We can see the efforts of the various manufacturers in information security; of course, “the revolution has not yet succeeded, comrades must still work hard.” We also hope that the existing threats will force OEMs to pay ever more attention to automotive network security and become more capable themselves, to the benefit of us consumers. (Picture/Text: Autohome, Zheng Xu; test data: JIVIC Automotive Information Security Laboratory)