Armoured vehicles and defensive driving seem like two of the best ways to protect your loved ones and yourself behind the wheel. Bluclub, a relatively new car service based in Brazil, employs both tactics in order to ensure the comfort, safety and protection of its passengers. In this day and age, however, the average driver has a lot more to worry about than other cars on the road. As two experts found out, car hacking is no longer a far-fetched, futuristic dream – it has become a reality.

Wandera’s threat detection team has discovered an issue with Bluclub’s mobile application that put users’ personal credentials and credit card information at risk. This is a result of a complete lack of security in data transferred over the internet by the application. Ironically, the security Bluclub offers within its vehicles doesn’t translate to its mobile application.


How it happens

The Bluclub app uses the HTTP protocol to transmit user information. This means that personal credentials, including username, password, name and phone number, are transferred over the internet completely unencrypted and therefore unprotected. This leaves the data essentially defenceless against third-party attacks.
If that isn’t concerning enough, due to the online payment functionality of Bluclub, credit card information must also be shared with the company via the app. This includes customers’ full credit card numbers and expiry dates. Again, this data travels over the air in plaintext due to the HTTP protocol, enabling hackers to easily access the information with the right tools.
The implications of this threat are dire for the users of Bluclub. Access to personal information, including credit card details, makes identity theft an easy feat for the average hacker. The conflicting nature of a car service centered around security for its customers, while at the same time leaking their personal and credit card information is quite worrisome.
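The kind of check that surfaces this class of leak in a review of an app's own traffic can be sketched as follows. This is an added example, not Wandera's tooling or Bluclub's code: it flags form-encoded requests sent over plain HTTP that carry the field types named above, and uses a Luhn check to pick out likely card numbers. The field names, host and sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical field names: the advisory does not give the app's real parameter names.
SENSITIVE_FIELDS = {"username", "password", "name", "phone", "card_number", "expiry"}
PAN_RE = re.compile(r"\b\d{13,19}\b")  # card numbers are 13 to 19 digits long


def luhn_ok(digits):
    """Luhn checksum: separates likely card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_request(url, body):
    """Return findings for one form-encoded request; empty if it is not plain HTTP."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []
    findings = []
    for key, value in parse_qsl(parts.query) + parse_qsl(body):
        if key.lower() in SENSITIVE_FIELDS and value:
            findings.append(f"cleartext field: {key}")
        compact = re.sub(r"[ -]", "", value)  # card numbers are often grouped
        if any(luhn_ok(m) for m in PAN_RE.findall(compact)):
            findings.append(f"cleartext card number in: {key}")
    return findings


# Constructed sample requests (url, body); none are captured from the real app.
SAMPLES = [
    ("http://api.example.test/login", "username=ana&password=hunter2"),
    ("http://api.example.test/pay", "card_number=4111+1111+1111+1111&expiry=12%2F27"),
    ("https://api.example.test/pay", "card_number=4111111111111111&expiry=12%2F27"),
    ("http://api.example.test/ride", "pickup=Av+Paulista&ref=1234567890123"),
]


def audit_all(samples):
    """Audit every sample and return one findings list per request, in order."""
    return [audit_request(url, body) for url, body in samples]


if __name__ == "__main__":
    for (url, _), findings in zip(SAMPLES, audit_all(SAMPLES)):
        print(url, findings or "ok")
```

The HTTPS request passes because the same fields are protected in transit by TLS, and the last request passes because its 13-digit reference fails the Luhn check.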

Is any car safe?

Imagine for a moment, simply driving down the highway on your way to work. You might be thinking about the day ahead, only to come to a screeching halt without ever hitting the brakes. Do you get hit from behind? Do the airbags go off? Have you caused a major accident?
As unbelievable as it may sound, this car hacking experience has already become a reality. Back in 2015, Charlie Miller and Chris Valasek, two hacking experts, demonstrated to Wired how they were able to wirelessly take over a Jeep, allowing them to control everything from the air conditioning to the brakes.

How did they do it? From miles away, they used a laptop to hack the Jeep’s computer system and rewrite the firmware to plant malicious code. This code enabled them to seize total control of the vehicle, even allowing them to cut the brakes and transmission with the simple push of a button.
Chrysler was not happy about the car hacking attack and the subsequent press it received. It did make some changes to the internal electronics of its vehicles to prevent remote takeover. However, in 2016, another hack was conducted and the results this time were far scarier. Some of the new ‘tricks’ included unintended acceleration, turning the Jeep’s steering wheel, and slamming on the brakes at even higher speeds.
While the 2015 attack was done remotely, the 2016 attack required a laptop directly plugged into the Jeep’s network (via a USB port under the dashboard). The good news is, hackers weren’t able to access the Jeep’s network remotely. The bad news is, there’s no telling how long it will take them to find a workaround.

Looking to the future

So what does this mean for the future? In a world of self-driving cars, far less human autonomy and increasing incidents of car hacking, are any of us safe? It’s definitely something to consider – and not something to be taken lightly. It’s surprising that more of us aren’t uneasy about the fact that it will soon be commonplace to sit inside a massive computer and trust it with your life.