Flaws in smart car alarms exposed 3 million cars to hijack

In Opinions

Tomas Foltyn, security writer at ESET explains the vulnerabilities, which resided in associated smartphone apps, were both easy to find and easy to fix

Two smart alarm systems for cars have plugged critical security holes that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.

If exploited, the vulnerabilities would have enabled anyone to turn the alarm off, as well as track and unlock the car fitted with it. In some cases, the researchers were also able to snoop on in-car conversations through a microphone that is built into one of the alarm systems, and even to start the car’s engine or cut it off while the car was moving.

The flaws affected alarm systems that enable control of connected cars via associated smartphone apps and that are made by two companies – Pandora, from Russia, and Viper, based in the United States (and branded as Clifford in the United Kingdom). The former had even touted its products as “unhackable”, according to Pen Test Partners.

Easy to find, easy to fix
The researchers found that both apps’ APIs (application programming interfaces) failed to properly authenticate some requests, notably requests to change the password or email address. This paved the way for a full-on account takeover.

“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” they wrote. With the account in their hands, the ethical hackers were also able to seize control of the car linked to the account.

Additionally, while the researchers actually bought the alarm systems for the sake of “a full proof of concept”, they said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.

To their credit, the two companies acknowledged the bugs and patched them within days of receiving alerts from the white hats.

Comments

You may also read!

du acknowledged as the Best MSSP in the Middle East

du, from Emirates Integrated Telecommunications Company (EITC), presented the Managed Security Service Provider, “Visionary of the Year” Award by

Read More...

Forcepoint recognizes its partners in the region

Leading cybersecurity firm, Forcepoint recognized its key channel partner during its partner event held recently in Dubai, which was

Read More...

Tenable research discovers download hijack vulnerability in Slack

Tenable Inc, the Cyber Exposure company, announced that its research team has discovered a vulnerability in the Slack Desktop

Read More...

Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu