Select Page

Flaws in smart car alarms exposed 3 million cars to hijack

Posted by | Mar 17, 2019 | ,

Flaws in smart car alarms exposed 3 million cars to hijack

Two smart alarm systems for cars have plugged critical security holes that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.

 

If exploited, the vulnerabilities would have enabled anyone to turn the alarm off, as well as track and unlock the car fitted with it. In some cases, the researchers were also able to snoop on in-car conversations through a microphone that is built into one of the alarm systems, and even to start the car’s engine or cut it off while the car was moving.

 

The flaws affected alarm systems that enable control of connected cars via associated smartphone apps and that are made by two companies – Pandora, from Russia, and Viper, based in the United States (and branded as Clifford in the United Kingdom). The former had even touted its products as “unhackable”, according to Pen Test Partners.

 

Easy to find, easy to fix

The researchers found that both apps’ APIs (application programming interfaces) failed to properly authenticate some requests, notably requests to change the password or email address. This paved the way for a full-on account takeover.

 

“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” they wrote. With the account in their hands, the ethical hackers were also able to seize control of the car linked to the account.

 

Additionally, while the researchers actually bought the alarm systems for the sake of “a full proof of concept”, they said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.

 

To their credit, the two companies acknowledged the bugs and patched them within days of receiving alerts from the white hats.

About The Author

Nusaiba Khalid

Related Posts

Juniper Networks and Dragos Announce Official Joint Partnership to Secure Critical Infrastructure

Juniper Networks and Dragos Announce Official Joint Partnership to Secure Critical Infrastructure

June 19, 2022

Acronis empowers resellers and service providers with a new cloud-focused #CyberFit Partner Program.

Acronis empowers resellers and service providers with a new cloud-focused #CyberFit Partner Program.

February 3, 2021

NMC Kia Announces Ramadan Special Offers starting from 0% profit rate.

NMC Kia Announces Ramadan Special Offers starting from 0% profit rate.

March 18, 2024

INFINITI gets a new home in KSA

INFINITI gets a new home in KSA

March 7, 2024

Categories

WP Twitter Auto Publish Powered By : XYZScripts.com