Breaking News

GIGABYTE Launches AMD Radeon PRO W7800 AI TOP 48G Graphics Card TEAMGROUP Launches The T-CREATE EXPERT P32 Desktop External SSD Introducing The Razer USB 4 Dock LG Display Succeeds in Developing World's First Stretchable Display that Expands by 50 Percent Transcend Introduces CFast Card with Write Protection for Enhanced Data Security

logo

Smart Car Alarm Systems Could Be Easily Hacked

Smart Car Alarm Systems Could Be Easily Hacked

Enterprise & IT 0

Two of the largest aftermarket alarm systems were found to have critical security flaws that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.

The research firm tested products from car alarm vendors Viper (branded ‘Clifford’ in the UK) and Pandora. These represent two of the largest car alarm brands globally.

They found that those alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result.

The security flaws allowed:

  • The car to be geo-located in real time
  • The car type and owner’s details to be identified
  • The alarm to be disabled
  • The car to be unlocked
  • The immobiliser to be enabled and disabled
  • In some cases, the car engine could be ‘killed’ whilst it was driving
  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  • Depending on the alarm, it may also be possible to steal vehicles

The flaws affected alarm systems that enable control of connected cars via associated smartphone apps. The vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API. The researchers found that both apps’ APIs failed to properly authenticate some requests, notably requests to change the password or email address. This paved the way for a full-on account takeover.

"Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account," thr researcher said.

They also found that it is possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors.

Additionally, the researchers said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.

The two companies acknowledged the bugs and patched them within days of receiving the alerts.

Related Posts