Security experts at Pen Test Partners discovered several vulnerabilities in two smart car alarm systems that put an estimated three million vehicles worldwide at risk of compromise.
The flaws could be exploited by attackers to disable the alarm, track and unlock the vehicles fitted with it, and even start or stop the engine while the car was moving. The experts also demonstrated that it was possible to snoop on drivers’ conversations through a microphone built into one of the two alarm systems.
“These alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result.” reads the report published by Pen Test Partners.
“After purchasing and fitting several high-end ‘smart’ alarms to our cars, costing us ~$5,000, we discovered that two of the largest aftermarket alarm systems have critical security flaws that allow:
- The car to be geo-located in real time
- The car type and owner’s details to be identified
- The alarm to be disabled
- The car to be unlocked
- The immobiliser to be enabled and disabled
- In some cases, the car engine could be ‘killed’ whilst it was driving
- One alarm brand allowed drivers to be ‘snooped’ on through a microphone
- Depending on the alarm, it may also be possible to steal vehicles”
The flawed car alarm systems are manufactured by the Russian firm Pandora and the US-based company Viper.
The researchers found that the APIs behind both companion apps did not check whether the caller was actually authorised to act on the account referenced in a request. This class of flaw, an insecure direct object reference (IDOR), let an attacker target any customer’s account simply by supplying that account’s identifier.
“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” continues the experts.
Once the attacker had control over the account, they could locate, unlock and otherwise control the associated vehicle. The experts also found that both systems let anyone create a test account, and that such an account was sufficient to reach into genuine customer accounts.
“Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” states Pen Test Partners.
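The account-takeover chain described above (tamper with the account identifier, change the registered e-mail, request a password reset, log in as the victim) is easy to reproduce against a minimal model of such an API. The following is an added example written for this article, not code from Pandora, Viper or Pen Test Partners; the user records, the in-memory mailbox, the handler names and the identifiers are all constructed for illustration. It places the vulnerable handler, which only checks that the caller is logged in, next to a hardened one that also checks that the caller owns the account being modified.

```python
"""Insecure direct object reference (IDOR) in an account-update API,
modelled on the account-takeover chain described in the article, next to
a hardened handler. Everything here is constructed for illustration: the
users, the in-memory mailbox and the handler functions are hypothetical
and are not code from Pandora, Viper or Pen Test Partners."""

import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised by the hardened handler when the caller does not own the target."""


@dataclass
class User:
    user_id: int
    email: str
    password: str


@dataclass
class Backend:
    users: dict = field(default_factory=dict)         # user_id -> User
    sessions: dict = field(default_factory=dict)      # session token -> user_id
    mailbox: dict = field(default_factory=dict)       # email -> last reset token "delivered"
    reset_tokens: dict = field(default_factory=dict)  # reset token -> user_id

    def register(self, user_id, email, password):
        self.users[user_id] = User(user_id, email, password)

    def login(self, user_id, password):
        if self.users[user_id].password != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    # Vulnerable: PUT /users/<target_id> trusts the id supplied by the client.
    # Authentication happens, authorization does not: any valid session
    # (including a self-registered demo account) can modify any user.
    def update_email_vulnerable(self, session_token, target_id, new_email):
        if session_token not in self.sessions:
            raise PermissionError("not logged in")
        self.users[target_id].email = new_email      # no ownership check

    # Hardened: the object the caller may touch is derived from the session,
    # and a mismatch with the client-supplied id is rejected.
    def update_email_hardened(self, session_token, target_id, new_email):
        caller_id = self.sessions.get(session_token)
        if caller_id is None:
            raise PermissionError("not logged in")
        if caller_id != target_id:
            raise Forbidden(f"user {caller_id} may not modify user {target_id}")
        self.users[target_id].email = new_email

    def request_password_reset(self, user_id):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user_id
        # The reset mail goes to whatever address is currently on the account.
        self.mailbox[self.users[user_id].email] = token

    def reset_password(self, token, new_password):
        user_id = self.reset_tokens.pop(token)
        self.users[user_id].password = new_password


def takeover_chain(update_email):
    """Run the chain with the given (unbound) handler: create a demo account,
    point the victim's e-mail at the attacker, trigger a reset, log in as the
    victim. Returns True if the attacker ends up logged in as the victim."""
    be = Backend()
    be.register(1001, "owner@example.com", "owner-pw")        # constructed victim
    be.register(9999, "attacker@example.com", "demo-pw")      # freely created demo account
    attacker_session = be.login(9999, "demo-pw")
    try:
        update_email(be, attacker_session, 1001, "attacker@example.com")
    except Forbidden:
        return False                                          # hardened handler blocked it
    be.request_password_reset(1001)
    token = be.mailbox.get("attacker@example.com")            # reset mail now reaches the attacker
    if token is None:
        return False
    be.reset_password(token, "pwned")
    try:
        be.login(1001, "pwned")
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler, takeover:", takeover_chain(Backend.update_email_vulnerable))
    print("hardened handler, takeover:  ", takeover_chain(Backend.update_email_hardened))
```

The fix is deliberately small: the hardened handler never lets the client choose which record it edits, it derives the permitted record from the session and compares. That is the check an IDOR audit of any IoT companion API should look for on every endpoint that takes an account, device or vehicle identifier from the client.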
Pen Test Partners reported the flaws to both companies, which fixed them within days.
“We’ve seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we’ve seen them lead to a potential attack on this scale before.” conclude the experts.
“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed.”