
Flaws in Smart Alarms Exposed Millions of Cars to Dangerous Hacking

Serious vulnerabilities found in high-end car alarms could have been exploited to remotely hack millions of vehicles, including to track them, immobilise them and spy on their owners.

Researchers at UK-based penetration testing and cybersecurity firm Pen Test Partners have analyzed smart alarm systems from Pandora and Viper (known in the UK as Clifford), which are estimated to have been installed on roughly 3 million vehicles around the world. These alarms are designed to prevent relay attacks, which have often been used to steal luxury vehicles, and they allow owners to track their vehicle’s location, remotely start and stop the engine, and lock and unlock their doors via a mobile application.

These car alarms are advertised as being highly secure and, before this research was conducted, Pandora even claimed its products were “unhackable.”

Pen Test Partners has not only analyzed the mobile app provided by Pandora and Viper to customers, but it also installed alarms provided by these vendors on several vehicles to test the real-world impact of the flaws it had found.

An analysis of the APIs used by the Pandora and Viper mobile apps revealed that they were affected by insecure direct object reference (IDOR) vulnerabilities. This type of security flaw is easy to exploit and typically allows an attacker to gain access to other users’ accounts simply by changing the value of a parameter in a request.

In the case of the APIs used by these car alarms, Pen Test Partners researchers discovered that an attacker could have exploited the vulnerabilities to send a malicious request that changes a user’s password for the mobile app (in the case of Viper), and to change the email address of an account, which also allowed an account takeover by initiating a password reset procedure with the attacker’s address.
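The IDOR pattern described above, shown as an added example that is not code from Pandora, Viper or Pen Test Partners: an account-update handler that trusts a client-supplied id, next to a hardened version that binds the object to the authenticated session. The account store, tokens, field names and function names are all hypothetical.

```python
# Constructed in-memory data; ids, emails, tokens and field names are hypothetical.
ACCOUNTS = {
    101: {"email": "owner-a@example.test", "password_hash": "hash-a"},
    102: {"email": "owner-b@example.test", "password_hash": "hash-b"},
}
# Constructed session table: bearer token -> account id it was issued to.
SESSIONS = {"token-a": 101, "token-b": 102}

# Only these fields may be changed here; credentials need a separate re-auth flow.
ALLOWED_FIELDS = {"email"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


def update_account_vulnerable(token, params):
    """IDOR pattern: authenticates the caller, then trusts the client-supplied id."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    target = ACCOUNTS[int(params["id"])]  # object chosen by the request, not the session
    target.update({k: v for k, v in params.items() if k != "id"})
    return target


def update_account_hardened(token, params, audit_log):
    """Derive the object from the session and reject any mismatched reference."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        raise Forbidden("not authenticated")
    requested = params.get("id")
    if requested is not None and str(requested) != str(caller_id):
        # A cross-account reference is a useful detection signal, so record it.
        audit_log.append({"event": "idor_denied", "caller": caller_id,
                          "requested": str(requested)})
        raise Forbidden("object does not belong to caller")
    # Allow-list fields so a request cannot overwrite credentials as a side effect.
    changes = {k: v for k, v in params.items() if k in ALLOWED_FIELDS}
    ACCOUNTS[caller_id].update(changes)
    return ACCOUNTS[caller_id]
```

The hardened handler never uses the request's id to select the record, which is the property the object-level authorization check has to guarantee on every endpoint.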

Once the attacker gained access to a user’s account, they could have conducted a wide range of activities. They could obtain information on the vehicle, which would make it easier for a car thief who hacked the app to identify valuable targets. They could also track the vehicle’s location in real time.

In an attack scenario described by the researchers, an attacker tracks the vehicle and drives behind it. The hacker then sets off the alarm while the car is in motion to get the driver to pull over. Once the car stops, they can use the app to enable the immobiliser, unlock the doors and physically hijack the car.

Both the Viper and the Pandora systems allow the user to kill the engine while the car is in motion — a feature that can be useful in case the car has been stolen. A hacker may have also been able to abuse this feature, but the researchers only managed to kill the engine on a car equipped with the Viper alarm.

The Pandora alarm also includes a microphone that is used for SOS calls. The API flaw could have been exploited to access this microphone and snoop on passengers.

Worryingly, both alarms can send custom CAN messages, which are designed to allow microcontrollers and other devices present in a vehicle to communicate. The CAN bus standard provides access to critical vehicle functionality and sending malicious messages can have serious consequences. The researchers claim it may be possible to launch an attack via the API but they are still analyzing this potential vector.

Both Viper and Pandora were notified and they quickly patched the vulnerabilities. Pen Test Partners only gave the vendors 7 days to take action due to the critical severity of the flaws and the risks they posed. Pandora no longer advertises its products as “unhackable” on its website.

“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed,” the researchers explained. “These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety.”

Pen Test Partners has published a blog post detailing its findings, along with a video showing the hacking methods in action.

This is not the first time Pen Test Partners has targeted cars. A few years ago, its researchers demonstrated that hackers could exploit vulnerabilities in the mobile application for the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) to remotely control some of the car’s features.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
