Two popular car alarm systems have fixed security vulnerabilities that allowed researchers to track, hijack, and take control of vehicles with remotely installed alarms.
The systems, built by Russian alarm maker Pandora and California-based Viper, sold as Clifford in the United Kingdom, were vulnerable to an easily manipulated server-side API, according to researchers at Pen Test Partners, a UK cybersecurity company. In their findings, the API could be abused to take control of an alarm system's user account, and from there of the vehicle itself.
The vulnerable alarm systems could be tricked into resetting an account's password because the API did not check whether the request was authorized, allowing the researchers to log in.
Although the researchers bought alarms to test, they said that “anyone” could create a user account to access any genuine account or extract all user data from the companies.
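The flaw class described above is a server-side API that authenticates the caller but never checks that the account being modified belongs to that caller. The following is an added, hypothetical illustration (not Pandora's or Viper's code) of that pattern beside a hardened handler that binds the target account to the session and logs mismatches:

```python
# Added illustration of the broken-access-control pattern described above:
# an "update account" API that trusts the account id in the request body
# instead of binding it to the authenticated session. Hypothetical code,
# not the implementation of either vendor.
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    email: str
    password_hash: str  # constructed sample; a real service stores a proper hash

# Constructed sample data: two customers and one valid session for customer 1.
ACCOUNTS = {
    1: Account(1, "alice@example.com", "hash(alice-pw)"),
    2: Account(2, "bob@example.com", "hash(bob-pw)"),
}
SESSIONS = {"sess-alice": 1}  # session token -> account the token was issued for
AUDIT_LOG: list[str] = []     # where a defender would look for cross-account attempts

def vulnerable_update(session_token: str, body: dict) -> str:
    """Flawed handler: any logged-in user can reset any account's email/password."""
    if session_token not in SESSIONS:
        return "unauthenticated"
    target = ACCOUNTS[body["account_id"]]  # caller-supplied id is trusted as-is
    target.email = body["email"]
    target.password_hash = f"hash({body['password']})"
    return "ok"

def hardened_update(session_token: str, body: dict) -> str:
    """Fixed handler: the account to modify comes from the session, and a
    body that names a different account is rejected and recorded."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return "unauthenticated"
    if body.get("account_id") != owner:
        AUDIT_LOG.append(f"forbidden: session of {owner} tried to modify {body.get('account_id')}")
        return "forbidden"
    target = ACCOUNTS[owner]
    target.email = body["email"]
    target.password_hash = f"hash({body['password']})"
    return "ok"
```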
The researchers said about three million cars worldwide were vulnerable to the flaws, which have since been fixed.
In one example demonstrating the hack, the researchers geolocated a target vehicle, tracked it in real time, followed it, remotely shut off the engine to force the car to stop, and unlocked the doors. The researchers said it was "trivially easy" to hijack a vulnerable vehicle. Worse still, it was possible to identify some car models, making targeted hijackings of specific or high-end vehicles even easier.
The researchers also found that they could listen in through the car's microphone, which is built into the Pandora alarm system for making calls to emergency services or roadside assistance.
Ken Munro, founder of Pen Test Partners, told TechCrunch that this was his “biggest” project.
The researchers contacted Pandora and Viper with a seven-day disclosure window, given the severity of the vulnerabilities. Both companies responded quickly to fix the flaws.
When reached, Viper's Chris Pearson confirmed that the vulnerability has been fixed. "If used for malicious purposes, [the flaw] could allow unauthorized access to customer accounts."
Viper blamed a recent system update by a service provider for the error, saying the problem was “quickly rectified.”
"Directed believes that no customer data was exposed and no unauthorized accounts were accessed during the short period that this vulnerability existed," said Pearson, but he did not explain how the company reached that conclusion.
In a lengthy email, Pandora's Antony Noto challenged several of the researchers' findings, summarizing: "The system encryption was not cracked, the remotes were not hacked, [and] the tags were not cloned," he said. "A software glitch allowed temporary access to the device for a short period of time, which has now been addressed."
The research follows work done last year by Vangelis Stykas on Calamp, a telematics provider whose platform underpins Viper's mobile app. Stykas, who later joined Pen Test Partners and also worked on the car alarm project, discovered that the app was using credentials hard-coded into the app to log into a central database, giving anyone who logged in remote control of a connected vehicle.