Two smart alarm systems for cars have plugged critical security holes that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.
If exploited, the vulnerabilities would have enabled anyone to turn the alarm off, as well as track and unlock the car fitted with it. In some cases, the researchers were also able to snoop on in-car conversations through a microphone that is built into one of the alarm systems, and even to start the car’s engine or cut it off while the car was moving.
The flaws affected alarm systems that enable control of connected cars via associated smartphone apps and that are made by two companies – Pandora, from Russia, and Viper, based in the United States (and branded as Clifford in the United Kingdom). The former had even touted its products as “unhackable”, according to Pen Test Partners.
Easy to find, easy to fix
The researchers found that both apps’ APIs (application programming interfaces) failed to authenticate some requests properly, notably requests to change the password or email address. This paved the way for a full-on account takeover.
“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” they wrote. With the account in their hands, the ethical hackers were also able to seize control of the car linked to the account.
Additionally, while the researchers actually bought the alarm systems for the sake of "a full proof of concept", they said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.
To their credit, the two companies acknowledged the bugs and patched them within days of receiving alerts from the white hats.