A bug that allowed two researchers to gain access to the backend systems of a popular internet-connected vehicle management system could have given a malicious hacker everything they needed to track the vehicle's location, steal user information, and even cut out the engine.
In a disclosure this week, the researchers Vangelis Stykas and George Lavdanis detailed a bug in a misconfigured server run by Calamp, a telematics company that provides vehicle security and tracking, which gave them "direct access to most of its production databases."
Car hacking has become a major focus in the security community in recent years, as more vehicles are hooked up to the cellular internet. But while it is convenient to control your car from your phone, that connectivity has also opened up new points of attack -- which could have real-world consequences.
You might not even realize you're a Calamp user. Many apps, including the vehicle tracking app Viper SmartStart, which lets users locate, start, and control their car from their phone, connect to the outside world through a Calamp modem that talks to Calamp's cloud-based servers.
The researchers found that the Viper mobile app, while secure, was connecting to two different servers -- one used by Viper, and another run by Calamp.
Using the same credentials as the app, the researchers were also able to log in to the Calamp server and gain complete access to it, they said in their write-up.
"You could easily exploit it and as we had full access to the database," said Stykas in an email. "We could do a lot of stuff -- pretty much any scenario that we could think of was disastrous, like mass stealing cars or turning off a vehicle via panic button when going with a high speed," he said.
By querying the database, Stykas said it was possible to find a car by looking up nearby latitude and longitude coordinates, reset the password, unlock the driver's side door, start the engine, and drive away.
Stykas shared several screenshots with ZDNet of the server, which included vehicle history reports, alarm sounding histories, and payment charts.
The researchers said that they could track the location history of every vehicle in the database, even though the logged-in user had limited, mostly read-only permissions. They could also see usernames and masked passwords, but had no way to export the data.
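The detail above is the security-relevant one: the account was "mostly read-only", yet it could read every vehicle's location history. A read-only role limits what a caller can do, not which records it can see; the missing control is an object-level (ownership) check. The following is an added illustration, not code from the article, from Calamp, or from Viper. The roles, the `User` and `LocationFix` types, the `history_role_check_only` and `history_scoped` functions, and the vehicle data are all hypothetical and constructed for the example.

```python
"""Added example (not from the article or from Calamp/Viper): contrast a
role-only read check with a query scoped to the vehicles the caller owns.
All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str                       # hypothetical roles: "owner" or "admin"
    vehicle_ids: frozenset = frozenset()   # vehicles this user may see


@dataclass(frozen=True)
class LocationFix:
    vehicle_id: str
    lat: float
    lon: float


# Constructed sample data: three vehicles, one owner account, one admin.
LOCATION_HISTORY = [
    LocationFix("veh-1", 37.77, -122.41),
    LocationFix("veh-2", 40.71, -74.00),
    LocationFix("veh-3", 51.50, -0.12),
]
ALICE = User("alice", "owner", frozenset({"veh-1"}))
ADMIN = User("ops", "admin")


class Forbidden(Exception):
    """Raised when a caller asks for a record outside its scope."""


def history_role_check_only(user: User) -> list:
    """Weak design: the check answers 'may this role read?' and then
    returns the whole table, so any read-only account sees every vehicle."""
    if user.role not in ("owner", "admin"):
        raise Forbidden("no read access")
    return list(LOCATION_HISTORY)


def history_scoped(user: User, vehicle_id: str) -> list:
    """Hardened design: the role check is kept, and the query is additionally
    bound to a vehicle the caller owns. A request for any other vehicle is
    refused rather than served, which is what makes 'read-only' meaningful."""
    if user.role != "admin" and vehicle_id not in user.vehicle_ids:
        raise Forbidden(f"{user.name} may not read {vehicle_id}")
    return [fix for fix in LOCATION_HISTORY if fix.vehicle_id == vehicle_id]


def vehicles_visible(user: User) -> set:
    """Distinct vehicles a user can actually reach through the scoped API;
    useful as a test oracle when reviewing an authorization layer."""
    visible = set()
    for fix in LOCATION_HISTORY:
        try:
            history_scoped(user, fix.vehicle_id)
            visible.add(fix.vehicle_id)
        except Forbidden:
            continue
    return visible


if __name__ == "__main__":
    # Role-only check: the owner of one vehicle receives all three records.
    print(len(history_role_check_only(ALICE)))   # 3
    # Scoped check: the same owner reaches only her own vehicle.
    print(sorted(vehicles_visible(ALICE)))       # ['veh-1']
    print(sorted(vehicles_visible(ADMIN)))       # ['veh-1', 'veh-2', 'veh-3']
```

The point to carry into a review of any fleet or telematics backend is that the authorization decision must include the record's owner, not just the caller's role; a test like `vehicles_visible` that enumerates what a low-privilege account can reach is a quick way to catch the gap.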
The bug was fixed after the researchers contacted the company.
A spokesperson for Calamp said it patched the flaw and continues to investigate.
"Calamp takes the matter of IT and data security seriously. Once we received the bug report, our team promptly investigated and developed a patch to address it. We believe that this matter has been resolved without issue," the spokesperson said.
Calamp has since added a new bug reporting page following the disclosure.
Stykas said he wasn't sure how many companies or vehicles were affected by the server bug. Calamp says on its site that it actively manages more than 7 million devices.
It's not the first instance of car hacking we've seen.
In 2016, hackers took full control of the brakes on a Jeep Cherokee, which caused controversy because the hack was tested on a highway. That research largely opened the floodgates to a new focus on car hacking. Last year, an unpatchable flaw on most modern cars put drivers at risk from a vulnerability that could disable safety features, such as switching off the airbag.
Infotainment systems, which can be reached over long ranges through the cellular network, are a prime target for hackers.