Smart 'unhackable' car alarms open the doors of 3 million vehicles to hackers

The moment you call a product “unhackable” you are asking for trouble.

Researchers find flaws in 'unhackable' smart car alarms, get data of 3 million vehicles The moment you call a product “unhackable” you are asking for trouble. Read more: https://zd.net/2Y7BAaW

Calling a product "smart" and "unhackable' does not magically make it so, as two of the largest vendors of car alarms in the world have now found out.

Viper -- known as Clifford in the United Kingdom -- and Pandora Car Alarm System, which cater for at least three million customers between them, recently became the topic of interest to researchers from Pen Test Partners.

On Friday, the cybersecurity researchers published their findings into the true security posture of these so-called smart alarms and found them falling woefully short of the vendors' claims.

Not only could compromising the smart alarms result in the vehicle type and owner's details to be stolen, but the car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer to be hijacked.

In some cases, cyberattacks could also result in the car engine being killed during use, which in a real-world scenario could result in serious injury or death.

Both companies claimed their products were "smart," and Pandora went so far as to say that its smart alarm systems were "unhackable." (This claim has since been whipped off the vendor's website.)

screenshot-2019-03-08-at-13-37-14.png

Pen Test Partners

As shown in the video below, such bold assertions will only entice cybersecurity experts to prove you wrong.

What makes the situation even worse is how easy it was for Pen Test Partners to refute these lofty statements.

The discovery of simple, relatively straightforward vulnerabilities in the products' API, known as insecure direct object references (IDORs), permitted the researchers to tamper with vehicle parameters, reset user credentials, hijack accounts, and more.

In Viper's case, a third-party company called CalAmp provides the back-end system. A security flaw in the 'modify user' API parameter leads to improper validation, which in turn permits attackers to compromise user accounts.

The research team found that the same bug could be used to compromise the vehicle's engine system.

See also: How automakers are tackling connected vehicle vulnerability management

"Promotional videos from Pandora indicate this is possible too, though it doesn't appear to be working on our car," Pen Test Partners said. "The intention is to halt a stolen vehicle. Except, using the account takeover vulnerability in the mobile app, one could kill the engine of any car fitted with these alarms. The functionality wasn't present in the Viper mobile app UI, but was supported in the API."

When it comes to Pandora, the IDOR is based on a POST request which also results in account compromise, alongside substantial data leaks. There was another attack vector of interest in this product, too, based on the Pandora alarm's ability to make SOS calls in cases of emergency.

In order to send out cries for help, the alarm is fitted with a microphone -- and due to the API security flaw, this component can be accessed and enabled remotely for snooping purposes.

CNET: Facebook Messenger bug revealed who you had conversations with

Given the severity of these security problems and the three million customers potentially impacted, Pen Test Partners chose to scrap its standard 90-day disclosure period in favor of a week.

To their credit, Pandora and Viper responded quickly and managed to fix the vulnerable APIs within the time period on offer.

The lesson here is that despite a lack of evidence that real-world attacks are taking place against vehicle owners, it may only be a matter of time before security flaws in our connected cars become a risk to driver safety.

TechRepublic: Termite and EarthWorm testing tool weaponized to create multi-platform botnet

Cybersecurity is not a laughing matter and any company which claims to offer "unhackable" devices is only opening itself up to mockery -- but rather that, than a future lawsuit when a lack of due security diligence results in accidents or injury.

"One would expect that a manufacturer of alarms, designed to make our vehicles more secure, would have carried out a degree of due diligence prior to taking their products to market," the researchers concluded. "These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety."

Previous and related coverage