Two of the largest aftermarket alarm systems were found to have critical security flaws that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.
The research firm tested products from car alarm vendors Viper (branded ‘Clifford’ in the UK) and Pandora. These represent two of the largest car alarm brands globally.
They found that those alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result.
The security flaws allowed:
- The car to be geo-located in real time
- The car type and owner’s details to be identified
- The alarm to be disabled
- The car to be unlocked
- The immobiliser to be enabled and disabled
- In some cases, the car engine could be ‘killed’ whilst it was driving
- One alarm brand allowed drivers to be ‘snooped’ on through a microphone
- Depending on the alarm, it may also be possible to steal vehicles
The flaws affected alarm systems that enable control of connected cars via associated smartphone apps. The vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API. The researchers found that both apps’ APIs failed to properly authenticate some requests, notably requests to change the password or email address. This paved the way for a full-on account takeover.
"Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account," thr researcher said.
They also found that it is possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors.
Additionally, the researchers said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.
The two companies acknowledged the bugs and patched them within days of receiving the alerts.