Breaking News

TSMC to Start Production of N7+ Chips Using EUV Third Quarter Samsung Display in Talks With Apple to Supply OLED Panels iPads and Macbooks SpaceX Launches 60 Satellites for Starlink Space-Based Broadband Network New ECS LIVA A320 Mini PC Comes With AN AMD Ryzen Processor IGTV Now Supports Landscape Videos

logo

Smart Car Alarm Systems Could Be Easily Hacked

Smart Car Alarm Systems Could Be Easily Hacked

Enterprise & IT 0

Two of the largest aftermarket alarm systems were found to have critical security flaws that put three million vehicles globally at risk of being hijacked, research by Pen Test Partners reveals.

The research firm tested products from car alarm vendors Viper (branded ‘Clifford’ in the UK) and Pandora. These represent two of the largest car alarm brands globally.

They found that those alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result.

The security flaws allowed:

  • The car to be geo-located in real time
  • The car type and owner’s details to be identified
  • The alarm to be disabled
  • The car to be unlocked
  • The immobiliser to be enabled and disabled
  • In some cases, the car engine could be ‘killed’ whilst it was driving
  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  • Depending on the alarm, it may also be possible to steal vehicles

The flaws affected alarm systems that enable control of connected cars via associated smartphone apps. The vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API. The researchers found that both apps’ APIs failed to properly authenticate some requests, notably requests to change the password or email address. This paved the way for a full-on account takeover.

"Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account," thr researcher said.

They also found that it is possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors.

Additionally, the researchers said that anyone could simply set up a test account to compromise a genuine account. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.

The two companies acknowledged the bugs and patched them within days of receiving the alerts.

Related Posts

0 Comments

Leave a Reply

More information about text formats

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

BBCode

  • No HTML tags allowed.
  • You may use these tags: [abbr], [acronym], [b], [center], [code], [color], [define], [font], [h1], [h2], [h3], [h4], [h5], [h6], [hr], [i], [img], [justify], [left], [list], [node], [php], [quote], [right], [s], [size], [sub], [sup], [u], [url], [wikipedia], [youtube], [align], [link], [ol], [ul]
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.