Major security flaws were discovered in smart alarm systems for cars. About three million customers are affected by the vulnerabilities worldwide. The flawed alarm systems are distributed by two of the largest vendors: Viper and Pandora Car Alarm system.
Both vendors strongly claimed that their devices were smart and secure. Pandora even claimed to be ‘unhackable’. However, since the researchers exposed the ‘unhackable’ devices, Pandora has taken down their claim off the website.
Security researchers at Pen Test Partners discovered several vulnerabilities in the smart alarms. They were able to use simple techniques to easily take over the cars.
The apps of both vendors were affected with insecure direct object reference (IDOR) vulnerabilities in the API. IDOR vulnerabilities allow attackers to manipulate files or a database to obtain access to data. After manipulating the API, the researchers were able change email addresses registered to the accounts without authentication, reset passwords, and take over the account.
Further, the researchers were able to completely hijack the vehicles through the smart alarms. They could geo-locate the car, disable/enable the alarm, listen into conversations through the microphone, and turn the immobilizer off/on. Unfortunately, any attacker could also easily stop the car in its path, open doors, and kill off the engine while in driver. Potentially, causing serious injury and death. The researchers were specifically able to kill of the engine on the car using the Viper alarm system while it was moving.
Since the discovery Pen Test Researchers have contacted both vendors, who responded very quickly. Pandora responded within 48 hours and fixed the IDOR overnight. Viper reponsded very quick and also fixed the vulnerability.
Pen Test in their blog stated:
“We’ve seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we’ve seen them lead to a potential attack on this scale before. One would expect that a manufacturer of alarms, designed to make our vehicles more secure, would have carried out a degree of due diligence prior to taking their products to market……before they were fixed they actually exposed the owners to additional attacks and compromised their safety”
Contact LIFARS today for secure code review