Author Topic: Smart Car Alarms Ironically Expose Millions of Vehicles to Remote Hijacking  (Read 115 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35127
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Aftermarket car alarm systems developed by Pandora and Viper have been found to be vulnerable to remote exploitation, enabling potential attackers to hijack the vehicles they're installed on and to spy on their owners.

The exploitable software flaws were found in the smartphone apps used to control the alarm systems developed by Pandora and Viper (known as Clifford in the UK), two of the most popular smart car alarms worldwide.

Just taking into account the claims made by Viper on the website of the SmartStart alarm system designed to help customers "Start, Control, and Locate" their cars from "virtually anywhere," the smartphone application has already been downloaded over 3,000,000 times.

Locate and hijack cars with the push of a button

The Pen Test Partners researchers who unearthed these flaws say that "the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API," and "simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account."

As discovered by Pen Test Partners' research team, the aftermarket smart alarm systems would allow would-be attackers to exploit security flaws which enable:

Quote
• The car to be geo-located in real time

• The car type and owner’s details to be identified

• The alarm to be disabled

• The car to be unlocked

• The immobilizer to be enabled and disabled

• In some cases, the car engine could be ‘killed’ whilst it was driving

• One alarm brand allowed drivers to be ‘snooped’ on through a microphone

• Depending on the alarm, it may also be possible to steal vehicles

The researchers also said that some of the smart alarms they tested also gave them the ability to listen to all conversations using a microphone installed as part of the alarm system, allowing criminals to also snoop on millions of car owners who installed them on their cars.

To make matters even worse, the flaws observed in the car alarm APIs exposed huge amounts of personally identifiable information.

Additionally, "It should also be noted that you don’t need to buy either two of these products to have an account on the system. Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details," said the researchers.

While Pen Test Partners gave the two companies behind the vulnerable smart car alarm systems only 7 days to fix the security issues because of the high chance that criminals already were aware and possibly exploiting them in the wild, both Pandora and Viper responded and patched them very quickly, a lot faster than the researchers expected.

Quote
Pandora’s UK representative responded in about 48 hours and had their Moscow-based HQ take action quickly. The IDOR was fixed overnight and we confirmed that the following morning.

Viper responded faster but took a little longer to fix the vulnerability. That one is also confirmed as fixed.

The Pen Test Partners security researchers also gave a 'conservative' estimate of the number of cars possibly affected by the issues they found, stating that "the manufacturers had inadvertently exposed around 3 million cars to theft and their users to hijack" and "$150 Billion worth of vehicles were exposed."

Automotive software and apps vulnerable to hacking
This is not the first time and it will most definitely not be the last when cars have been hacked using vulnerabilities found in both built-in software added by their manufacturers or in various apps used to control them with the help of their owners' smartphones.

Tesla's electric cars, for instance, were found to be vulnerable during 2016, with car thieves being able to hack and steal a Tesla by infecting the owner's Android smartphone with a malware strain and using that to control the Tesla Android App and, subsequently, their car.

During April 2018, a Dutch cyber-security company discovered that multiple in-vehicle infotainment (IVI) systems used by some Volkswagen Group cars were vulnerable to remote hacking.

In May, BMW announced that they've started working on a number of firmware updates designed to patch 14 security issues found in BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series cars by researchers from the Tencent Keen Security Lab.

The same researchers were also able to find several vulnerabilities in Tesla Model X cars which would have allowed attackers to remotely control vehicles, forcing the car to brake while in motion or controlling its lights, in-vehicle displays, and open its doors and trunk when stationary.

During October 2017, an electronics designer found a security flaw in the key fob system of several Subaru models, an issue that could likely be abused to hijack customers' cars and that the automaker refused to patch when contacted.

Mazda cars have also been found to be vulnerable, with the Mazda MZD Connect infotainment system being easily hackable by plugging in a USB flash drive into the car's dashboard.

That "feature" was successfully used by Mazda car owners to alter their vehicles' infotainment systems -- installing new apps and tweaking settings.

To put everything into perspective, as detailed in a study conducted by Ponemon Institute -- when it comes to testing software vulnerabilities -- around 63% percent of all automotive companies will test less than half of the software, hardware, and other technologies they develop.

source