Pen Test Partners found vulnerabilities in aftermarket car alarms which allowed them to hack and hijack cars in a matter of moments.
Pen Test Partners tested two alarms, one from Pandora Car Alarm Systems and the other from Viper. The former said it uses 2.4 GHz radio frequencies to transport encrypted messaging, among other features, according to a 7 March Pen Test post. Viper, known as Clifford alarms in the UK, claims to prevent carjacking, key theft, and key cloning. Between them, the two brands leave nearly three million vehicles at risk of theft.
Pen Test wrote that the vulnerabilities it took advantage of are insecure direct object references (IDORs) in the API. By tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker's) and take over the account, the company wrote.
In addition to grand theft auto, the vulnerability allows an attacker to see the car's location in real time, identify the vehicle type so precious time can be allocated to more lucrative vehicles, lock and unlock the vehicle, and start and stop it on command to ultimately take control of the vehicle.
Some alarms even allowed attackers to activate a vehicle's in-cabin microphone, allowing them to snoop on unsuspecting victims.
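The IDOR account-takeover path described above comes down to a handler that picks the account from a client-supplied parameter without checking who is asking. The following is an added illustration, not code from Pen Test Partners or either vendor; every name in it (`Session`, `account_id`, the handler functions, the sample accounts) is hypothetical. It puts the flawed pattern next to a handler that enforces authentication and ownership and records denied attempts for detection.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when the caller may not act on the requested account."""

@dataclass
class Session:
    user_id: Optional[int]  # None means the request carried no valid login

def make_users():
    # Constructed sample accounts, not real data.
    return {1: {"email": "owner@example.test"}, 2: {"email": "driver@example.test"}}

def update_email_vulnerable(users, session, params):
    # Flawed pattern: the account is selected by a client-supplied parameter
    # and the session is never consulted.
    users[params["account_id"]]["email"] = params["email"]
    return users[params["account_id"]]["email"]

def update_email_hardened(users, session, params, audit):
    target = params.get("account_id", session.user_id)
    # 1. Require an authenticated session.
    if session.user_id is None:
        audit.append(("unauthenticated", None, target))
        raise Forbidden("authentication required")
    # 2. Object-level check: the referenced account must be the caller's own.
    if target != session.user_id:
        audit.append(("cross-account", session.user_id, target))
        raise Forbidden("not the owner of this account")
    users[target]["email"] = params["email"]
    return users[target]["email"]

def demo():
    users, audit = make_users(), []
    anon = Session(user_id=None)
    req = {"account_id": 1, "email": "changed@example.test"}
    # The flawed handler accepts the change from an unauthenticated caller.
    vulnerable_result = update_email_vulnerable(make_users(), anon, req)
    outcomes = []
    for sess in (anon, Session(2), Session(1)):  # anonymous, other user, owner
        try:
            outcomes.append(update_email_hardened(users, sess, req, audit))
        except Forbidden as exc:
            outcomes.append(str(exc))
    return vulnerable_result, outcomes, audit

if __name__ == "__main__":
    print(demo())
```

The audit entries are the detection hook: repeated cross-account or unauthenticated denials against sequential account ids are what parameter tampering looks like in server logs.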
The vendors told researchers the vulnerabilities have been patched since they were reported to them, which the researchers have yet to confirm. SC Media has attempted to reach both firms for comment but they have yet to respond.
In emails to SC Media UK, Aaron Zander, head of IT at HackerOne, commented: "Car manufacturers struggle to build a unified system that has all the information that we, as drivers and consumers, want, that is still disconnected and segregated enough to protect against vulnerabilities. This doesn’t just end with cars, but extends to all connected systems from home automation to airplane infotainment systems."
Bill Lummis, technical program manager at HackerOne, added in comments emailed to SC Media UK: "Nothing is unhackable, it's only more or less difficult to do. Any time you see a company claiming they have something unhackable, you can immediately assume they lack security sophistication."
This article was originally published on SC Media US. With additional reporting by SC Media UK.