Pen Test Partners has released information on major vulnerabilities it found in the premium car alarm systems Viper and Pandora, which could have allowed hackers to locate cars, disable alarms, unlock doors, and even switch the engine immobiliser on or off.
White hat hackers at Pen Test Partners were able to exploit critical vulnerabilities in popular 'smart' car alarm apps and unlock vehicles, listen in on driver conversations and even kill the engine whilst running.
— Valeo Networks Inc. (@valeonetworks) March 8, 2019
The key points are:
- Cyber security researchers from Pen Test Partners found a serious vulnerability affecting cars using widely used premium alarm systems from Viper and Pandora.
- It would have allowed hackers to geo-locate 3m cars using these alarms in real time, disable alarms, unlock doors and even switch the engine immobiliser on/off – all remotely through an app. In tests, it also allowed an engine to be killed whilst driving and even an internal microphone to be used for eavesdropping.
- Both alarm systems had the same simple flaw in an internet-connected interface, which allowed the attacker to perform a malicious password reset and take over the app account associated with each target car.
- Both alarm companies have now fixed the vulnerability.
- The cybersecurity researchers proved the concept using their own accounts, attached to alarms installed on their own cars. However, they could tell 3m vehicles were affected because user account numbers appeared to be allocated sequentially.
- The alarms cost around £3500 / $5000. In the UK, Viper Smartstart is available as Clifford Alarms; in the USA, the alarm is available from big brand stores such as Best Buy, and it is also sold in around 25 other countries. Pandora alarms are available online as well as through independent retailers.
Expert Comment below:
Ken Munro, Partner at Pen Test Partners:
“The scale of risk to car owners and drivers around the world would have been worrying. A single flaw in a line of mobile app code opened people up to kidnap, hijacking, car theft and potentially even injury from those with malicious intent. The fact the alarm system is aimed at the higher end of the car market would only have served to increase appeal to criminals.
“It underlines the importance of securing any mass market Internet connected device, even those which are seemingly innocuous. To do this, manufacturers need to build security in to their products from day one, or risk creating a society where more and more everyday objects are open to attack by nation states, criminals and others with bad intentions.”