Researchers discovered a serious Vulnerability in famous vendors car alarm system that allows attackers to hijack the car remotely and kill the engine while driving, even steal the car.
These alarms available in the market for $5,000, that already fitted in several high-end cars and the critical vulnerabilities were discovered in two leading alarm vendors Viper and Pandora manufactured alarm systems.
Also, Pandora has since taken the claim off their web site as ‘unhackable’ and also said that they never faced any security breachs.
Penetration Testers discovered the critical vulnerability
This vulnerability allows to tamper the user account let attacker update the email address registered to the account without authentication, send a password reset to the modified address to compromise the account.
Researchers said “Another Smart Start alarm Viper vulnerability is an IDOR on the ‘modify user’ request. Although all of the other APIs are correctly checking for authorization, the /users/Update/
This vulnerability resides in API system allows attackers to interact with the alarm system by issue a malicious request to change any users password and login.
Similarly, Pandora vulnerability is an IDOR on a POST request:
https://pro.p-on.ru/api/sputnik/workers?id=xxxx on the ‘email’ JSON parameter.
So once the email will be overwritten then the attacker possibly change the user password on Pandora vehicle alarm system and simply login to the app and obtain full functionality.
Lets Hijack the Car
Researchers demonstrate the process of hijacking the car once they take over the vulnerable alarm management accounts and currently This flaw affects up to 3 million vehicles globally.
They took the famous Range Rover car which installed with the alarm system. below image indicate the app control interface.
PentestPartners researchers said “track the car in real time and The driver now pulls over to investigate. We set the
In this case, once the attackers found the car then they can use the unlock future in the mobile app to unlock the car door and against start the engine.
Researchers also discovered that attackers could kill the engine on the Viper equipped car whilst it was in motion.
“Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car.”
Also there are many functionalities can be obtained by the attacker from this car alarm app and they perform the following actions,
- The car to be geo-located in real time
- The car type and owner’s details to be identified
- The alarm to be disabled
- The car to be unlocked
- The immobiliser to be enabled and disabled
- In some cases, the car engine could be ‘killed’ whilst it was driving
- One alarm brand allowed drivers to be ‘snooped’ on through a microphone
- Depending on the alarm, it may also be possible to steal vehicles
“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed”. Researchers said.
“This serious flaw has been reported already to the concern vendors and gave them 7 days to take down or fix the vulnerable APIs”