car alarm  - NBAzV1552307499 - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally

Researchers discovered a serious in famous vendors car alarm system that allows attackers to hijack the car remotely and kill the engine while driving, even steal the car.

These alarms available in the market for $5,000, that already fitted in several high-end cars and the critical vulnerabilities were discovered in two leading alarm vendors Viper and Pandora manufactured alarm systems.

Also, Pandora has since taken the claim off their web site as ‘unhackable’ and also said that they never faced any breachs.

Penetration Testers discovered the critical vulnerability in direct object references (IDORs) in the Pandora alarm system API.

This vulnerability allows to tamper the user account let attacker update the email address registered to the account without authentication, send a password reset to the modified address to compromise the account.

Researchers said “Another Smart Start alarm Viper vulnerability is an IDOR on the ‘modify user’ request. Although all of the other APIs are correctly checking for authorization, the /users/Update/xxxxx request is not being properly validated.”

This vulnerability resides in API system allows attackers to interact with the alarm system by issue a malicious request to change any users password and login.

- pass - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally
Image indicate the password change operation

Similarly, Pandora vulnerability is an IDOR on a POST request:
 https://pro.p-on.ru/api/sputnik/workers?id=xxxx on the ‘email’ JSON parameter.

- post - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally
Post request for overwrite the existing email 

So once the email will be overwritten then the attacker possibly change the user password on Pandora vehicle alarm system and simply login to the app and obtain full functionality.

- pass1 - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally

Lets Hijack the Car

Researchers demonstrate the process of hijacking the car once they take over the vulnerable alarm management accounts and currently This flaw affects up to 3 million vehicles globally.

They took the famous Range Rover car which installed with the alarm system. below image indicate the app control interface.

- car1 - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally
- car2 - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally
Real time car location

PentestPartners researchers said “track the car in real time and The driver now pulls over to investigate. We set the immobiliser, so they can’t drive off. We have already removed their access to the alarm account, so they can’t reset the immobiliser.”

In this case, once the attackers found the car then they can use the unlock future in the mobile app to unlock the car door and against start the engine.

- car3 - Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally

Researchers also discovered that attackers could kill the engine on the Viper equipped car whilst it was in motion.

“Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car.”

Also there are many functionalities can be obtained by the attacker from this car alarm app and they perform the following actions,

  • The car to be geo-located in real time
  • The car type and owner’s details to be identified
  • The alarm to be disabled
  • The car to be unlocked
  • The immobiliser to be enabled and disabled
  • In some cases, the car engine could be ‘killed’ whilst it was driving
  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  • Depending on the alarm, it may also be possible to steal vehicles

“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed”. Researchers said.

“This serious flaw has been reported already to the concern vendors and gave them 7 days to take down or fix the vulnerable APIs”

You can follow us on LinkedinTwitterFacebook for daily updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

PASTA – A New Car Hacking Tool Developed by Toyota to Test The Security Vulnerabilities

Moscow’s Cable Car System Hacked Within Two Hours After it Opened

Beware – Dangerous IoT Attacks Leads Some One to Hack and Control Your Car

CarsBlues Bluetooth Hack Allows Hackers to Access Text Messages, Call Logs and More





Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here