The vulnerabilities, which resided in associated smartphone apps, were both easy to find and easy to fix
If exploited, the vulnerabilities would have enabled anyone to turn the alarm off, as well as track or unlock the car fitted with it. In some cases, the researchers were also able to snoop on in-car conversations through a microphone that is built into one of the alarm systems, and even to start the car’s engine or cut it off while the car was moving.
The flaws affected alarm systems that enable control of connected cars via associated smartphone apps and that are made by two companies – Pandora, from Russia, and Viper, based in the United States (and branded as Clifford in the United Kingdom). The former had even touted its products as “unhackable”, according to Pen Test Partners.
Easy to find, easy to fix
Instead, the researchers found that both apps’ APIs (application programming interfaces) failed to properly authenticate some requests, notably requests to change the password or email address. This presents the prospect of a full-on account takeover.
“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” they wrote. With the account in their hands, the ethical hackers were also able to seize control of the car linked to the account.
Additionally, while the researchers bought the alarm systems for tests, they said that there would have been no need to spend any money on the alarms in order to perpetrate an attack. “Both products allow anyone to create a test/demo account. With that demo account it’s possible to access any genuine account and retrieve their details,” according to Pen Test Partners, who called the flaws “easy to find, easy to fix”.
The two companies acknowledged and patched the bugs within days of being alerted to them.