Security flaws in popular car alarms affected 3 million cars worldwide
8 March 2019
Security researchers have uncovered critical security holes in popular car alarms that could have been exploited by cyber criminals to unlock car doors, activate car alarms, and turn on car engines, all of which could allow criminals to steal cars with great ease.
Research carried out by Pan Test Partners has revealed how certain third-party car alarms, whose sellers claim to offer enhanced security to owners of keyless entry cars, feature gaping security holes that could allow criminals to geo-locate cars in real time, find out the car type and details of their owners, disable car alarms, unlock cars, disable immobilisers, and even kill car engines when they are running.
According to Pan Test Partners, these security flaws affect up to three million cars worth over $150 billion globally and are present in car alarms sold by Viper (branded ‘Clifford’ in the UK) and Pandora who are among the largest car alarm brands globally. In fact, Pandora claimed in its website that security in its car alarms was “unhackable”, a claim that was decisively demolished by security researchers and subsequently retracted.
In order to exploit the car alarm to hijack a car, all a hacker needs to do is to tamper with the parameters, update the email address registered to the account without authentication, send a password reset to the modified address and take over the account.
While testing the Viper Smart Start alarm system, the researchers noted that when processing the ‘modify user’ request, the API did not properly validate the user, thereby allowing malicious actors to issue a malicious request to change any users password and login allowing interaction with the alarm.
Similarly, a vulnerability in Pandora’s car alarm allowed malicious actors to overwrite the existing email with theirs and use the same to simply log in to the app and obtain full functionality.
While carrying out their tests, the researchers also observed that it was possible to kill the engine of a Viper equipped car whilst it was in motion and that the microphone in the Pandora alarm could be accessed and enabled remotely owing to the authorisation flaw in the API.
Both Viper and Pandora fixed the security flaws in their car alarm APIs before Pan Test Partners published their findings. “We’ve seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we’ve seen them lead to a potential attack on this scale before,” the researchers said.
“One would expect that a manufacturer of alarms, designed to make our vehicles more secure, would have carried out a degree of due diligence prior to taking their products to market. These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed.
“These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety. Before we contacted them, the manufacturers had inadvertently exposed around 3 million cars to theft and their users to hijack,” they added.
Commenting on the presence of security flaws in popular car alarms, Ofer Maor, director of solutions management at Synopsys, says that the latest car alarm system identified by Pen Test Partners demonstrates in the most apparent way the challenges the automotive industry is facing in its transition to the modern connected world.
“The requirements, as well as risks, of legacy automotive development of those security systems are considerably different than those of connected software. For that reason, despite being high end security manufacturers (likely to be proficient with the hardware and radio aspects of the security systems), they have failed where many before them have, and that is securing the software used to interface with their systems.
“Our recent study, done together with Ponemon and SAE, shows that 30% of organisations in the automotive industry do not have an established cybersecurity programme, and 63% test less than half of the technology they develop for security. It is therefore not surprising to see such vulnerabilities, and we are likely to see many more in the years to come as connected technology (mobile apps, web portals, and more) interacts with our vehicles.
“It is now up to the manufacturers of vehicles and surrounding ecosystems to step up and take the lesson learned from other industries before them. They must establish software security practices, with secure architecture, secure development procedures, and ongoing security testing that will allow them to build secure software to interconnect with the car and its systems,” Maor adds.