hackers exploit critical flaws in car alarm apps - what drivers need to know - car alarm system
Last month, in Forbes magazine, I warned that cars were a magnet for hackers.
The warning came back today with news that Pen Test Partners's white hat hackers were able to take advantage of key bugs in the popular "smart" car alarm app and unlock the vehicle and listen to the driver's conversation, even kill the engine at runtime.
Researchers from penetration testing experts have invested nearly £ 4,000 ($5,000)in high-
End them in order for the smart car alarm system to be tested.
Ken Munro, founder of Pen Test Partners, explained that an advertisement from a related supplier, claiming that the system could not be cracked, initially attracted interest.
Any security expert will tell you that there is no such thing as 100% security, which is never a good saying.
It's no surprise that supplier Pandora has now removed uncracked claims from its website.
Pen Test Partners also tested the alarm system of the VIP, which is named after Clifford in the UK.
Given that these brands represent some of the world's largest car safety brands, you may think their products are safe.
What defects did the researchers find?
These holes are not difficult to even detect and enable researchers to access other users' profiles using one user's legitimate account.
This is because a simple "modify user" request in the code is not checked correctly for verification.
Once accessed, they are able to change the user's password and control the account and its associated cars.
Simply review, by modifying some of the parameters in the application code, researchers can update the registered email account without authentication and send a password reset request to the new address.
Did I mention that you don't even need to actually have a system to get an account, which makes it even more trivial to take advantage of these flaws?
What can they do?
Once the researchers have control over the user account, they can access and extract all user data.
To prove the concept, they are not responsible for accessing data from their own accounts.
They do geography.
Locate and track vehicles.
In due course, they were able to kill the engine, causing the car to stop, open the door and hijack the car if there was a tilt.
In a similar way, they may alert and flash during driving, causing the driver to stop the investigation.
At this point, they can set up anti-theft devices because they can control the account and prevent the owner from restarting the car. What else?
Well, it is possible to clone the alarm key fob using the app that allows any smartphone to unlock the car.
That sounds bad enough, but the situation gets worse: in a car equipped with a VIP snake, researchers are able to kill it while the engine is running.
"The impact of this on security is very worrying," Munro continues to explain. "How many accidents can a malicious person lead to driving on a fast track?
Munro admits, "it's very convenient about the start/stop feature --
Specific, so we can't test all this all the time.
"According to Munro, there are Mazda 6, Range Rover Sport, Kia Quoris, Toyota Fortuner, Mitsubishi Pajero in vehicles that may face the risk of this particular vulnerability
"These all seem to have features that are not recorded in the alarm API to remotely adjust cruise control speed!
"But perhaps the most surprising hacking is about Pandora's alarm system, which includes a microphone that allows drivers to make emergency calls.
The researchers found that by enabling the microphone remotely, they could spy silently on the passengers in the car.
What did the supplier say?
In an email from Pandora to TechCrunch Antony Noto, he insisted that "the encryption of the system has not been cracked and the remote control has not been hacked ,[and]
The tag was not cloned.
The problem, he said, was caused by a "software failure" that allowed "temporary access" and has now resolved the problem.
Speaking to the BBC, director, the parent company of the Clifford and VIP brand, said, "the customer's account can be accessed without authorization. . .
Due to the recent update ".
What do you need to do now?
Pen Test Partners contacted the relevant vendor before releasing the vulnerability details in order to fix the vulnerability.
Because these holes exist in the application software, the vendor is able to change the coding and the researchers have confirmed that the defects have been fixed by Clifford/VIP and Pandora.
Nevertheless, Munro noted that his researchers did not conduct a full test of interface coding, as this required further authorization.
"We don't know if there are any other loopholes. . . " Munro admits.
"It can be difficult to solve the problem, these companies are doing a good job in quickly reversing these fixes," Synopsys Security Solution Manager Adam Brown, but preventing these defects is the best way
Prevent the transfer of security to the software development cycle and reduce risk and cost by solving problems as early as possible.
As Ian Trump, head of security at AmTrust International, noted, "While these companies have acted swiftly and with credit, these devices should never be allowed to be installed --
First of all.
Trump also said that it was lucky for good people to get there first, adding, "we may never know, because the attack surface is about 3 million vehicles with these alerts installed. . .