Hackers Can Hijack Cars with Alarm Apps

AlphaAtlas

Security researchers from Pen Test Partners claim they've found serious security vulnerabilities in high-end car alarm services from Viper and Pandora. In a quick demonstration, the researchers showed a potential attacker could pull up behind a moving vehicle with one of the commercial security systems installed, set off the alarm, disable the engine, unlock the doors, then drive off with it in a matter of minutes. On top of that, the researchers say they could geolocate vehicles, pull up owner and car details, and in some cases, adjust cruise control speed or snoop on drivers through a microphone. The researchers say the exploits affect up to 3 million vehicles around the world, and confirmed that the vulnerabilities they found were quickly fixed by the manufacturers, but note that they "have no idea if there are other vulnerabilities in the API."

Check out the researchers' video here.

Amazingly, the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API. Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker's) and take over the account. It's possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors. Hijack of the car and driver is trivially easy. We found the flaws prior to fitting the alarms, but wanted to purchase and fit them to our vehicles for a full proof of concept.
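
The flaw class named in the quoted research, shown from the server side as an account-update handler without and with an ownership check. This is an added example, not part of the original thread and not code from Pen Test Partners or the alarm vendors; the account store, session table, audit log and function names are hypothetical, and the sample data is constructed.

```python
import copy

# Constructed sample data: two accounts and one logged-in session.
ACCOUNTS = {
    101: {"email": "owner@example.com"},
    102: {"email": "other@example.com"},
}
SESSIONS = {"token-for-102": 102}  # session token -> authenticated account id


class Forbidden(Exception):
    """The caller may not act on the requested object."""


def fresh_accounts():
    """Return an independent copy of the sample account store."""
    return copy.deepcopy(ACCOUNTS)


def update_email_vulnerable(accounts, request):
    # IDOR: the account id is taken from the request and trusted as-is.
    # No session is required and ownership is never checked.
    account = accounts[request["account_id"]]
    account["email"] = request["email"]
    return account


def update_email_hardened(accounts, sessions, request, audit_log):
    # 1. Authenticate: the request must carry a valid session token.
    caller = sessions.get(request.get("token"))
    if caller is None:
        audit_log.append(("unauthenticated", request["account_id"]))
        raise Forbidden("not authenticated")
    # 2. Authorize per object: callers may only edit their own account.
    if request["account_id"] != caller:
        audit_log.append(("cross-account", caller, request["account_id"]))
        raise Forbidden("account does not belong to caller")
    accounts[caller]["email"] = request["email"]
    return accounts[caller]
```

The entries appended to `audit_log` on a denied request are the signal worth alerting on: one session repeatedly naming account ids other than its own.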
 
I just got letters from our HOSPITAL system about our data being breached. Anyone who thinks their info or devices are safe is in la la land.
 
Like having a nuclear power plant's functions remotely accessible, why does a car alarm have access to cruise control?

The CAN bus was standardized well before connected cars became a thing so security wasn't a high priority. If someone had physical access to your OBD2 port, they pretty well owned the car. The main security concern was obscuring the error codes to keep the owners coming back to the authorized dealer service bays. Now all of this connected crap is added to that same unsecured core CAN network. Chrysler had a similar deal a few years back with millions of Jeep products.

Getting security made part of the CAN standard is probably going to take government mandates, which seem unlikely.
 
Sometimes you gotta roll the hard six and not network shit that doesn't need to be networked.
 
Good, now we can take control of a Volkswagen to crash it into one of those Amazon automated delivery robots, then hack a quad-copter delivery bot to haul our stolen goods to an intermediate location that we hacked the locks on, to then be picked up by a guy on a rented electric scooter to be dropped off at our homes. Free shit! :p
 