Car alarms with security flaws put 3 million vehicles at risk of hijack

Two popular car alarm systems have fixed security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed.

The systems, built by Russian alarm maker Pandora and California-based Viper (or Clifford in the U.K.), were vulnerable to an easily manipulated server-side API, according to researchers at Pen Test Partners, a U.K. cybersecurity company. In their findings, posted Friday, the API could be abused to take control of an alarm system’s user account — and their vehicle.

It’s because the vulnerable alarm systems could be tricked into resetting an account password because the API was failing to check if it was an authorized request, allowing the researchers to log in.

Although the researchers bought alarms to test, they said “anyone” could create a user account to access any genuine account or extract all the companies’ user data.

The researchers said some three million cars globally were vulnerable to the flaws (since fixed).

In one example demonstrating the hack, the researchers geolocated a target vehicle, tracked it in real time, followed it, remotely killed the engine and forced the car to stop, then unlocked the doors. The researchers said it was “trivially easy” to hijack a vulnerable vehicle. Worse, it was possible to identify some car models, making targeted hijacks or high-end vehicles even easier.

According to their findings, the researchers also found they could listen in on the in-car microphone, built-in as part of the Pandora alarm system for making calls to the emergency services or roadside assistance.

Ken Munro, founder of Pen Test Partners, told TechCrunch this was their “biggest” project.

The researchers contacted both Pandora and Viper with a seven-day disclosure period, given the severity of the vulnerabilities. Both companies responded quickly to fix the flaws.

When reached, Viper’s Chris Pearson confirmed the vulnerability has been fixed. “If used for malicious purposes, [the flaw] could allow customer’s accounts to be accessed without authorization.”

Viper blamed a recent system update by a service provider for the bug and said the issue was “quickly rectified.”

“Directed [which owns Viper] believes that no customer data was exposed and that no accounts were accessed without authorization during the short period this vulnerability existed,” said Pearson, but provided no evidence to how the company came to that conclusion.

In a lengthy email, Pandora’s Antony Noto challenged several of the researcher’s findings, summated: “The system’s encryption was not cracked, the remotes where not hacked, [and] the tags were not cloned,” he said. “A software glitch allowed temporary access to the device for a short period of time, which has now been addressed.”

The research follows work last year by Vangelis Stykas on the Calamp, a telematics provider that serves as the basis for Viper’s mobile app. Stykas, who later joined Pen Test Partners and also worked on the car alarm project, found the app was using credentials hardcoded in the app to log in to a central database, which gave anyone who logged in remote control of a connected vehicle.