Two smart car alarm systems, Viper and Pandora, which between them serve at least three million customers, were found to be vulnerable after testing by security researchers from Pen Test Partners.
Both companies marketed their products as smart and even unhackable; the researchers proved that claim wrong.
Compromising the smart alarms can expose the vehicle type and the owner’s details, and allows an attacker to unlock the car, disable the alarm, track the vehicle, access the microphones and hijack the immobilizer.
In certain cases, the attacks can also lead to engine failure during usage which could result in serious injury or death.
The researchers discovered simple, relatively straightforward vulnerabilities in the products’ APIs, known as insecure direct object references (IDORs), that allowed them to tamper with vehicle parameters, reset user credentials, hijack accounts, and much more.
In the case of Viper, a third-party company called CalAmp provides the back-end system. The ‘modify user’ API parameter was not properly validated, which enabled attackers to compromise user accounts.
The security researchers discovered that the same bug could be used to compromise the vehicle’s engine system.
In the case of Pandora, the IDOR is based on a POST request which can compromise the account together with substantial data leaks. Another attack vector is based on the Pandora alarm’s ability to make SOS calls in cases of emergency. To send out cries for help, the alarm comes with a microphone and because of the API security flaw, this component can be accessed and enabled remotely for snooping purposes.
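The IDOR pattern described for both the Viper ‘modify user’ call and the Pandora POST request comes down to the same defect: the API takes an account identifier from the request and acts on it without checking that it belongs to the authenticated session. The following is an added illustration, not code from Pen Test Partners, Viper, Pandora or CalAmp; the user store, field names and handlers are hypothetical, and the constructed store stands in for the real back end.

```python
from dataclasses import dataclass

# Constructed in-memory user store; user ids, e-mails and passwords are made up.
@dataclass
class User:
    user_id: int
    email: str
    password: str

USERS = {
    101: User(101, "owner@example.com", "s3cret"),
    102: User(102, "victim@example.com", "hunter2"),
}

MUTABLE_FIELDS = ("email", "password")

def modify_user_vulnerable(session_user_id: int, body: dict) -> bool:
    """IDOR pattern (hypothetical handler): the target account is taken from
    the request body and updated without comparing it to the session owner.
    session_user_id is deliberately ignored, which is the whole defect."""
    target = USERS.get(body.get("user_id"))
    if target is None:
        return False
    for field_name in MUTABLE_FIELDS:
        if field_name in body:
            setattr(target, field_name, body[field_name])
    return True

def modify_user_hardened(session_user_id: int, body: dict) -> bool:
    """Fix: the object reference is bound to the authenticated principal.
    A caller-supplied user_id is only accepted if it matches the session;
    anything else is rejected before any state changes."""
    target_id = body.get("user_id", session_user_id)
    if target_id != session_user_id:
        return False
    target = USERS[session_user_id]
    for field_name in MUTABLE_FIELDS:
        if field_name in body:
            setattr(target, field_name, body[field_name])
    return True
```

A server-side authorization check of this kind is the detection and mitigation point; client-side validation or obscuring the identifier does not close the gap.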
The severity of these security problems is high, and since they affect around three million customers, Pen Test Partners chose to scrap its standard 90-day disclosure period in favor of a week.
Pandora and Viper responded quickly and managed to fix the vulnerable APIs within the time period on offer.
It is just a matter of time before security flaws in our connected cars become a risk to driver safety.