Last month, we reported on vulnerabilities in electric scooters that allowed remote hacks. While that already bewildered some readers, here comes another report to further enrage them. This time, the problem exists in smart car alarm systems. Researchers found vulnerabilities in two popular alarm systems that pose a threat to 3 million users around the world.
Vulnerabilities Spotted In Smart Car Alarm Systems
Researchers from Pen Test Partners have revealed how two popular smart car alarm systems welcome hackers. The vulnerable alarm systems belong to Viper and Pandora. The latter even claimed its service was ‘unhackable’ (remember McAfee’s claim for the BitFi wallet?). Nonetheless, both systems could allow hackers to compromise the alarm and take control of the car.
The researchers have published a detailed report of their findings. According to the report, they tested the alarm systems from the two largest brands, Viper and Pandora. Both had critical vulnerabilities that could allow attackers to take control of the car system. Upon exploitation, hackers could disable the car alarm, unlock the car, enable or disable the immobilizer, track the vehicle’s location in real time, suddenly ‘kill’ the car engine while driving, and access the details of car owners and their vehicles.
Besides elaborating on their findings in the report, the researchers have also demonstrated them in a video.
Vendors Patched The Flaws
As reported, in the case of the Viper car alarm system, the vulnerability existed in the ‘modify user’ API parameter. The backend of the Viper alarm system, however, is powered by a third-party service, CalAmp.
“Although all of the other APIs are correctly checking for authorization, the /users/Update/xxxxx request is not being properly validated. Therefore one can issue a malicious request to change any user’s password and login allowing interaction with the alarm.”
In the case of Pandora, an IDOR (insecure direct object reference) on a POST request caused the issue. The flaw could allow an attacker to overwrite the existing email address and reset the password, thus gaining access to the app functionality.
Owing to the severity of the flaws and how easily they could be discovered, the researchers allowed only a 7-day disclosure period. Fortunately, both vendors patched the flaws during this time. Users of these car alarm systems should now make sure that they stay protected from possible hacks.
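Both flaws come down to a server accepting an account ID from the request without checking that it belongs to the logged-in user. The sketch below is an added illustration, not code from either vendor or from the researchers' report; the in-memory accounts, route paths and function names are all hypothetical. It puts the missing ownership check next to a corrected handler, with a regression check and a route audit that a backend team could run.

```python
import copy

# Constructed sample accounts (hypothetical data, not from the report).
USERS = {
    101: {"email": "owner@example.test", "password_hash": "h1"},
    202: {"email": "other@example.test", "password_hash": "h2"},
}

class Forbidden(Exception):
    """Raised when a session tries to modify another user's account."""

def owner_only(handler):
    """Reject requests whose target ID is not the authenticated user's ID."""
    def wrapped(users, session_user_id, target_id, body):
        if session_user_id != target_id:
            raise Forbidden(f"user {session_user_id} may not modify {target_id}")
        return handler(users, session_user_id, target_id, body)
    wrapped.enforces_ownership = True  # marker read by audit_routes()
    return wrapped

def update_user_unchecked(users, session_user_id, target_id, body):
    # Flawed pattern: the session is authenticated, but the target ID is trusted.
    users[target_id].update(body)
    return users[target_id]

@owner_only
def update_user_checked(users, session_user_id, target_id, body):
    # Same update, reachable only after the ownership check has passed.
    users[target_id].update(body)
    return users[target_id]

# Hypothetical route table for a backend that takes an account ID in the path.
ROUTES = {
    "/users/update/{id}": update_user_unchecked,
    "/users/profile/{id}": update_user_checked,
}

def audit_routes(routes):
    """Return the paths whose handlers lack the ownership check."""
    return sorted(p for p, h in routes.items()
                  if not getattr(h, "enforces_ownership", False))

def cross_account_write_blocked(handler):
    """Regression check: session 101 must not be able to alter account 202."""
    users = copy.deepcopy(USERS)
    try:
        handler(users, 101, 202, {"email": "changed@example.test"})
    except Forbidden:
        pass
    return users[202] == USERS[202]
```

Running `audit_routes(ROUTES)` in a CI job turns "one endpoint forgot the check" into a failing build instead of a production finding.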